SecurityScorecard has announced findings from its 2024 Redefining Resilience: Concentrated Cyber Risk in a Global Economy Research, with McKinsey & Company as a knowledge partner.
The threat research uncovers an extreme concentration of cyber risk in just 15 vendors, posing serious threats to national security and global economies. The research also details a surge in adversaries exploiting third-party vulnerabilities to maximise the stealth, speed and impact of supply chain cyberattacks.
Dr. Aleksandr Yampolskiy, CEO and Co-Founder, SecurityScorecard, said: “Much like a precarious house perched on a cliff’s edge, the reliance on a handful of vendors shapes the foundation of our global economy. The question to ask is: ‘Have we concentrated a mission-critical service to a single vendor — creating a single point of failure?’”
Third-party vulnerabilities spread like a digital forest fire
Threat researchers used the SecurityScorecard platform to identify the supply chain cyber risk across approximately 12 million organisations.
Key findings include:
- 150 companies account for 90% of the technology products and services across the global attack surface.
- 41% of those companies had evidence of at least one compromised device in the past year.
- 11% had evidence of a ransomware infection in the past year.
- 62% of the global external attack surface is concentrated in the products and services of just 15 companies.
- The top 15 third parties have below-average cybersecurity risk ratings – indicating a higher likelihood of breach.
- Ransomware operators Cl0p, LockBit and BlackCat systematically target third-party vulnerabilities at scale.
- Within five minutes of connecting an internet-facing device, state-sponsored threat actors will find it.
The sheer scale of these companies amplifies their risk of compromise, posing significant third-party risks to their extensive customer bases. Defending massive attack surfaces presents a formidable challenge, even for the most robust security teams. While these companies must maintain flawless security at all times, attackers need only exploit a single vulnerability within their expansive attack surface.
Take action to protect against third-party risk
According to McKinsey, companies spend hundreds of thousands of dollars per year managing cyber risk within their vendor and third-party ecosystem, and millions on cyber programs, yet their billion-dollar business is only as good as the cybersecurity of their smallest vendor.
Mitigating supply chain cyber risk requires four key steps:
1. Identify single points of failure
2. Continuously monitor the external attack surface
3. Automatically detect new vendors
4. Operationalise vendor cybersecurity management
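One way to put step 1 into practice, as an added example that is not from the report or from SecurityScorecard's platform: given a constructed service-to-vendor inventory, it computes vendor concentration (the share of the inventory held by the n largest vendors) and lists the mission-critical services, and the vendors behind them, that have no redundant provider.

```python
from collections import Counter, defaultdict

# Constructed sample inventory, not data from the report:
# (service, vendor, mission_critical). A service listed under two
# vendors has a redundant provider.
INVENTORY = [
    ("dns", "VendorA", True),
    ("cdn", "VendorA", True),
    ("identity", "VendorA", True),
    ("email", "VendorB", True),
    ("email", "VendorC", True),      # second provider: email is not a SPOF
    ("chat", "VendorB", False),
    ("payroll", "VendorD", False),
    ("backup", "VendorE", True),
    ("crm", "VendorF", False),
    ("monitoring", "VendorG", False),
]

def vendor_shares(inventory):
    """Fraction of the inventory each vendor accounts for, largest first."""
    counts = Counter(vendor for _, vendor, _ in inventory)
    total = sum(counts.values())
    return [(vendor, n / total) for vendor, n in counts.most_common()]

def top_n_concentration(inventory, n):
    """Share of the inventory held by the n largest vendors
    (the same kind of figure as the report's '62% in 15 companies')."""
    return sum(share for _, share in vendor_shares(inventory)[:n])

def single_points_of_failure(inventory):
    """Mission-critical services that depend on exactly one vendor."""
    providers = defaultdict(set)
    critical = set()
    for service, vendor, is_critical in inventory:
        providers[service].add(vendor)
        if is_critical:
            critical.add(service)
    return sorted(s for s in critical if len(providers[s]) == 1)

def sole_provider_load(inventory):
    """Vendors ranked by how many critical services they alone provide;
    the top entry is where a single outage or breach hurts most."""
    spof = set(single_points_of_failure(inventory))
    load = Counter(vendor for service, vendor, _ in inventory if service in spof)
    return sorted(load.items(), key=lambda kv: (-kv[1], kv[0]))
```

Feeding the output of `sole_provider_load` into the vendor review queue is a direct way to prioritise which third parties get continuous monitoring first.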
Charlie Lewis, Partner, McKinsey, said: “The interconnected nature of our digital landscape requires a shift in how companies think about their cyber ecosystem risk — it is no longer just about your resilience, you need to consider the broader system and how to build mutual support with peers, competitors and your vendors.”