2024 SecurityScorecard Research: Adversaries Exploit Third-Party Vulnerabilities to Maximize the Stealth, Speed, and Impact of Ransomware Attacks

(Graphic: Business Wire)

SAN FRANCISCO--()--SecurityScorecard today announced findings from its 2024 Redefining Resilience: Concentrated Cyber Risk in a Global Economy Research, with McKinsey & Company as a knowledge partner. The threat research uncovers an extreme concentration of cyber risk in just 15 vendors, posing serious threats to national security and global economies. The research also details a surge in adversaries exploiting third-party vulnerabilities to maximize the stealth, speed, and impact of supply chain cyberattacks.

Dr. Aleksandr Yampolskiy, CEO and Co-Founder, SecurityScorecard, stated: “Much like a precarious house perched on a cliff's edge, the reliance on a handful of vendors shapes the foundation of our global economy. The question to ask is: ‘Have we concentrated a mission-critical service to a single vendor — creating a single point of failure?’”

Third-party vulnerabilities spread like a digital forest fire

Threat researchers used the SecurityScorecard platform to identify the supply chain cyber risk across approximately 12 million organizations. Key findings include:

  • 150 companies account for 90% of the technology products and services across the global attack surface.
  • 41% of those companies had evidence of at least one compromised device in the past year.
  • 11% had evidence of a ransomware infection in the past year.
  • 62% of the global external attack surface is concentrated in the products and services of just 15 companies.
  • The top 15 third parties have below-average cybersecurity risk ratings – indicating a higher likelihood of breach.
  • Ransomware operators C10p, LockBit, and BlackCat systematically target third-party vulnerabilities at scale. Within five minutes of connecting an internet-facing device, state-sponsored threat actors will find it.

The sheer scale of these companies amplifies their risk of compromise, posing significant third-party risks to their extensive customer bases. Defending massive attack surfaces presents a formidable challenge, even for the most robust security teams. While these companies must maintain flawless security at all times, attackers need only exploit a single vulnerability within their expansive attack surface.

Take action to protect against third-party risk

According to McKinsey, companies spend hundreds of thousands of dollars per year managing cyber risk within their vendor, and third-party ecosystem and millions on cyber programs, yet their billion-dollar business is only as good as the cybersecurity of their smallest vendor.

Mitigating supply chain cybersecurity requires four key steps:

  1. Identify single points of failure
  2. Continuously monitor the external attack surface
  3. Automatically detect new vendors
  4. Operationalize vendor cybersecurity management

Charlie Lewis, Partner, McKinsey, added: “The interconnected nature of our digital landscape requires a shift in how companies think about their cyber ecosystem risk — it is no longer just about your resilience, you need to consider the broader system and how to build mutual support with peers, competitors, and your vendors.”

Additional resources

About SecurityScorecard

Will AI save or destroy the planet? Visit Booth #6353 Moscone North at RSA to find out.

Funded by world-class investors, including Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings, response, and resilience, with more than 12 million companies continuously rated.

Founded in 2014 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented security ratings technology is used by over 25,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight.

SecurityScorecard makes the world safer by transforming how companies understand, improve, and communicate cybersecurity risks to their boards, employees, and vendors. SecurityScorecard achieved the Federal Risk and Authorization Management Program (FedRAMP) Ready designation, highlighting the company’s robust security standards to protect customer information, and is listed as a free cyber tool and service by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Every organization has the universal right to its trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.


Ashley Nakano


Ashley Nakano