3 min

The risk that companies are faced with a cyber incident due to a relationship with a supplier or “fourth party” in the supply chain is increasing. This according to SecurityScorecard and The Cyentia Institute in a joint study.

The survey found that 98 percent of companies surveyed have a relationship with a third party that has experienced at least one cyber incident in the past two years. The cybersecurity rating specialist and independent cybersecurity researcher additionally state that half of surveyed companies also have relationships with at least 200 of their suppliers’ vendors, so-called “fourth-party” suppliers, that had an incident in the past two years.

The security researchers surveyed a total of 235,000 companies worldwide and more than 73,000 suppliers and products they used or were again used by their suppliers. The goal of this study was to identify how the dependency of today’s modern digital supply chain affects the security risks companies face today.

Three conclusions

The researchers drew three main conclusions from the study. First, the more relationships they have with third and fourth parties, the more companies are at risk of a security incident. For every relationship they have with a third party, they have 60 to 90 times a relationship with a fourth party.

Third parties exhibit up to five times worse security posture than their own organization gives themselves. About 10 percent of a company’s third-party suppliers have an F rating, among companies that themselves rate A for their security policies.

IT sector has largest supply chain with third party suppliers

A second important conclusion drawn by security specialists is that companies in the IT sector in particular have many third party suppliers; an average of 25, which is about 2.5 times the average number of 10 suppliers. The financial sector again has the least number of third-party suppliers, 6.5. The health care sector comes out at an average of 15.5 third-party suppliers and the insurance sector at 11.

The researchers point out that each supplier again presents a risk of a potential cyber incident. For example, due to compromised code from these suppliers or using insecure hosting providers.

The more foreign suppliers, the trickier

The third and final important conclusion drawn by the researchers is that exposing corporate data to internationally operating third-party vendors requires more security measures for legal and regulatory purposes. About 59 percent of the companies surveyed have suppliers from five or fewer different countries. About 14 percent work with suppliers from 10 and more different countries.

Screening all suppliers and customers

The data provided by the survey shows that it is very difficult for companies to get their security policies for the entire supply chain right. Yet this is very important since cybercriminals will use any potential vulnerability to carry out attacks.

SecurityScorecard and The Cyentia Institute, therefore, believe that companies should constantly monitor and identify all their partners and customers within the digital supply chain. By doing so, they may be able to counter any potential risk that could come through these parties.

A full understanding of the security policies of third and fourth parties is therefore indispensable, the researchers continue. Companies should therefore work closely with these parties to close gaps in infrastructure security and thereby reduce their own security risk.

Tip: Ransomware fatal for SMBs: security increasingly taken seriously