In the past 12 months, 90% of the world's largest energy companies have suffered a third-party breach, according to SecurityScorecard. The trend is particularly alarming given the role the energy sector plays in powering the global economy and sustaining everyday life. That importance makes the sector a prime target for attackers and raises the urgency of strengthening its defenses, especially amid economic and political uncertainty.
The repercussions of cyberattacks on the energy sector extend beyond mere financial losses and disruptions; they also have far-reaching consequences on manufacturing, healthcare, and transportation. The interconnectedness of these industries underscores the need for a robust cybersecurity framework to safeguard against potential cascading effects.
Looking at third-party breaches in the energy industry, the report found that every one of the top 10 US energy companies had suffered a breach originating with an external party. Furthermore, 92% of the evaluated energy companies had been exposed to fourth-party breaches, that is, breaches at the suppliers of their own suppliers. 33% of these energy companies carried a SecurityScorecard Security Rating of C or below, a grade the company associates with a higher likelihood of breach.
In the last 90 days alone, researchers identified 264 breach incidents tied to third-party compromises. Among these, the vulnerability in Progress Software's MOVEit Transfer file-transfer product was the most prevalent third-party vulnerability of the last six months, affecting hundreds of companies worldwide through a single shared product. Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard, emphasized that even two years after the 2021 Colonial Pipeline ransomware incident there is still no common framework for measuring cyber risk, and highlighted the critical need for transparency and information sharing in cybersecurity.
To probe the energy sector's supply chain security, researchers analyzed more than 2,000 third-party vendors that supply it. Only 4% of those vendors had themselves been breached, yet 90% of the evaluated energy companies suffered a third-party breach. The gap between those two numbers is the point: exposure is concentrated in a small set of widely used vendors and products, so a handful of breaches, particularly one in software that many companies share, can cascade into incidents across the whole sector.
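The cascade described above is a property of the dependency graph rather than of any single vendor's security. The following added example (not SecurityScorecard's code or methodology) walks a constructed vendor dependency graph to compute third-party (depth 1), fourth-party (depth 2) and deeper exposure per organization, and the blast radius of each vendor. All organization and vendor names are hypothetical; "FileXfer" stands in for a widely shared file-transfer product of the MOVEit kind.

```python
"""Transitive supply-chain exposure over a vendor dependency graph.

Added example, not SecurityScorecard's methodology or data: it shows how a
small share of breached vendors can expose most of the organizations that
depend on them, directly (third party) or via their suppliers (fourth party
and beyond).
"""
from collections import deque

# Constructed sample graph: each node maps to the suppliers it depends on.
# EnergyCo-* are the assessed organizations; everything else is a vendor.
# "FileXfer" is a hypothetical widely used file-transfer product.
DEPENDENCIES = {
    "EnergyCo-A": {"FileXfer", "ERP-Vendor"},
    "EnergyCo-B": {"SCADA-Integrator", "Billing"},
    "EnergyCo-C": {"ERP-Vendor", "Payroll"},
    "EnergyCo-D": {"SCADA-Integrator"},
    "EnergyCo-E": {"Billing", "Payroll"},
    "SCADA-Integrator": {"FileXfer"},
    "Payroll": {"FileXfer", "CloudHost"},
    "Billing": {"CloudHost"},
    "ERP-Vendor": set(),
    "FileXfer": set(),
    "CloudHost": set(),
}
ORGS = sorted(n for n in DEPENDENCIES if n.startswith("EnergyCo"))
VENDORS = sorted(n for n in DEPENDENCIES if not n.startswith("EnergyCo"))

# Vendors with a known breach (constructed): one of six.
COMPROMISED = {"FileXfer"}


def supplier_depths(graph, org):
    """Breadth-first walk of org's supply chain.

    Returns {supplier: depth}: depth 1 is a third party, depth 2 a fourth
    party, and so on. The visited check also terminates on cyclic graphs.
    """
    depths = {}
    queue = deque([(org, 0)])
    while queue:
        node, depth = queue.popleft()
        for supplier in graph.get(node, ()):
            if supplier not in depths:  # BFS: the first visit is the shallowest
                depths[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return depths


def exposure(graph, org, compromised):
    """{vendor: depth} for every breached vendor anywhere in org's chain."""
    return {v: d for v, d in supplier_depths(graph, org).items() if v in compromised}


def blast_radius(graph, orgs):
    """Number of orgs each vendor sits upstream of, at any depth (concentration risk)."""
    counts = {}
    for org in orgs:
        for vendor in supplier_depths(graph, org):
            counts[vendor] = counts.get(vendor, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def summarize(graph, orgs, vendors, compromised):
    """Percentages of the same kind the report quotes (vendors breached vs. orgs exposed)."""
    exp = {org: exposure(graph, org, compromised) for org in orgs}

    def pct(n, total):
        return round(100 * n / total)

    return {
        "vendors_breached_pct": pct(sum(v in compromised for v in vendors), len(vendors)),
        "orgs_third_party_exposed_pct": pct(sum(1 in e.values() for e in exp.values()), len(orgs)),
        "orgs_fourth_party_or_deeper_pct": pct(
            sum(any(d >= 2 for d in e.values()) for e in exp.values()), len(orgs)
        ),
        "orgs_any_exposure_pct": pct(sum(bool(e) for e in exp.values()), len(orgs)),
    }


if __name__ == "__main__":
    print(summarize(DEPENDENCIES, ORGS, VENDORS, COMPROMISED))
    print(blast_radius(DEPENDENCIES, ORGS))
```

On this constructed graph one breached vendor out of six (17%) leaves every organization exposed: one directly, the other four only through a fourth-party path they would not see in a direct-supplier inventory. The `blast_radius` view is the practical check: a vendor that sits upstream of most of your estate deserves monitoring and contractual terms out of proportion to its invoice size.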
The report also shows how widely organizations underestimate the threat in their third-party ecosystems. Against the backdrop of the new SEC cyber incident disclosure requirements, it is notable that 98% of organizations use at least one third-party vendor that has experienced a breach in the last two years. This underscores the need for a comprehensive approach to managing third-party cyber risk, one that uses resources efficiently, manages risk effectively and builds resilience, all of which feed informed business decision-making.
In conclusion, Jim Routh, Fortune 500 CISO and Senior Advisor and Chairman of the SecurityScorecard Cybersecurity Advisory Board, emphasized that relying on "hope and prayer" is not a sustainable strategy. To counter the surge in supply chain attacks, he advocated the systematic use of real-time data to trigger automated workflows that manage risk across the digital ecosystem. This proactive approach is essential for improving the security posture of the energy sector and limiting the impact of future cyber threats.
Join us on December 14th at 1pm ET, as we cover this topic in more detail in our CPE-accredited webinar: Transforming Third-Party GRC Strategies with Executive Buy-in.