Worldwide, Organisations Have at Least One Supplier That Has Experienced a Data Breach

Key Points

Source: Global Third-Party Cybersecurity Breaches Report

– The internal governance standards of third-party service providers vary significantly, introducing a quantifiable risk factor for customers engaging their services.

– Effective governance, driven by policy, starts at the procurement stage, establishing the commercial and technical groundwork for the delivery and monitoring of contracted services.

– Customer GRC, procurement, and security teams must create a unified strategy for third-party engagement, covering compliance and daily security operations oversight.

– In Australia, the Auditors’ General and organisations required to comply with standards like SOCI or CPS230 must, by law and procurement policy, implement third-party governance systems that are as comprehensive as their internal controls.

According to the most recent World Economic Forum (WEF) Global Cybersecurity Outlook Report 2024, cyber ecosystem risk is becoming a major problem for businesses and economies alike.

According to WEF, partners within an organisation’s ecosystem can be both its greatest asset and its biggest obstacle to achieving a secure, resilient, and trustworthy digital future.

In the past year, 41% of organisations that experienced a significant incident reported that it was caused by a third party. Additionally, 54% of organisations lack a sufficient understanding of cyber vulnerabilities within their supply chain.

Even among executives who believe their organisation’s cyber resilience meets minimum operational requirements, 64% acknowledge an inadequate understanding of supply-chain cyber vulnerabilities.

Furthermore, 60% of executives agree that cyber and privacy regulations effectively reduce risks within their organisation’s ecosystem, marking a 21% increase since 2022.

WEF interviewed 120 executives at its Annual Meeting on Cybersecurity, and a growing number agree that increasing regulatory obligations are effective in addressing cyber risks.


29% of Security Breaches Have Third-Party Attack Vectors

According to the Global Third-Party Cybersecurity Breaches Report, at least 29% of security breaches have third-party attack vectors.


This kind of interdependence should motivate the most cyber-resilient organisations to proactively assist others within their ecosystem in achieving a stronger cyber posture.

Further data from Security Scorecard, the Cyentia Institute and VPN provider Surfshark shows that:

Prevalence: A staggering 98% of organisations are connected to at least one third party that has experienced a breach in the past two years.

Impact: At least 29% of all data breaches involve third-party attack vectors.

Cost: The average cost of a data breach reached an all-time high of $4.88 million in 2024, with third-party breaches contributing significantly to this figure. The brand reputation and trust implications of breaches also carry substantial consequences for stakeholders.

Costs are far-reaching, including customer compensation, legal costs, regulatory fines and shareholder impacts.

Detection and Response: It takes organisations an average of 204 days to identify a data breach and 73 days to contain it. This is because customers struggle to define and visualise their supply chain.

Despite owning 83 security tools on average, organisations often have limited visibility, fragmented ownership and hidden dependencies, and those dependencies are operated to inconsistent service standards.

Human Element: 74% of all breaches include the human element, such as employee errors or misuse.

Third-Party Examples: Salt Typhoon & Marriott


Salt Typhoon

The implications of human error are evident in the recent Salt Typhoon service provider breaches, which occurred from October 2024 and impacted at least nine U.S. telecom companies and internet service providers, as well as dozens of others around the world.

Cisco revealed that the Salt Typhoon hacking group mainly used credentials stolen from victims. In one case, the group exploited a known vulnerability in Cisco’s software that had been public for seven years.

The US government has confirmed the attacks. Whilst the full impact of the hack is not yet known, the root cause is in part acknowledged as a Cisco router flaw that has been publicly listed in the National Institute of Standards and Technology’s vulnerability database for seven years. Despite Cisco releasing a fix in 2018, unpatched systems remain vulnerable, highlighting that service providers are no less exposed to the consequences of human-centred processes when trying to achieve compliant service delivery.

This recent incident underscores the need for clear operational service obligations that are commercially binding with service providers. The communications sector has frequently been targeted, both for its role in supporting other sectors and for the valuable systems and data it contains.

Marriott

The US Federal Trade Commission (FTC) charged Marriott and Starwood after data breaches affected approximately 344 million customers globally.

The FTC claimed the hospitality operator misrepresented its data security measures and personal information handling protocols. Security deficiencies across internal and third-party controls led to three significant data breaches, exposing extensive personal information, including passport details, payment card data, and loyalty program numbers.

To resolve these allegations, Marriott and Starwood must establish an extensive cybersecurity program. This includes designating a program leader, providing consistent governance updates, and systematically documenting and monitoring the program’s progress.

The directive also mandates regular staff training on protecting sensitive information, implementing multi-factor authentication for remote access, and enhancing safeguards around customer data storage. Additionally, thorough vendor assessment and oversight are required to ensure third-party compliance with internal standards.


Which Third-Party Providers Are Most At Risk?

Some key statistics on third-party security breaches worldwide, from Security Scorecard and the Cyentia Institute:

Healthcare and financial services industries experienced the highest volume of third-party breaches. In healthcare, there were several high-profile hacks in 2024 that had implications ranging from organisations pushed into receivership to pending class actions.

Third-party breaches in healthcare and financial services constituted the largest and second-largest shares of third-party breaches.

Third-party breaches in the technology and telecommunications vertical were a smaller share of third-party breaches.

This sector had the highest rate (43%) of third-party breaches. Most of these breaches (76%) involved software or technology products and services. The remaining 25% of third-party breaches involved non-technical products or services. 

Government entities are prime targets due to the critical and sensitive information they handle. A significant percentage of breaches in this sector involve third-party vendors.

Banks and financial institutions are attractive targets for cybercriminals due to the potential financial gain. For instance, Bank of America recently experienced a breach through a third-party provider.

Educational institutions often have less stringent cybersecurity measures, making them easy targets for attackers.

The retail sector is frequently targeted due to the high transaction volume and customer data processing.

Energy and utilities are critical to national infrastructure, making them high-value targets for cyberattacks.

These industries need to focus on strong cybersecurity and managing third-party risks to reduce the chances of breaches.

B2B relationships that enabled third-party breaches were divided into 22 different categories.

The most significant finding was that three-quarters (75%) of these relationships were technical in nature, involving the provision of software or other information technology (IT) products and services. The remaining 25% of third-party breaches were caused by a variety of non-technical relationships.

Why is Managing Third-Party Supplier Compliance So Hard?


Managing third-party supplier compliance can be challenging for several reasons:

1. Diverse Standards: Different suppliers may follow various compliance standards, making it difficult to ensure uniformity across all third parties. Customers often operate to different compliance standards than their service providers do.

2. Complex Supply Chains: Modern supply chains can be extensive and complex, involving multiple layers of suppliers, each with their own compliance requirements. Operational accountabilities are not clearly documented or visualised.

3. Lack of Visibility: Organisations often have limited visibility into the internal processes and controls of their suppliers, making it hard to assess compliance accurately. Monitoring tools are rarely configured to report on standards and compliance.

4. Dynamic Regulations: Compliance requirements can change frequently, and keeping up with these changes across all third parties can be overwhelming. Technical teams are not experts in GRC or procurement, and there is often a lack of shared understanding between these groups.

5. Resource Constraints: Ensuring compliance requires significant resources, including time, money, and expertise, which may be limited. Compliance risks being seen as a cost of doing business and may be treated as a tick-and-flick exercise, with dramatic consequences.

6. Data Security: Protecting sensitive data shared with third parties adds another layer of complexity, as it requires robust security measures and constant monitoring. Many organisations lack mature processes for delivering to heightened compliance standards.

7. Communication Gaps: Effective communication between the organisation and its suppliers is crucial but can be hindered by differences in language, culture, and business practices. Layers of accountability are not easily visualised using traditional monitoring approaches.


How Can I Make It Easier?


Since 2015, Ikara has been helping customers simplify their compliance and governance needs by transforming them into policy-driven visualisations of performance, security, and contract obligations with third-party suppliers. Here’s what we have learned along the way about third-party risk management and making it integral to your security program and vendor selection processes.

Making third-party supplier compliance easier involves several strategies:

1. Define Clear Standards: Establish and communicate clear compliance standards that your suppliers must meet. This sets expectations from the start. Be specific with suppliers about which measures will be monitored, from which platforms, and how each is linked to a performance clause in the contract.

2. Use Technology: Implement third-party risk management software to automate and streamline compliance processes. Tools like Ikara can help manage and monitor supplier compliance effectively.

3. Conduct Thorough Onboarding: Perform comprehensive due diligence during the supplier onboarding process to ensure they meet your compliance requirements from the beginning. Ask them to show you how they know they are operationally compliant in service delivery before you agree to do business.

4. Transition Point-in-Time Audits to Always-On Assessments: Moving from point-in-time audits to continuously monitored supplier compliance drives different behaviours. What gets monitored gets managed, and the immediacy of insights allows teams to address issues more promptly whilst building an accountable culture.

5. Foster Open Communication: Maintain open lines of communication with your suppliers to address compliance issues quickly and collaboratively. Visualising KPI and SLA compliance removes nasty surprises, reduces blame dynamics and improves team cohesion.

6. Training and Awareness: Provide training and resources to both your team and suppliers to ensure everyone understands the compliance requirements and their importance. Visualising the elements in supplier contracts versus elements in your teams’ control is essential in creating a shared vision.

7. Stay Updated on Regulations: Keep up with changing regulations and update your compliance standards accordingly to ensure ongoing adherence. Establishing relationships with suppliers who can provide support for new standards during a period of contracted service delivery is a foundation for preserving adaptability and risk management.

By implementing these strategies, you can simplify the process of managing third-party supplier compliance and reduce associated risks.

Lower your risk, increase service delivery velocity, and improve productivity, profitability and customer trust.