By: Kelly White, Founder, RiskRecon by Mastercard

Vendor-Based Breach Events Now 32% of Total – Exceeding Internal Actors

A Lesson from 14,413 Breach Events

At RiskRecon, we closely monitor material publicly reported cybersecurity breach events as part of our cybersecurity ratings services. From 2012 to 2023, we have cataloged and analyzed 14,413 material, publicly reported breach events. For the first time, the count of breach events due to compromise of a vendor exceeded that of breach events from internal actors, accounting for 32% of all publicly reported breach events.

[Chart: publicly reported breach events by source, 2012 to 2023]

The fact that in 2023 third-party breach events exceeded those from internal actors by nearly three times is likely not a surprise to most. The high-profile breach events of 2023 made the issue obvious, such as the MOVEit incident, where numerous companies had their data exposed through the compromise of third- and even fourth-party systems. And halfway into 2024, the trends don’t seem to be changing. One only needs to look at the Change Healthcare ransomware attack to see that companies offering business-to-business services are a prime target and that their failure can wreak havoc on an entire industry.

While it is obvious now that good third-party risk management is essential, this hasn’t always been the case. From my position as a CISO and then as a third-party risk management solution provider, from 2012 through 2019, very few organizations were sincere about managing third-party risk or even had any program at all. Some organizations with only checkbox third-party risk management programs, or no programs at all, would point to the breach event rates and say they were too low to be of any concern. Other organizations would take the position that there was no way for them to effect the changes with their partners necessary to reduce risk. And this wasn’t without merit, as I engaged with many CISOs of B2B providers who would go so far as to state that their risk management program was none of their customers’ business, with some refusing to share information with anyone except their largest customers.

In this climate of resistance to third-party risk management, I saw many companies, particularly the larger financial and healthcare organizations, building strong third-party risk management programs, leveraging questionnaires, cybersecurity ratings, and other sources of OSINT to assess and continuously monitor the cybersecurity health and hygiene of their vendors. In all cases, I observed that these organizations had a clear understanding and appropriate prioritization of their third-party portfolio risks and were making measured investments to manage those risks. In doing so, they established the foundational practices that are now common today and are well prepared for the rapidly growing third-party threat landscape.

Two major events since 2019 motivated the latecomers to get on board with taking third-party risk seriously. First, the SolarWinds Orion breach in 2020 raised the risk consciousness of both customers and vendors. From a customer perspective, SolarWinds raised awareness at the C-suite and board levels to the disturbing reality that their organizations could be deeply compromised and controlled because of some software that they, in most cases, didn’t even know existed. From a vendor perspective, SolarWinds forced them to get serious about demonstrating their worthiness to be trusted, as they watched SolarWinds stock drop 40% on the day the breach was disclosed and have seen it remain below those levels into 2024, at least in part due to the departure of customers to other providers.

The second major development has been the rapid rise of destructive ransomware, which now hangs over the head of every organization as a constant threat that could damage their ability to operate. And it isn’t just their own environment they must be concerned about; there are plenty of examples of broad impact due to the crippling of critical suppliers. Our 2024 State of Ransomware Report is worth reading.

What will the trendlines show at the end of 2024? In 2025? Beyond? We have enough data in 2024 to know that breaches due to compromise of a vendor will continue to be a very large percentage of breach events. And perhaps there has been a tectonic shift in the threat landscape, in that criminals have learned that their best leverage point for getting a payout is to own a company that has operational and data protection obligations to other organizations.

It is past time to get very serious about managing third-party risk well, which means leveraging good information to hold your vendors accountable to maintaining good cybersecurity hygiene and risk management practices. After all, according to our studies, companies with good hygiene have dramatically better risk outcomes than those that do not.
