Data breaches beyond numbers: a third-party cyber risk management perspective
The 2024 Data Breach Investigations Report from Verizon is now available for download. As always, the DBIR provides an excellent overview of the current security landscape — an exploration into how breaches emerge in the real world, and what they mean for businesses of all sizes and industries.
One of the key changes this year is in the scope of what can be defined as a breach involving a third-party. This time, it “includes partner infrastructure being affected and direct or indirect software supply chain issues including when an organization is affected by vulnerabilities in third-party software.”
By this revised definition, called “supply chain interconnection,” 15% of all breaches this year involve a third-party, a 68% increase from last year that is attributed to ransomware and extortion attacks leveraging zero-day exploits.
As our focus here at Tenchi is third-party cyber risk management, we’d like to share some thoughts on the report — particularly regarding this figure — as well as other statistics that can provide additional context.
One error, many consequences
A single security failure at a third-party can bring about a cascading impact on several companies or entire ecosystems.
Even if not entirely surprising, it’s still worrying that one incident alone deeply impacted many of the numbers in the 2024 DBIR: the MOVEit Transfer vulnerability exploited by the Cl0p ransomware threat actor. The team at Verizon only managed to identify 1,567 breach notifications related to MOVEit, but did note that CISA stated that Cl0p compromised over 8,000 global organizations, so the weight of this incident chain could be even higher.
Based on the numbers DBIR worked with, this single attack vector could have been responsible for around half of all incidents in the education sector, and 8% of all incidents in the financial sector, which were the two most impacted by the MOVEit problem. Overall, it’s difficult to overstate the impact the MOVEit Transfer saga had on the ransomware and extortion figures for the entire year.
This also means that, if you are in education, the number of third-party breaches this year was a stunning three times the average.
Looking outside the numbers for a moment, we can find instances of organizations that had multiple vendors breached by MOVEit, especially in the education field. This situation creates a new set of challenges for risk management strategies that would rely on redundancy for added availability or confidentiality.
Securing your supply chain with multiple vendors isn’t a solution when several of them can be hit at the same time, which, unfortunately, is very likely. Companies that provide similar services or operate in the same industry often use the same vendors themselves… or even the same software! For the education sector in the United States, that software was MOVEit.
We cannot predict what the next target will be, so the risk isn’t that the education sector will be severely hit again. The risk is that different vendors that have a similar role in other industries will be next, and we should be prepared for that as best as we can.
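To make the concentration problem concrete, here is an added example (not code from the post or from Tenchi) that scans a vendor inventory for "redundant" vendors that share the same underlying software, so that a single component compromise would take all of them out together. The vendor names, functions and components are constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory: each vendor, the business function it covers
# for us, and the software components it depends on (a fourth-party view).
VENDORS = {
    "vendor-a": {"function": "file-transfer", "components": {"MOVEit Transfer", "Windows"}},
    "vendor-b": {"function": "file-transfer", "components": {"MOVEit Transfer", "Linux"}},
    "vendor-c": {"function": "payroll", "components": {"ERP-X", "Linux"}},
    "vendor-d": {"function": "payroll", "components": {"ERP-Y", "Windows"}},
}


def component_blast_radius(vendors):
    """Map each software component to the set of vendors that depend on it."""
    radius = defaultdict(set)
    for name, info in vendors.items():
        for component in info["components"]:
            radius[component].add(name)
    return dict(radius)


def false_redundancy(vendors):
    """Find functions whose vendors all share a component.

    Returns {function: {component: vendors}} for every function covered by
    two or more vendors where a single component is common to all of them,
    i.e. the apparent redundancy collapses to one dependency.
    """
    by_function = defaultdict(set)
    for name, info in vendors.items():
        by_function[info["function"]].add(name)
    findings = {}
    for function, names in by_function.items():
        if len(names) < 2:
            continue  # a single vendor offers no redundancy to lose
        shared = set.intersection(*(vendors[n]["components"] for n in names))
        if shared:
            findings[function] = {component: set(names) for component in shared}
    return findings


if __name__ == "__main__":
    for component, dependents in component_blast_radius(VENDORS).items():
        print(f"{component}: {len(dependents)} vendor(s) affected if compromised")
    for function, shared in false_redundancy(VENDORS).items():
        print(f"{function}: redundancy collapses on {sorted(shared)}")
```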
Are incidents at third parties more serious?
Some studies try to calculate the cost of breaches, but that can be very difficult and imprecise. There are several challenges, including the fact that not every research paper or survey uses the same definitions. As we’ve just seen with DBIR, even the scope of what is a “third-party” or “supply chain” event is still evolving.
In 2021, Kaspersky released a study stating that third-party incidents had become the most costly enterprise data breaches for that year. Still, we think it’s best to look at multiple sources when making a claim this bold.
Early this year, the Identity Theft Resource Center (ITRC) published a report with data on cyberattacks and the volume of personal information leaked.
Out of 3,205 data compromises, the ITRC identified 242 supply chain attacks affecting 2,727 entities and 54,282,305 victims. On average, that is 11.2 entities and 224,307 victims per attack, higher than the overall average of 110,149 victims per incident.
This does indeed suggest that supply chain and third-party attacks usually affect more personal data than other types of incidents.
The World Economic Forum Global Cybersecurity Outlook 2024 report states that 41% of organizations that suffered a material impact from an incident said that a third-party caused it. It appears, then, that third parties are disproportionately represented in this share of incidents that led to material impacts.
Other findings of the WEF survey help explain why. For instance, 54% of organizations believe they do not have sufficient visibility over the vulnerabilities of their supply chain.
One reason for the lack of visibility is that people simply don’t ask: 51% of leaders said that their supply-chain partners had not asked them for proof of their cybersecurity posture.
Although this figure is better for larger organizations, where 71% were asked for proof of their cybersecurity posture, the quality and the timeliness of what is being asked aren’t always helpful. A survey we carried out at one of the Tenchi Conferences showed that many organizations that rely on questionnaires and audits, which are the most common methods of vendor assessment, don’t repeat them more than once a year (we will explore this survey further some other time, so stay tuned).
With DBIR showing both that credential security is still an issue and a 180% increase in the exploitation of vulnerabilities — most of which wouldn’t have existed at the time of the vendor assessment — we should look for solutions that work at the speed of our connections in the modern world.
Where do we go from here?
A lot is happening today in third-party cyber risk management. The concept of “supply chain interconnection” proposed by the team at Verizon is yet another step forward in spreading awareness of the issue.
Still, for those affected by third-party breaches, the problems may be worse than the numbers alone would suggest.
But vendors and suppliers aren’t our enemies — quite the opposite. They’re partners, and that’s one of the keys to solving this problem. We can work together and do things that attackers can’t, such as looking at security infrastructure from within. We shouldn’t waste that advantage by only assessing our vendors externally as an attacker would.
We need to leverage our partnerships, automation, policy, and technology to build and implement more effective solutions and safer ways to share data.