SecurityScorecard today released new research revealing that 90% of the world’s leading energy companies experienced a third-party data breach in the past 12 months. The research highlights how the energy industry faces a significant threat from third-party risks, where attackers target an organization’s vendor ecosystem.
Using AI-powered data breach intelligence and elite threat researchers, SecurityScorecard actively identifies, measures, and manages risk of emerging threats across the supply chain. Key findings from this research include:
- 90% of the largest global energy companies had a third-party breach in the past 12 months.
- 100% of the top 10 U.S. energy companies experienced a third-party breach.
- 92% of the energy companies evaluated have been exposed to a fourth-party breach.
- 33% of energy companies had a C Security Rating or below, indicating higher likelihood of breach.
- In the last 90 days, SecurityScorecard identified 264 breach incidents related to third-party compromises.
- MOVEit was the most prevalent third-party vulnerability in the last six months, with hundreds of companies impacted around the world.
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, SecurityScorecard, said: “More than two years after the major U.S. pipeline ransomware incident, the world still lacks a common framework for measuring cyber risk. Transparency and information sharing about cybersecurity is critical for national security.”
SecurityScorecard analyzed more than 2,000 third-party vendors and discovered that only 4% of them had experienced breaches themselves. However, a striking 90% of the evaluated companies suffered from third-party breaches. When attackers successfully compromise a widely-used software, they can potentially access all organizations that rely on that software.
Majority underestimate cyberattacks on third-party ecosystem
As cited by the new SEC cyber incident disclosure requirements, SecurityScorecard research found that 98% of organizations use at least one third-party vendor that has experienced a breach in the last two years.
Jim Routh, Fortune 500 CISO and Senior Advisor and Chairman, SecurityScorecard Cybersecurity Advisory Board, added: “Hope and prayer may be useful but are clearly not sustainable strategies. Preventing the surge of supply chain attacks requires systematically applying real time data triggering automated workflow to manage risk in the digital ecosystem.”
Methodology
SecurityScorecard analyzed the cybersecurity profiles of the 48 largest energy companies in the United States, United Kingdom, France, Germany, and Italy. These companies included the coal, oil, natural gas, and electricity sectors. In total, SecurityScorecard examined over 21,000 domains, and analysis included both their third-party and fourth-party vendors The top 48 companies were ranked by current revenue.
Additional resources
- 2023 SecurityScorecard Energy Sector Third-Party Cyber Risk Report
- Rate the security posture of any vendor on demand
Visit AITechPark for cutting-edge Tech Trends around AI, ML, Cybersecurity, along with AITech News, and timely updates from industry professionals!
