2024 SecurityScorecard Research: Adversaries Exploit Third-Party Vulnerabilities to Maximize the Stealth, Speed, and Impact of Ransomware Attacks
May 02 2024 - 12:00PM
Business Wire
SecurityScorecard today announced findings from its 2024
Redefining Resilience: Concentrated Cyber Risk in a Global Economy
Research, with McKinsey & Company as a knowledge partner. The
threat research uncovers an extreme concentration of cyber risk in
just 15 vendors, posing serious threats to national security and
global economies. The research also details a surge in adversaries
exploiting third-party vulnerabilities to maximize the stealth,
speed, and impact of supply chain cyberattacks.
Dr. Aleksandr Yampolskiy, CEO and Co-Founder,
SecurityScorecard, stated: “Much like a precarious house
perched on a cliff's edge, the reliance on a handful of vendors
shapes the foundation of our global economy. The question to ask
is: ‘Have we concentrated a mission-critical service to a single
vendor — creating a single point of failure?’”
Third-party vulnerabilities spread like a digital forest fire
Threat researchers used the SecurityScorecard platform to
identify the supply chain cyber risk across approximately 12
million organizations. Key findings include:
- 150 companies account for 90% of the technology
products and services across the global attack surface.
- 41% of those companies had evidence of at least one
compromised device in the past year.
- 11% had evidence of a ransomware infection in the
past year.
- 62% of the global external attack surface is
concentrated in the products and services of just 15
companies.
- The top 15 third parties have below-average cybersecurity
risk ratings – indicating a higher likelihood of breach.
- Ransomware operators Cl0p, LockBit, and BlackCat
systematically target third-party vulnerabilities at scale.
- Within five minutes of connecting an internet-facing device,
state-sponsored threat actors will find it.
The sheer scale of these companies amplifies their risk of
compromise, posing significant third-party risks to their extensive
customer bases. Defending massive attack surfaces presents a
formidable challenge, even for the most robust security teams.
While these companies must maintain flawless security at all times,
attackers need only exploit a single vulnerability within their
expansive attack surface.
Take action to protect against third-party risk
According to McKinsey, companies spend hundreds of thousands of
dollars per year managing cyber risk within their vendor and
third-party ecosystem, and millions on cyber programs, yet their
billion-dollar business is only as good as the cybersecurity of
their smallest vendor.
Mitigating supply chain cybersecurity risk requires four key
steps:
- Identify single points of failure
- Continuously monitor the external attack surface
- Automatically detect new vendors
- Operationalize vendor cybersecurity management
Charlie Lewis, Partner, McKinsey, added: “The
interconnected nature of our digital landscape requires a shift in
how companies think about their cyber ecosystem risk — it is no
longer just about your resilience, you need to consider the broader
system and how to build mutual support with peers, competitors, and
your vendors.”
Additional resources
- Download the 2024 SecurityScorecard Redefining Resilience:
Concentrated Cyber Risk in a Global Economy Research.
- To learn more about SecurityScorecard threat intelligence,
visit our website.
About SecurityScorecard
Will AI save or destroy the planet? Visit Booth #6353 Moscone
North at RSA to find out.
Funded by world-class investors, including Evolution Equity
Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood
Capital, and others, SecurityScorecard is the global leader in
cybersecurity ratings, response, and resilience, with more than 12
million companies continuously rated.
Founded in 2014 by security and risk experts Dr. Aleksandr
Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented security
ratings technology is used by over 25,000 organizations for
enterprise risk management, third-party risk management, board
reporting, due diligence, cyber insurance underwriting, and
regulatory oversight.
SecurityScorecard makes the world safer by transforming how
companies understand, improve, and communicate cybersecurity risks
to their boards, employees, and vendors. SecurityScorecard achieved
the Federal Risk and Authorization Management Program (FedRAMP)
Ready designation, highlighting the company’s robust security
standards to protect customer information, and is listed as a free
cyber tool and service by the U.S. Cybersecurity &
Infrastructure Security Agency (CISA). Every organization has the
universal right to its trusted and transparent Instant
SecurityScorecard rating. For more information, visit
securityscorecard.com or connect with us on LinkedIn.
View source version on businesswire.com: https://www.businesswire.com/news/home/20240502276957/en/
Ashley Nakano SecurityScorecard securityscorecard@10fold.com