Almost all (90%) of the 48 largest energy companies analyzed have suffered a supply chain data breach in the past 12 months, according to new data from SecurityScorecard.
The security resilience vendor analyzed the cybersecurity posture of the largest coal, oil, natural gas and electricity companies in the US, UK, France, Germany and Italy, as well as their suppliers – covering 21,000 domains.
Its resulting Energy Sector Third-Party Cyber Risk Report identified 264 breach incidents related to third-party compromises in the past 90 days alone.
Some countries fared worse than others: all (100%) of the top 10 US energy companies experienced a third-party breach in the past year.
UK energy firms were given the highest average security rating, with 80% holding a B or above. Overall, a third of global firms had a C rating or below, indicating a higher likelihood of breach.
Interestingly, of the 2,000+ third-party vendors analyzed for the report, just 4% experienced breaches themselves. Yet this small percentage had an outsized impact on their clients’ security posture, because a single widely used vendor sits in the supply chain of many customers at once.
Unsurprisingly, the vulnerability in Progress Software’s MOVEit Transfer file-transfer product was the most prevalent third-party vulnerability of the past six months.
The report also highlighted the dangers of so-called “fourth-party” breaches – that is, breaches at suppliers of suppliers. All US and UK companies experienced a fourth-party breach in the past year, and 92% of global energy firms have been exposed to such incidents.
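The supplier-of-a-supplier exposure the report describes is easiest to reason about as a walk over a supplier graph: a company's direct vendors are its third parties (tier 1), their vendors are its fourth parties (tier 2), and so on. The following is an added example, not code from SecurityScorecard or from the report; the company and vendor names, the graph and the breached vendors are constructed for illustration. It shows both views a practitioner wants: from a company outward (which breached vendors can it reach, and how) and from a vendor inward (which companies does one compromised vendor expose).

```python
from collections import deque

# Constructed example data (not from the report). Each key lists the
# organisations it buys services from. Tier 1 from a company's point of view
# is a third party; tier 2 is a fourth party.
SUPPLIER_GRAPH = {
    "EnergyCo-A": ["FileTransferCo", "BillingCo"],
    "EnergyCo-B": ["BillingCo", "GridSoftwareCo"],
    "EnergyCo-C": ["GridSoftwareCo"],
    "EnergyCo-D": ["MeteringCo"],
    "FileTransferCo": [],
    "BillingCo": ["FileTransferCo", "CloudHostCo"],
    "GridSoftwareCo": ["CloudHostCo"],
    "MeteringCo": ["CloudHostCo"],
    "CloudHostCo": [],
}

COMPANIES = ["EnergyCo-A", "EnergyCo-B", "EnergyCo-C", "EnergyCo-D"]

# Vendors with a confirmed incident (constructed for the example).
BREACHED = {"FileTransferCo"}


def exposure(company, graph, breached, max_tier=3):
    """Breadth-first walk of the supplier graph starting at `company`.

    Returns {breached_vendor: (tier, path)} holding the shallowest path from
    the company to each breached vendor reachable within `max_tier` hops.
    BFS guarantees the first time a vendor is seen is via a shortest path;
    the `seen` set also protects against cycles in the graph.
    """
    found = {}
    seen = {company}
    queue = deque([(company, 0, [company])])
    while queue:
        node, tier, path = queue.popleft()
        if tier == max_tier:
            continue  # do not expand past the tier limit
        for supplier in graph.get(node, []):
            if supplier in seen:
                continue
            seen.add(supplier)
            new_path = path + [supplier]
            if supplier in breached:
                found[supplier] = (tier + 1, new_path)
            queue.append((supplier, tier + 1, new_path))
    return found


def nearest_tier(company, graph, breached, max_tier=3):
    """Closest tier at which a breached vendor sits, or None if unexposed."""
    hits = exposure(company, graph, breached, max_tier)
    return min((tier for tier, _ in hits.values()), default=None)


def blast_radius(vendor, graph, companies, max_tier=3):
    """Vendor-centric view: every company that reaches `vendor` through its
    supply chain, mapped to the tier at which it is exposed."""
    out = {}
    for company in companies:
        hit = exposure(company, graph, {vendor}, max_tier).get(vendor)
        if hit:
            out[company] = hit[0]
    return out


if __name__ == "__main__":
    for company in COMPANIES:
        print(company, exposure(company, SUPPLIER_GRAPH, BREACHED))
    print("blast radius of CloudHostCo:",
          blast_radius("CloudHostCo", SUPPLIER_GRAPH, COMPANIES))
```

With this data one breached vendor out of five (20%) exposes half the companies, one of them only at the fourth-party tier, and a breach at the shared hosting provider would reach all four companies without any of them listing it as a direct supplier. That is the amplification effect behind the report's "4% of vendors, outsized impact" finding, and the reason a third-party inventory alone understates exposure.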
The risk of supplier breaches is increasingly important to understand and manage in light of the SEC’s new cybersecurity disclosure rules. The regulator treats supplier risk as a potentially “material” business risk and requires listed firms to describe the policies and procedures they use to “oversee, identify and mitigate” third-party cyber-risk.
“Hope and prayer may be useful but are clearly not sustainable strategies,” argued former Fortune 500 CISO and chairman of the SecurityScorecard Cybersecurity Advisory Board, Jim Routh.
“Preventing the surge of supply chain attacks requires systematically applying real-time data triggering automated workflows to manage risk in the digital ecosystem.”