Virtually all of the UK’s most valuable publicly traded firms have suppliers that suffered a breach in the past year, according to a new report from SecurityScorecard.
The security vendor, which is exhibiting at Infosecurity Europe 2024, gathered various data points to calculate the security posture of FTSE 100 firms, for its study, The United Kingdom Top 100 Companies: Cybersecurity Threat Report. Each was given an overall score, graded A-F, based on 10 factors that predict a security breach.
UK firms in general were given higher scores than their continental neighbors. Just 24% received a C grade or below, compared to much higher shares in France (40%), Italy (41%) and Germany (34%).
However, 12% experienced a security breach over the reporting period (March 2023-March 2024) versus 8% of German companies, 7% of French organizations and just 3% of Italian firms.
Read more on supply chain breaches: Thousands of Dollar Tree Staff Hit By Supplier Breach
This could be explained in part by supply chain exposure. Some 97% of UK FTSE 100 firms had a breach in their third-party ecosystem – compared to 94% in Germany and 95% in Italy.
SecurityScorecard warned that threat actors are increasingly targeting smaller suppliers to reach their better protected partners, using the former as a stepping stone into the corporate networks and systems of the latter.
“Third-party risk management is a key component of any robust cybersecurity program, and the companies represented in this report would benefit by making it a priority. Organizations in the UK and in Europe as a whole need to do more now if they are going to be ready for the implementation of DORA [Digital Operational Resilience Act] by January 2025, as well as the NIS2 directive,” argued Will Gray, director of Northern Europe for SecurityScorecard.
“The rise of data breaches across Europe demonstrates that UK companies still need to make third-party risk management (TPRM) an integral component of not only their security program but of their vendor selection process as well.”
Yet it’s not just third-party risk facing these organizations – SecurityScorecard also found that 97% of the FTSE 100 had a breach in their fourth-party ecosystem.
These can be particularly hard to detect and mitigate, as they effectively mean a supplier has had a breach in its own supply chain.
Many organizations suffered the impact of such breaches in the MOVEit campaign. Clients of payroll provider Zellis such as the BBC, Boots and BA were impacted when the firm suffered a breach via the popular file transfer software.
SecurityScorecard claimed that the energy and “basic materials” sectors were the most secure, with only 12% and 16% of companies in these sectors reporting third-party breaches.
None in these sectors received a C rating or below, while in financial services, only 5% did. The communications sector had the lowest overall security posture, with 70% given a C rating or below.