ETFOptimize | High-performance ETF-based Investment Strategies

SecurityScorecard Third-Party Breach Report Reveals Software Supply Chain as Top Target for Ransomware Groups

SecurityScorecard today released its Global Third-Party Cybersecurity Breach Report. Using the world’s largest proprietary risk and threat data set, SecurityScorecard STRIKE threat hunters analyzed threat groups’ mass exploitation of supply chain vulnerabilities.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20240228143611/en/

(Graphic: SecurityScorecard)

Key findings include:

  • 75% of third-party breaches targeted the software and technology supply chain

    Technology supply chain vulnerabilities let threat actors scale their operations with minimal effort: one exploitable flaw in a widely deployed product yields access to every customer running it. With 75% of organizations at the highest levels of program maturity reporting that their third-party risk program was still manual as of 2021 [1], companies must work toward automating vendor identification and cyber risk management across their entire digital ecosystem.
  • 64% of third-party breaches linked to Cl0p

    The cybercrime group Cl0p was responsible for 64% of attributable third-party breaches in 2023; the next most active group, LockBit, accounted for only 7%. Cl0p's dominance was driven by its mass exploitation of CVE-2023-34362, a critical zero-day SQL injection vulnerability in Progress MOVEit Transfer.
  • 61% of third-party breaches attributed to MOVEit (CVE-2023-34362)

    The three most widely exploited vulnerabilities (MOVEit, CitrixBleed in Citrix NetScaler ADC/Gateway (CVE-2023-4966), and Proself) were involved in 77% of all third-party breaches for which a specific vulnerability was identified. One reason for the MOVEit zero-day's outsized impact is that the affected file-transfer servers are often run by service providers on behalf of their own customers, so a single exploited instance exposed data belonging to the provider's customers, those customers' customers, and beyond: third-, fourth-, and even fifth-party compromises.
  • At least 29% of breaches have third-party attack vectors

    STRIKE found that approximately 29% of all breaches in 2023 were attributable to a third-party attack vector. This number likely underestimates the actual percentage, as many reports on breaches do not specify an attack vector.
  • 35% of third-party breaches affected healthcare organizations

    Healthcare and financial services emerged as the sectors most heavily impacted by third-party breaches, with healthcare accounting for 35% of total breaches and financial services accounting for 16%.
  • 64% of all third-party breaches occurred in North America

    The U.S. alone represents 63%. However, geographic variations may be harder to detect due to the overwhelming focus of news media and security vendors on breaches in the U.S. and other English-speaking countries.
  • 48% of all breaches in Japan involved a third-party attack vector

    While third-party breaches are common globally, Japan stood out with a significantly higher rate. As a hub for automotive, manufacturing, technology, and financial services, Japanese companies face significant supply chain cyber risk due to international dependencies.

Covering adversary activity in 2023, the report is the first to use SecurityScorecard’s new BreachDetails threat intelligence solution. With BreachDetails, SecurityScorecard increased the level of breach data coverage by 50% compared to other breach notice providers by using AI to analyze news articles, ransomware notifications, and international sources.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, SecurityScorecard, said:

“The supplier ecosystem is a highly desirable target for ransomware groups. Third-party breach victims are often not aware of an incident until they receive a ransomware note, allowing time for attackers to infiltrate hundreds of companies without being detected.”

Third-party cyber risk is a business risk

As cited in the SEC's new cybersecurity incident disclosure rules, SecurityScorecard found that 98% of organizations have a relationship with at least one third party that has been breached. According to Gartner® Research, "The cost of a third-party cyber breach is typically 40% higher than the cost to remediate an internal cybersecurity breach." [2] With the average cost of a data breach reaching $4.45 million in 2023, organizations must proactively operationalize supply chain cyber risk management to reduce business risk.

Dr. Aleksandr Yampolskiy, CEO and Co-Founder, SecurityScorecard, stated:

“In the digital age, trust is synonymous with cybersecurity. Companies must improve resilience by implementing continuous, metrics-driven, business-aligned cyber risk management across their digital and third-party ecosystems.”

For more in-depth analysis and to download the report, visit: https://securityscorecard.com/reports/third-party-cyber-risk/

[1] Forrester, "The State Of Third-Party Risk Management, 2022," Alla Valente, October 20, 2022.

[2] Gartner, "4 Third-Party Risk Principles That CISOs Must Adopt," Luke Ellery and Sam Olyaei, June 21, 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

About STRIKE

The STRIKE threat intelligence team combines unique threat intelligence, incident response experience, and supply chain cyber risk expertise. Backed by SecurityScorecard technology, STRIKE is a strategic advisor to CISOs worldwide. STRIKE threat research empowers organizations to understand supply chain cyber risk and adversary attribution.

About SecurityScorecard

Funded by world-class investors, including Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings, response, and resilience, with more than 12 million companies continuously rated.

Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented security ratings technology is used by over 25,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight.

SecurityScorecard makes the world safer by transforming how companies understand, improve, and communicate cybersecurity risk to their boards, employees, and vendors. SecurityScorecard achieved the Federal Risk and Authorization Management Program (FedRAMP) Ready designation, highlighting the company’s robust security standards to protect customer information, and is listed as a free cyber tool and service by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Every organization has the universal right to its trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.
