Fraudsters are Turning to Third Party Vendors as New Means of Attack as Firms Improve Cybersecurity


SecurityScorecard, the cybersecurity ratings company, has used what it describes as the world’s largest proprietary risk and threat intelligence dataset to study cybersecurity breaches across the UK’s 100 largest companies by market capitalisation, releasing a comprehensive analysis of the FTSE 100 landscape.

Fraudsters are having to adapt as the primary avenues of attack receive greater protection. Firewalls, stronger passwords and multi-factor authentication are just a few of the ways businesses are protecting their ‘front doors’. However, SecurityScorecard’s research reveals that firms remain susceptible to attacks that come through their third-party vendors’ systems.

In fact, 97 per cent of the UK’s largest firms have had a breach in their third-party ecosystem. German (94 per cent) and Italian (95 per cent) companies have had slightly fewer such breaches, while 98 per cent of French companies have had one.

Adversaries increasingly target smaller vendors to bypass robust and well-funded cybersecurity programmes. Using a supplier as an unwitting Trojan horse is far easier than directly compromising a major company that has a fully staffed Security Operations Centre and several layers of security controls.

Better third-party risk management is needed

The new research highlights the direct connection between a company’s cybersecurity strength and the security measures of its smallest vendors. Globally, companies are increasing oversight of suppliers after major supply-chain cyber attacks have affected thousands of businesses and breached data on millions of customers.

Will Gray, director of Northern Europe for SecurityScorecard said: “Third-party risk management is a key component of any robust cybersecurity program, and the companies represented in this report would benefit by making it a priority. The sectors and organisations in the UK (and in Europe as a whole) need to do more now if they are going to be ready for the implementation of DORA [Digital Operational Resilience Act] by January 2025, as well as the NIS2 directive.

“The rise of data breaches across Europe demonstrates that UK companies still need to make third-party risk management (TPRM) an integral component of not only their security program but of their vendor selection process as well.

“SecurityScorecard can help with this effort by providing ratings to evaluate prospective vendors and monitor existing vendors to hold them accountable.”

Which sectors are standing up against third-party breaches?

Only 12 per cent of companies in the energy sector and 16 per cent in basic materials (mining and raw materials) had third-party breaches, and none of them received a C rating or below. The financial sector is the next strongest in the UK, with only five per cent of its companies receiving a C rating or below. The communications sector had the weakest overall security posture, with 70 per cent rated C or below.

How does the UK compare to its neighbours? 

The research found that UK companies have the strongest overall cybersecurity posture, with 24 per cent rated C or below, compared with 40 per cent in France, 41 per cent in Italy and 34 per cent in Germany. Eighty-five per cent of UK companies holding an A grade were not breached in the last year (underlining the value of an A grade), compared with 87 per cent, 100 per cent and 95 per cent in France, Italy and Germany respectively.

The 25 UK companies with the highest market capitalisation (over $29 billion) have a stronger cybersecurity posture, with 12 per cent rated C or below. Among the 75 firms with lower market capitalisation ($5–28 billion), 28 per cent were rated C or below.

Ninety-seven per cent of UK companies had a breach in their fourth-party ecosystem (a supplier’s supplier), compared with 95 per cent of German companies, 100 per cent of French companies and 97 per cent of Italian companies. A vendor that suffers a compromise of its own third or fourth party can affect a large number of its customers, or even its customers’ customers, in one fell swoop. The vulnerability in the MOVEit Transfer file-transfer software (CVE-2023-34362), exploited in the spring of 2023, is a case in point: organisations are still addressing the repercussions of that breach, with projected costs exceeding $65 billion.

Twelve per cent of UK companies experienced a direct breach in the last year, compared with eight per cent of German companies, seven per cent of French companies and three per cent of Italian companies. All companies should prioritise improving application and network security, as these two areas are fundamental to defending against a wide range of cyber threats. Any company, regardless of size, industry, value or revenue, can be a target for cybercriminals if it lacks strong cyber defences.

A new era of cyber risk management

Just as credit ratings provide a clear and standardised measure of financial credibility, cyber risk ratings can offer a similar benchmark for cybersecurity resilience. The availability of objective data on cybersecurity resilience gives business and government leaders a new language for cyber risk management that permits them to be relentlessly data-driven.
