Press February 1, 2023

SecurityScorecard Research Shows 98% of Organizations Globally Have Relationships With At Least One Breached Third-Party

Information Services Sector Has 2.5 Times the Number of Third-Party Relationships than the Overall Average; Finance Sector Claims the Fewest Third-Party Relationships.

NEW YORK – February 1, 2022 – SecurityScorecard, the global leader in cybersecurity ratings, and The Cyentia Institute, an independent cybersecurity research firm, today published research that found 98 percent of organizations have vendor relationships with at least one third-party that has experienced a breach in the last two years. The study, Close Encounters of the Third (and Fourth) Party Kind, also found that 50 percent of organizations have indirect relationships with at least 200 breached fourth-party vendors in the last two years.

“An organizations’ attack surface spans beyond just the technology that they own or control, ” said Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard. “Organizations need visibility into the security ratings of their entire third and fourth party ecosystem so that they can know in an instant whether an organization deserves their trust and can take proactive steps to mitigate risk.”

The study, which analyzed data from over 235,000 (primary) organizations across the globe and more than 73,000 vendors and products used by them directly (third-parties) or used by their vendors (fourth-parties), offers an in-depth examination of how the interdependence of modern digital supply chains impacts organizational cyber risk exposure.

Key Report Findings

  • Security Suffers The More Third- and Fourth-Parties You Have: For every third-party vendor in their supply chain, organizations typically have indirect relationships with 60 to 90 times that number of fourth-party relationships. Research showed that compared to the primary organization, third-party vendors are five times more likely to exhibit poor security. Approximately 10% of third-party vendors receive an F rating among organizations that earn an A rating for their own security posture.
  • Information Services Leads in Third-parties: The research revealed the Information Services sector maintained an average of 25 vendors– 2.5 times the number of third party-relationships than the overall average of 10. The Finance sector was on the other end of the spectrum averaging 6.5 third-party relationships. The healthcare sector averaged 15.5 vendors per organization and the Insurance sector averaged 11 vendors. “Each of these third-party relations represents exposure to risk,” continued Baker. “In some cases due to compromised third-party code, or in others due to usage of an insecure hosting provider.”
  • Exposing Data to International Third-parties Increases Regulatory and Security Requirements: While examining the regional dimension of third-party relationships, SecurityScorecard found that 59% of organizations have vendors from five or fewer countries, while roughly 14% work with vendors spanning 10 or more countries.

“SecurityScorecard’s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have. Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk,” said Wade Baker, partner and co-founder at The Cyentia Institute. “By having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk.”

Additional resources

About SecurityScorecard

Funded by world-class investors including Evolution Equity Partners, Silver Lake Waterman, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented rating technology is used by over 30,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree approach to security prevention and response for its worldwide customer and partner base. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. Every organization has the universal right to their trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.

About The Cyentia Institute

The Cyentia Institute is a research and data science firm working to advance cybersecurity knowledge and practice. Cyentia pursues this goal through data-driven studies like this one and through a growing portfolio of analytic services. Learn more at www.cyentia.com.

Media contact

Ashley Nakano
SecurityScorecard
[email protected]