Supply chain cyber risk concentrated in 15 top vendors with ‘below average’ cybersecurity
SecurityScorecard warns of ‘precarious single points of failure’ in cyber risk management
Experts have warned of an “extreme concentration” of supply chain cyber risk, with just 15 technology firms providing 62% of products and services used by 12 million public and private organisations around the world. To make matters worse, the research by SecurityScorecard and McKinsey & Company warns that these big tech companies have room for improvement when it comes to cybersecurity.
“The sheer scale of these companies amplifies their risk of compromise, posing significant third-party risks to their extensive customer bases,” SecurityScorecard says, publishing its report findings at the RSA Conference in San Francisco. “This extreme reliance on a select few ‘heavy hitters’ creates precarious single points of failure. In the event of a major outage or security breach, the vendor’s entire customer base is at risk.”
SecurityScorecard also warns of a “surge” in actors exploiting third-party vulnerabilities that “spread like a digital forest fire” to maximise the impact of supply chain cyberattacks.
Dr Aleksandr Yampolskiy, CEO at SecurityScorecard, says: “Much like a precarious house perched on a cliff’s edge, the reliance on a handful of vendors shapes the foundation of our global economy. The question to ask is: ‘Have we concentrated a mission-critical service to a single vendor — creating a single point of failure?’”
The majority (90%) of technology products and services used by organisations worldwide come from a wider pool of 150 companies, the report says. But 41% of these firms have evidence of at least one compromised device in the past year and 11% had evidence of a ransomware infection. The leading source of compromise was adware (35%) followed by malware (32%).
Moreover, the leading 15 providers of software and other services to companies all around the world have below-average cybersecurity ratings compared with the broader pool of 150 companies, increasing their risk of a breach, according to the research.
“This finding is concerning, as these companies have greater potential to inflict third-party harm on their customers due to their lower security ratings and extremely large market share,” it says.
“Defending massive attack surfaces presents a formidable challenge, even for the most robust security teams. While these companies must maintain flawless security at all times, attackers need only exploit a single vulnerability within their expansive attack surface,” the report warns.
Ransomware groups such as LockBit, BlackCat and Cl0p “systematically target third-party vulnerabilities at scale”, SecurityScorecard says, and state-sponsored threat actors can identify vulnerabilities within five minutes of connecting to an internet-facing device.
McKinsey says organisations’ cybersecurity programmes are “only as good as the cybersecurity of their smallest vendor”. It advises organisations working to mitigate supply chain cyber risk to:
- Identify single points of failure
- Continuously monitor the external attack surface
- Automatically detect new vendors
- Operationalise vendor cybersecurity management
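The first and third of those recommendations can be turned into a recurring check over a vendor inventory. The script below is an added illustration, not code from SecurityScorecard, McKinsey or the report: it computes each vendor's share of the inventory (the same kind of concentration figure the report quotes for its top 15), flags mission-critical services that depend on exactly one vendor, flags vendors whose loss would disrupt more than a chosen share of services, and diffs the inventory against the vendors already known to the third-party-risk programme to surface new ones. The inventory rows, vendor names, criticality levels and baseline are constructed for the example.

```python
"""Vendor concentration and single-point-of-failure check (added example)."""
from collections import Counter, defaultdict

# Constructed inventory of (service, vendor, criticality); all names hypothetical.
# Where a service appears twice with different vendors it has a second supplier.
INVENTORY = [
    ("email", "VendorA", "critical"),
    ("identity", "VendorA", "critical"),
    ("crm", "VendorB", "high"),
    ("payroll", "VendorC", "critical"),
    ("hosting", "VendorA", "critical"),
    ("hosting", "VendorD", "critical"),
    ("monitoring", "VendorE", "medium"),
    ("chat", "VendorB", "low"),
]

# Constructed baseline: vendors the third-party-risk programme had on file at
# the last review. Anything in INVENTORY but not here was onboarded unnoticed.
BASELINE_VENDORS = {"VendorA", "VendorB", "VendorC", "VendorD"}


def vendor_share(inventory):
    """Fraction of inventory rows supplied by each vendor, largest first."""
    counts = Counter(vendor for _, vendor, _ in inventory)
    total = sum(counts.values())
    return {vendor: n / total for vendor, n in counts.most_common()}


def top_n_share(inventory, n):
    """Combined share of the n largest vendors (the report's '15 vendors, 62%')."""
    shares = list(vendor_share(inventory).values())
    return sum(shares[:n])


def single_points_of_failure(inventory, criticalities=("critical",)):
    """Services at the given criticality that have exactly one vendor."""
    vendors_by_service = defaultdict(set)
    criticality_of = {}
    for service, vendor, criticality in inventory:
        vendors_by_service[service].add(vendor)
        criticality_of[service] = criticality
    return sorted(
        service
        for service, vendors in vendors_by_service.items()
        if len(vendors) == 1 and criticality_of[service] in criticalities
    )


def concentrated_vendors(inventory, threshold):
    """Vendors supplying more than `threshold` of the inventory (0.0 to 1.0)."""
    return [v for v, share in vendor_share(inventory).items() if share > threshold]


def new_vendors(inventory, baseline):
    """Vendors present in the inventory that the baseline does not know about."""
    return sorted({vendor for _, vendor, _ in inventory} - set(baseline))


if __name__ == "__main__":
    print(f"top-2 vendor share: {top_n_share(INVENTORY, 2):.0%}")
    print("critical single-vendor services:", single_points_of_failure(INVENTORY))
    print("vendors above 30% of inventory:", concentrated_vendors(INVENTORY, 0.3))
    print("vendors not in baseline:", new_vendors(INVENTORY, BASELINE_VENDORS))
```

Run against a real inventory, the interesting outputs are the services listed by `single_points_of_failure` (each is a candidate for a second supplier or a tested fallback) and anything returned by `new_vendors`, which is the gap between what procurement has bought and what the risk programme is monitoring.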
Charlie Lewis, partner at McKinsey, says: “The interconnected nature of our digital landscape requires a shift in how companies think about their cyber ecosystem risk – it is no longer just about your resilience; you need to consider the broader system and how to build mutual support with peers, competitors, and your vendors.”