Virtually all (99%) of the world’s most profitable public companies have IT vendors that suffered a recent security breach, according to new data from SecurityScorecard.
The security vendor drew on its automatic vendor detection capability and in-house intelligence to compile the report, Global 2000: Industry Titans Battle the Beast of Supply Chain Cyber Risk. It covers breaches between Q4 2022 and Q1 2024.
The study claimed that 18,000 different technology and service products are directly used by the Global 2000 and supplied by over 8000 vendors, with the median figure at 361 products, supplied by 144 vendors.
Some 20% of vendors used by the Global 2000 have been breached in the past 15 months on average. Around 40% of Global 2000 firms have between 21 and 50 recently breached vendors, while 15% operate in third-party ecosystems that contain 50 or more vendors with known breaches.
A supplier breach doesn’t necessarily mean that the Global 2000 firm has been directly impacted. However, SecurityScorecard warned that supply chain incidents cost 17 times more to remediate and manage than first-party breaches.
The report also sounded the alarm over “concentration risk,” which stems from the fact that reliance on ubiquitous technologies can create massive single points of failure, which lead to widespread impacts.
For example, each of the eight most widely deployed vendors is used by at least 80% of Global 2000 companies. Meanwhile, 90% of Global 2000 firms provide products and services to other Global 2000 firms, compounding the risk, the report warned.
Total estimated losses from Global 2000 breaches ranged between $20bn and $80bn over the 15-month period.
“The world is only beginning to grasp the potential for chaos caused by concentration risk,” argued SecurityScorecard SVP of threat research and intelligence, Ryan Sherstobitoff.
“Understanding and managing your supply chain is critical to protect business continuity. It’s not just about preventing disruptions; it’s about safeguarding the very foundation of our interconnected economy.”
To mitigate supply chain risk, the firm urged companies to:
- Continuously monitor the external attack surface with automated scanning
- Identify single points of failure
- Automatically detect new vendors
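The last two recommendations can be checked against a vendor inventory with a few lines of code. The following is an added example, not code or data from SecurityScorecard or the report: the company-to-vendor inventory, the prior snapshot and the list of recently breached vendors are all constructed, and the 80% prevalence threshold and the 21-50 / 50+ exposure buckets are the figures quoted above.

```python
"""Toy supply-chain concentration-risk analysis.

Added example; the inventory, prior snapshot and breach list are constructed
and do not describe any real vendor or company.
"""
from collections import Counter

# Constructed sample: company -> set of third-party products it depends on.
INVENTORY = {
    "acme": {"cloudhost", "idp", "mailgw", "crm"},
    "globex": {"cloudhost", "idp", "erp"},
    "initech": {"cloudhost", "idp", "mailgw", "hr-saas"},
    "umbrella": {"cloudhost", "mailgw", "erp", "crm"},
    "hooli": {"cloudhost", "idp", "erp", "crm", "mailgw"},
}

# Constructed: the same inventory as captured at the previous review cycle.
PREVIOUS_INVENTORY = {
    "acme": {"cloudhost", "idp", "mailgw"},
    "globex": {"cloudhost", "idp", "erp"},
    "initech": {"cloudhost", "idp", "mailgw", "hr-saas"},
    "umbrella": {"cloudhost", "mailgw", "erp", "crm"},
}

# Constructed: vendors with a publicly known breach inside the look-back window.
RECENTLY_BREACHED = {"mailgw", "hr-saas"}


def vendor_prevalence(inventory):
    """Return {vendor: fraction of companies in the inventory that use it}."""
    counts = Counter(v for vendors in inventory.values() for v in vendors)
    n = len(inventory)
    return {v: c / n for v, c in counts.items()}


def single_points_of_failure(inventory, threshold=0.8):
    """Vendors used by at least `threshold` of companies: the concentration
    risk the report describes, where one vendor outage or breach hits most
    of the population at once."""
    prevalence = vendor_prevalence(inventory)
    return sorted(v for v, p in prevalence.items() if p >= threshold)


def breached_vendor_exposure(inventory, breached):
    """Per company, the subset of its vendors with a known recent breach."""
    return {c: sorted(vs & breached) for c, vs in inventory.items()}


def exposure_bucket(count):
    """Bucket a company's breached-vendor count using the report's bands."""
    if count >= 50:
        return "50+"
    if count >= 21:
        return "21-50"
    return "under 21"


def new_vendors(previous, current):
    """Vendors present in the current inventory but absent from the previous
    snapshot; a company missing from the snapshot reports all of its vendors."""
    return {
        c: sorted(vs - previous.get(c, set()))
        for c, vs in current.items()
    }


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(INVENTORY))
    for company, hits in breached_vendor_exposure(INVENTORY, RECENTLY_BREACHED).items():
        print(f"{company}: {len(hits)} breached vendor(s) ({exposure_bucket(len(hits))}) {hits}")
    print("new since last snapshot:", new_vendors(PREVIOUS_INVENTORY, INVENTORY))
```

In practice the inventory comes from procurement records, SaaS discovery or DNS/TLS scanning of the external attack surface, and the breach list from a threat-intelligence feed; the logic above is what turns those two inputs into the "which vendors are everywhere" and "which of mine were just breached" questions the report raises.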