New research from SecurityScorecard and The Cyentia Institute reveals a stark reality for Global 2000 companies: 99% are directly connected to vendors that have experienced recent breaches. Prompted by new SEC cybersecurity requirements demanding transparency around third-party breaches, this report underscores the rising threat of multi-party supply chain attacks.
The report features a cover inspired by the 1999 Japanese film Godzilla 2000. The report notes the film’s tagline to explain the cover’s relevance. It says, “Earth’s most powerful monster fights a beast from outer space,” symbolizing the daunting challenge of supply chain cyber risk. While not alien, these risks originate outside an organization’s boundaries, and even the best defenses can be breached. (Editor’s note: it’s the coolest report cover we can recall seeing.)
What follows is our summary; you can get the full report here.
Escalating Risks in a Connected World
In today’s interconnected business environment, a vulnerability in one part of the supply chain can have ripple effects throughout the entire ecosystem. High-profile incidents involving Change Healthcare, MOVEit, and SolarWinds highlight the urgent need for robust supply chain cybersecurity measures. The report emphasizes that understanding and managing supply chain risks is essential to prevent disruptions and safeguard the foundational elements of our interconnected economy.
Key Findings:
- Near-Universal Exposure: An alarming 99% of Global 2000 companies are directly connected to vendors that have experienced breaches.
- Security Ratings: 70% of Global 2000 companies earn solid SecurityScorecard ratings, but 30% struggle to maintain a strong security posture.
- Widespread Usage: 20% of these megacorporations utilize a thousand or more products.
- High Costs: Supply chain incidents are 17 times more expensive to remediate and manage than first-party breaches.
- Staggering Losses: Estimated total losses from breaches in the Global 2000 range between $20 billion and $80 billion over 15 months.
- Breach Frequency: 12% of these companies experienced at least one security breach during the 15-month period of analysis.
- Third-Party Relationships: The Global 2000 uses nearly 18,000 IT products/services from 8,000 vendors. In 69% of these relationships, vendors have a weaker security posture than their Global 2000 partner.
- Concentration Risk: 90% of Global 2000 companies act as vendors to each other, exacerbating the risk of interdependence.
- Common Vendors: At least 80% of Global 2000 companies use the top eight most widely deployed vendors, and four of the top five have reported recent breaches.
Understanding the Impact
Wade Baker, partner and co-founder at The Cyentia Institute, highlighted the scale of the issue: “While the Global 2000 boasts $51.7 trillion in revenue, their interconnectedness exposes them to severe cyber risks—with 99% directly connected to breached vendors and incidents that can tally into the tens of billions.”
Know Your Supply Chain
Supply chain events, such as malicious DDoS attacks or faulty patch updates, often deny users access to critical systems. To mitigate these risks, companies must continuously monitor their external attack surfaces, identify single points of failure, and automatically detect new vendors. This proactive approach is critical for maintaining cyber resilience.
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, stressed the importance of managing supply chain risks: “The world is only beginning to grasp the potential for chaos caused by concentration risk. Understanding and managing your supply chain is critical to protect business continuity. It’s not just about preventing disruptions; it’s about safeguarding the very foundation of our interconnected economy.”
Methodology and Data Analysis
The Forbes Global 2000 ranks the largest companies worldwide based on sales, profits, assets, and market value, with the 2024 list accounting for $51.7 trillion in revenue, $4.5 trillion in profits, $238 trillion in assets, and $88 trillion in market value. This report focuses on the security posture and breach history of the Global 2000, examining the third-party vendors surrounding each company to understand cyber risks across their supply chains.
SecurityScorecard’s Automatic Vendor Detection capability was instrumental in identifying the vendors and products comprising modern organizations’ digital supply chain. SecurityScorecard continuously scans the internet to identify vulnerable and misconfigured digital assets, leveraging a global network of sensors and commercial and open-source intelligence sources.
Conclusion
The interconnected nature of modern business means that no organization is immune to the cascading effects of supply chain vulnerabilities. This report provides a comprehensive analysis of the risks facing Global 2000 companies and their third-party vendors, offering valuable insights for bolstering defenses and mitigating the impacts of third-party cyber threats. As Sun Tzu famously said, “Know your enemy…and know yourself.” For today’s organizations, this means knowing your supply chain and its potential risks.
Source: 99% of Global 2000 Companies Directly Connected to a Supply Chain Breach.
Other News: Supply Chain, Logistics and Cyber Insurance(Opens in a new browser tab).
Other News: Almost Three-quarters of Ransomware Victims Hit Multiple Times.