The inherent risks associated with the software supply chain have always been there, but they’ve only become blatantly obvious to most outside observers recently as high-profile attacks against providers such as SolarWinds and Kaseya have emerged and cast years-long shadows over customers. But new data shows that nearly every organization has a relationship with a company that has had a breach recently, and many companies have relationships with dozens or hundreds of fourth parties that have had an incident.
The data, compiled in a new report by Cyentia Institute and SecurityScorecard, shows that it’s not just the direct suppliers that pose a risk to organizations; it’s those suppliers’ suppliers, and on down the line. The report comprises data from more than 235,000 first-party organizations, as well as more than 73,000 third and fourth parties that those companies have relationships with. Among the key findings is that about 98% of the first-party organizations surveyed had a direct relationship with a third party that has experienced a breach in the last two years.
“This does not mean that those organizations were involved or impacted by those breaches. It doesn’t even mean that the nature of the relationship between the victim and its third parties is such that the breach could propagate to them. But, it does mean that nearly every organization is at least indirectly exposed to risk from circumstances outside their control,” the new report says.
The researchers found that a typical organization has about 10 direct third-party relationships, and 75 percent of organizations have fewer than 30. Those numbers vary by the size of the organization, of course, but also by industry. Information services is at the top of the chart, with about 25 third-party relationships per organization; hospitality and health care are next on the list, with about 15.5 each.
“The breach data is interesting. I’ve never had a data set like this and it’s pretty cool because I’ve never been able to study this information,” said Wade Baker, co-founder of Cyentia Institute.
“I find the explosion of moving from organizations directly using a partner, to one tier out a huge multiple. It’s interesting. I’ve always been fascinated with how companies manage their own security postures as opposed to how their partners do it.”
Also of note is that government agencies and companies in the finance sector were toward the bottom of the list with the fewest number of direct relationships.
“Many things contribute to that outcome. Both are heavily regulated, which generally translates to higher due diligence and compliance requirements when it comes to third-party, tech-centric relationships. Also keep in mind that most organizations in the public sector aren’t giant federal/central institutions; they’re local and state-level agencies with smaller Internet footprints,” the report says.
One result of the recent spate of software supply chain attacks is that security teams and IT teams in general have become more aware of the risks of third-party suppliers and how quickly those risks can turn into incidents.
“Teams more and more are looking at security for their direct partners. Instead of doing some surveys, they’re using this. It’s definitely on their radar and they’re aware they’re in this ecosystem that maybe they’re not working with directly, but we’re all in this together,” Baker said.
The data also reveals that most first-party organizations are in much better shape security-wise than the vendors they work with.
“The results justify concern when it comes to the security posture of third-party vendors. Twice the proportion of primary organizations achieve the highest security rating of A, while third parties are nearly 5x more likely to receive an F on their scorecard. Not great news, but not entirely unexpected either for those familiar with third-party risk management,” the report says.