Nearly All Firms Have Ties With Breached Third Parties

The average organization does business with 11 third parties, and 98% of organizations do business with a third party who has suffered a breach, an analysis finds.

Nearly every company does business with, or uses the products of, a third party that has suffered a compromise, which increases the company's own security risk.

That's according to data science firm Cyentia Institute, which has issued an analysis that includes external measurements of security from more than 230,000 organizations provided by cybersecurity risk-management firm SecurityScorecard. It found that the average firm had around 10 third-party relationships, and hundreds of indirect fourth-party relationships, with the typical firm having 60 to 90 times more fourth parties than third parties. Nearly all firms (98%) had at least one third-party partner who had suffered a breach, the report stated.

The IT sector has the most third parties, with an average of 25, while the finance sector has the fewest, at 6.5. Those numbers quickly balloon when fourth-party relationships are included, as does the associated risk. The average firm has an indirect relationship with 200 fourth parties that have had a breach, the analysis found.

The research underscores the sprawling nature of third- and fourth-party relationships for corporations, and the dramatic increase in risk that they can cause, says Wade Baker, founder and partner at the Cyentia Institute.

"Risk goes downhill," he says. "The first parties are more likely to have good security [risk] scores than their third parties, and with fourth parties, the numbers really explode. You need to expect [these firms and products] to not be up to your standards for security."

That's because while many organizations have become more mature regarding their own cyber risks, few are cognizant of the extended risks, Cyentia and SecurityScorecard stated in the analysis.

About the Authors

Robert Lemos

Dark Reading, Contributing writer

Robert Lemos is a veteran technology journalist and a former research engineer. He's written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science and Wired News. He has won five awards for journalism and crunches numbers on various trends using Python and R. 
