Third and fourth-party ecosystems have emerged as a major source of security risk, after new research highlighted that all (100%) of Europe’s biggest financial services companies suffered a breach via their suppliers in the past year.
SecurityScorecard assessed the region’s top companies by market capitalization. It gathered “significant amounts of non-intrusive data” on their security posture, in order to grade them (A-F) “based on 10 factors that are predictive of a security breach.”
Only a quarter (26%) achieved an A grade for cybersecurity resilience, according to SecurityScorecard's grading system. Some 98% suffered a third-party breach, and the same share experienced a fourth-party breach over the past year, the report claimed.
Around a fifth (18%) suffered a direct breach in the period.
Companies with an A rating are 13.8 times less likely to experience a breach compared to those with an F rating.
However, there was significant variance between sectors. A third (33%) of financial services firms were handed a C rating or below – which is particularly concerning given the new EU Digital Operational Resilience Act (DORA) is set to come into force on January 17, 2025.
By contrast, transport had no companies rated C or lower, while in the energy sector three-quarters (75%) were graded C or below.
“Supply chain vulnerabilities remain a critical threat, as adversaries exploit these weak links to infiltrate global networks,” said Ryan Sherstobitoff, SecurityScorecard SVP of threat research and intelligence.
“With regulations like DORA set to reshape cybersecurity standards, European companies must prioritize third-party risk management…to safeguard their ecosystems.”
France Lags Behind the Pack
Scandinavian companies were assessed to be most secure, with only 20% receiving a C rating or lower, compared to the UK (24%), Germany (34%), France (40%), and Italy (41%). France had the highest rate of third- (98%) and fourth-party (100%) vendor breaches.
SecurityScorecard urged companies to improve their resilience to breaches by focusing on:
- Eliminating DNS misconfigurations
- Strengthening the security of all endpoints, by addressing vulnerabilities in laptops, desktops, mobile devices and BYOD devices
- Establishing a consistent and timely patching cadence for all assets