Breaches Beyond Borders: The global landscape of third-party risk
While the digital landscape evolves, cyber adversaries are also honing their tactics, techniques, and procedures. In recent years, ransomware groups have caused major disruptions to the digital supply chain and, by extension, the world economy. At the same time, organizations in every industry and geography continue to grapple with third-party threats, zero-day vulnerabilities, and other risks.
To examine this issue further, SecurityScorecard recently released the Global Third-Party Cyber Breach report, which found that 29% of all breaches are attributable to a third-party vector.
A deep dive into third-party risk
To make sense of this network of third-party cyber risk, SecurityScorecard recently hosted a webinar to go behind the scenes of the Cyber Breach report. Jeff Laskowski, SVP and GM of our Professional Services team, moderated a lively discussion with CISO and Executive Advisor Moriah Hara and the report’s author, SecurityScorecard Principal Security Analyst Paul Prudhomme.
“So to put it very simply, when you have more third parties, you have more third party risk. And when you have more third party risk, you have more third party breaches.”
-Paul Prudhomme, Principal Security Analyst, SecurityScorecard
Healthcare in the crosshairs
According to the report, healthcare has emerged as the industry most often hit by third-party breaches, followed closely by financial services. The most likely explanation is that healthcare organizations maintain more numerous, diverse, and specialized third-party relationships than other sectors, and each of those relationships is a potential path for a breach. To put it simply: they have more third-party risk because they have more third parties.
But Moriah Hara pointed to two other reasons healthcare faces growing cyber threats: tighter budgets, and a greater likelihood of paying ransoms because of the critical nature of the business. In other words, healthcare organizations cannot afford to have life-saving services taken offline for long periods of time.
The geography of cyber threats
The discussion shifted to another SecurityScorecard report, the Cyber Resilience Scorecard, which was presented earlier this year at the World Economic Forum Annual Meeting in Davos. This research found that ten threat actor groups are responsible for 44% of global cyber incidents. Notably, 24% of the world’s cyberattacks originate in China and 15% originate in Russia.
North America appears to be a prime target for cyberattackers for two main reasons. The first is economic prosperity: it is where the money is. The second is language: English is the primary spoken language, which makes North American targets more accessible, simply because it is easier to social engineer people and exploit their data if you speak their language.
Aside from monetary incentives, the geopolitical nature of threats cannot be overstated. Nation-state cyberattacks are on the rise worldwide and often flare up during armed conflict, as in the war between Israel and Hamas and Russia’s ongoing war in Ukraine. Recently, the US and UK accused hackers backed by China’s state intelligence agency of conducting a years-long cyberattack campaign that targeted politicians, journalists, and organizations, and the US subsequently announced sanctions against hackers linked to the cyber-espionage group APT31.
Make your vendors a priority
Moriah stressed that hackers are working smarter, not harder: cyber criminals are increasingly conducting major exploits at scale. Their reasoning is simple: “Why spend my time infecting one company, when I can spend that same amount of time infecting one technology company that enables me to infect thousands of other victims?” To that end, she pointed to the SolarWinds Orion breach, in which a single network monitoring product was compromised and a malicious update was delivered to roughly 18,000 customers, including some of the most sophisticated companies in the world.
“Why spend my time infecting one company, when I can spend that same amount of time infecting one technology company that enables me to infect thousands of other victims?”
-Paul Prudhomme
Similarly, just over a month ago, Change Healthcare disclosed that it had been hit by a ransomware attack carried out by the threat actor group BlackCat/ALPHV. The group received a ransom payment of $22 million (350 bitcoin). The attack occurred at the end of February, and the fallout is still ongoing: UnitedHealth Group (UHG), which owns Change, has made payments of $2.5 billion to healthcare providers impacted by the disruption.
Recommendations for managing third-party supply threats
The panel recommends the following steps to protect your organization from third-party supply chain threats:
- Make third-party risk management (TPRM) a key component of your security and vendor selection processes.
- For healthcare organizations in particular, these programs should cover the complex ecosystem of third parties through which patients and their data pass to receive care and billing, as well as the providers of specialized healthcare software.
- Security teams that run the affected software and have not already done so should immediately apply the patches for CVE-2023-34362 (Progress MOVEit Transfer), CVE-2023-4966 (Citrix NetScaler ADC and Gateway), and CVE-2023-45727 (North Grid Proself). Patching does not undo an intrusion that has already occurred, so also check for the indicators of compromise published in the vendor advisories; for CVE-2023-4966 in particular, because the flaw leaked session tokens, terminate existing sessions after patching so that stolen tokens cannot be replayed.
- Don’t pay ransoms to ransomware operators or attackers if you can avoid it. These criminals may not keep their word: they may be unable or unwilling to decrypt your files, or they may sell or leak your data anyway. Furthermore, paying a ransom signals to threat actors that you are susceptible to extortion, making you a more desirable target for future attacks.
To access the full findings and recommendations from the SecurityScorecard 2024 Global Third-Party Cybersecurity Breach Report, download the report now.