Examining the Concentration of Cyber Risk: How supply chains and global economies can adapt

Company mergers, the consolidation of cloud technologies, and the interconnected nature of digital business have all led to a more efficient, fast-paced digital economy. But these advantages have also ushered in a higher degree of cyber risk concentration that stands to threaten national security and global economies. It’s against this backdrop that SecurityScorecard has released its report, “Redefining Resilience: Concentrated Cyber Risk in a Global Economy,” with knowledge contributions from McKinsey and Company. 

The most notable finding from this research points to an extreme concentration of cyber risk in just 15 vendors worldwide, while also detailing a surge in adversaries exploiting third-party vulnerabilities. These 15 companies alone have a market share of 62% of technology products and services detected. The sheer scale of these companies amplifies their risk of compromise, and their enormous attack surfaces make it extremely difficult for even the largest and most well-funded and vigilant security teams to defend them. As a result, security teams have to get it right every time, whereas an attacker only has to find one entry point in their vast attack surfaces to compromise them. 

Because of their large influence, these companies have greater potential to inflict third-party harm on their customers due to their lower security ratings and extremely large market share. These vulnerabilities are the root of many recent, high-profile supply chain attacks that have crippled critical industries. Take, for instance, the cyberattack on Change Healthcare, a major player in medical claims processing in the United States. The February 2024 attack continues to have broad repercussions across the healthcare sector, forcing the company to disconnect over 100 systems and bringing many providers to the brink of closure. 

The group behind the attack on Change Healthcare, known as ALPHV or BlackCat, shares ties with the criminal organization responsible for the infamous Colonial Pipeline attack in 2021. The prevalence of just a few groups being responsible for such large-scale supply disruptions points to much larger concerns about the concentration of risk in the global economy. To highlight this, SecurityScorecard’s Global Cyber Resilience Scorecard found that ten threat actor groups are responsible for 44% of global cyber incidents. 

Exploiting vulnerabilities at scale

Threat actors (such as C10p, LockBit, and BlackCat) are beginning to methodically target third-party vulnerabilities at scale, outlined further in our Global Third-Party Cybersecurity Breach Report. Such vulnerabilities in standard software have become popular attack vectors because of the potential to infect so many victims with relatively little labor input. The most glaring example of this trend was CVE-2023-34362, a critical zero-day SQL injection vulnerability in the MOVEit file transfer software of Progress Software. The ransomware group C10p exploited it in an unusually large-scale campaign in May-June 2023 that affected an unusually large number of victims both directly and via third-party breaches. 

Many organizations that used MOVEit experienced direct compromises. Many organizations that did not use MOVEit themselves but relied on vendors that used it experienced third-party data breaches via those vendors. SecurityScorecard research identified CVE-2023-34362 the most widely exploited vulnerability of 2023 and a top third-party attack vector. Though still ongoing, the MOVEit breach alone is projected to cost around $65B USD. 

The importance of fourth-party risk

While third parties typically receive most of the supply chain scrutiny, fourth-party vendors also create significant risk, which highlights the importance of identifying and assessing the security posture of all Nth parties in a company’s digital ecosystem. As a result, cybersecurity and business leaders alike would benefit from increasing top-level buy-in to defend critical business processes against these Nth party risks. 

Additionally, CISOs should bolster defenses to reduce risk to protect what matters most due to this increased risk. This involves: 

Identifying single points of failure

• Map the critical business processes and technologies to the people that power them to identify any single points of failure. 
• Zero in on the third parties that business continuity depends on. Create a watch list with these “single point of failure” vendors. 
• Automate continuous monitoring, action plans for improvement, collaboration, and vulnerability remediation validation.

Continuously monitoring external attack surface

• Cybersecurity monitoring is a threat detection strategy that uses automation to constantly scan your IT ecosystem for control weaknesses, sending alerts to a security incident and event management (SIEM) system. 
• Companies can use the same threat intelligence they use for their defense against their critical suppliers and inform vendors if they become aware they are at risk.

Automatically detecting new vendors

• Identify cybersecurity concerns across the global vendor landscape and partner with those vendors to improve. 
• Use an automated solution that passively monitors your vendors’ IT deployments to give you valuable visibility into how well they manage cybersecurity risk.

Operationalizing vendor cybersecurity management

• Cybersecurity managed services can own communication directly with third parties to resolve issues on your behalf, including providing support that enables risk resolution. Making sure the response is ready and linked to the Incident Response (IR) playbook. Be able to identify, contain, eradicate, and recover from a cyber attack; if we were to replay Change Healthcare, companies must have an alternative payment process on standby OR be prepared to manage paper claims internally.

As cybersecurity budgets expand, so too do the number of vendors that organizations do business with. Innovation, speed, and ease of use drive competitiveness, but they also open up opportunities for threat actors to exploit third- and fourth-party vulnerabilities. Organizations that seek to position themselves most effectively for the next five years must simultaneously take a proactive posture to building defensive capabilities. Just as a strong investment portfolio is diversified, a strong digital economy should reduce its reliance on a handful of vendors to avoid significant disruptions. With this approach, organizations can ensure greater resilience and, by extension, a safer world.