The 2022 Verizon Data Breach Investigations Report (DBIR) is a treasure trove of data, analyzing 23,896 security incidents and 5,212 confirmed breaches from the period between November 1, 2020 and October 31, 2021. Several disturbing trends in that data should prompt security, risk, and vendor management teams to prepare better for future incidents. Here are the key third-party risk management takeaways from the report.
Every organization relies on third parties to some degree, whether vendors providing goods or services to support the business or suppliers producing inputs for final products. The Verizon data shows that partners (third parties, vendors, and suppliers) accounted for 62% of system intrusion incidents in the last year (see Figure 36 from the report). Compare that with 2008, when partners were involved in just 39% of data breaches, and the growth in third-party involvement in security incidents is striking. Every third party you do business with expands your attack surface, and the third parties they rely on in turn expand it further.
Software supply chain attacks (delivered via software updates) are driving much of the growth in partner-led intrusions, accounting for 9% of total incidents in 2021. A single compromised software provider pushing a malicious update to thousands of its customers (each of which may in turn work with thousands of vendors, suppliers and other third parties, the secondary victims) can wreak untold havoc; the SolarWinds compromise is the obvious example.
Although third-party breaches represent just 1% of the breach data, Verizon notes that within that vector, stolen credentials and ransomware were two of the top five action varieties. Third-party risk practitioners should therefore actively confirm that their vendors and suppliers enforce strong password policies and maintain network segmentation, and should be able to validate those controls independently rather than relying on the vendor's own assurances.
(Source: Verizon Data Breach Investigations Report, May 2022)
From an industry perspective, partners represent 1% of threat actors in Manufacturing. While 1% might not seem high, consider the damage caused by a single system intrusion such as the ransomware attack on Toyota supplier Kojima Industries, which forced Toyota to halt production at its domestic plants. Although it falls outside the window of this dataset, that breach is a reminder that one incident can have wide and long-lasting impact. In fact, the Verizon data shows that the Manufacturing industry as a whole is a growing target, with system intrusions rising sharply. See Figure 92 from the report.
(Source: Verizon Data Breach Investigations Report, May 2022)
Continuing the ransomware theme, ransomware breaches increased 13% over 2020, which according to Verizon is a larger year-over-year rise than the previous five years combined. See Figure 38 from the report below.
The increase in incidents and breaches shouldn't come as a surprise; you only have to read the headlines to learn of the latest victim. The last year has featured significant third-party ransomware breaches including PracticeMax, Kaseya, and Colonial Pipeline, carried out by different ransomware operations (REvil in the Kaseya attack, DarkSide at Colonial Pipeline) rather than a single strain.
(Source: Verizon Data Breach Investigations Report, May 2022)
With third-party breaches and ransomware attacks both increasing, organizations that still manage vendor and supplier risk with manual methods should consider the following practices to speed identification, triage and mitigation.
As vendor data breaches and supply chain disruptions continue to make headlines, it’s easy to become overwhelmed by the demands of assessing risk across hundreds (or even thousands) of third parties.
To help your team be more proactive in identifying and mitigating third-party security incidents, Prevalent has developed an incident response checklist based on the NIST Computer Security Incident Handling Guide, SP 800-61. The checklist follows the four foundational phases of the NIST incident response lifecycle (preparation; detection and analysis; containment, eradication and recovery; and post-incident activity) that security teams should build their programs around. Use this checklist, along with the complete NIST guidance, to compare your existing third-party incident response processes against best practices.
Then, request a Prevalent demo for a customized strategy discussion on how to automate your TPRM program from vendor selection to offboarding.