90%+ Of Energy Companies Have Experienced 3rd And 4th-Party Breaches
According to SecurityScorecard’s new Energy Sector Third-Party Cyber Risk Report, almost 90% of the world’s 48 biggest energy companies have suffered a supply chain data breach in the past 12 months, and of the 2000-plus third-party vendors surveyed, only 4% experienced breaches themselves.
The report highlights the risks of so-called “fourth-party” breaches where breaches occur at suppliers of suppliers. 100% of US and UK companies experienced a fourth-party breach in the past year, and 92% globally.
Notably, the UK energy firms were given the highest average security rating, with 80% holding a B or above. Overall, a third of global firms had a C rating or below.
“Preventing the surge of supply chain attacks requires systematically applying real time data triggering automated workflow to manage risk in the digital ecosystem,” argued chairman of the SecurityScorecard Cybersecurity Advisory Board, Jim Routh.
Stephen Gates, Principal Security SME, Horizon3.ai, had this to say:
“In the context of avoiding, reducing, transferring, and/or accepting risk, it’s clear that the global energy sector must do more to manage their expansive cyber risk landscape. Seeing that a third-party or even fourth-party breach could impact the entire sector, the transfer of risk to upstream or downstream partners will no longer be acceptable.
“We predict that the global energy sector (and other sectors too) will no longer accept some other party’s risk, and as a result, the sector will launch some sort of Global Supply Chain Cyber Risk Management Program. This program will likely include mandatory and continuous self-assessments to ensure one entity is not transferring their cyber risk to other adjacent entities.
“These self-assessments will not be the once-per-year penetration test or some sort of periodic vulnerability scan. Instead, these self-assessment requirements will demand that entities use both manual and autonomous assessment techniques and technologies that mimic attacker TTPs. In other words, organizations will be forced to attack themselves regularly just like any other attacker would to prove they can fend off an attack and not transfer their risk elsewhere.
“These red team, adversarial-like assessment exercises will be used by organizations to discover their truly exploitable weaknesses and help them rapidly remediate them so they can prove their own risks are not being transferred to their various partners. Organizations will need to provide assessment reports on-demand to their adjacent partners, track improvement over time, and attest to the fact that they are not vulnerable to the latest known exploitable vulnerabilities the energy sector may be subject to.”
Craig Harber, Security Evangelist, Open Systems, follows with this:
“Third-party suppliers are critical to the operation of most modern businesses. Their systems are interconnected to form a trust relationship to prevent supply chain attacks, data breaches, and reputation damage. Unfortunately, the resulting ecosystem of connected companies has become a favored attack path for attackers to gain access to larger companies that tend to have larger budgets and more resources to invest in cybersecurity. So, it is not surprising that when extended to include fourth-party suppliers with even smaller cyber budgets, 100% of the companies surveyed reported they had experienced a breach in the past year. The confirmation of the almost universal experience of third- and fourth-party supply breaches highlights the importance of implementing third- and fourth-party risk management to help mitigate undue risks and costs associated with this very real cyber risk.”
The fact that so many companies in this sector are victims of third- and fourth-party breaches is a #Fail of epic proportions. Companies in this sector can and must do better to make sure that they don’t get pwned because they don’t hold their suppliers to account.
This entry was posted on December 8, 2023 at 8:19 am and is filed under Commentary with tags SecurityScorecard. You can follow any responses to this entry through the RSS 2.0 feed.