Vendors hit by a cyberattack saw nearly five of their third-party suppliers also compromised per incident in 2022, double the 2.5 entities per vendor in 2021, according to a new study by Black Kite, a cyber risk intelligence company.
In its Third-Party Breach Report, the Boston-based firm called the breach impact and damage “catastrophic,” in its analysis of 63 third-party breaches and nearly 300 publicly disclosed victims. The study’s results should put organizations on “heightened risk in 2023,” Black Kite said.
Managed security service providers (MSSPs) should heed the study’s findings by assessing and shoring up their cyber defenses. This was never more evident than in the SolarWinds attack of 2020 and the Kaseya assault of 2021 that expanded the attack surface to managed service providers (MSPs).
More Findings From the Report
The report’s key findings include:
- Technical services vendors (providing infrastructure services) were the top target of third-party breaches. In the top three for a fourth consecutive year, these vendors were included in 30% of incidents.
- The healthcare industry was the most common victim of third-party breaches accounting for 34% of incidents 2022 – an increase from 2021 – followed by finance (14%) and government (14%).
- Unauthorized network access was the most common root cause of third-party attacks, initiating 40% of the third-party breaches last year. The rise is partially due to the remote work model that has become prevalent with the pandemic.
- Ransomware accounted for 27% of third-party breaches in 2022, a decrease from 2021 due to Russian sanctions, which hinder the ability of Russian-based cybercriminals to act.
- The average time between an attack and the disclosure date was 108 days, with a 50% increase from 2021 and giving threat actors more time to cause significant damage with stolen data.
Commenting on the survey results, Jeffrey Wheatman, Black Kite cyber risk evangelist, said:
“Global business ecosystems continue to get more complex, with every organization increasingly impacted by the cybersecurity posture of their partners, and their partners' partners, and so on. The reality is your attack surface is much bigger than the stuff you can control. But the good news is, you can assess and monitor your extended ecosystem to spot vulnerabilities, take action and avoid catastrophe.”