Date: 2024-06-03

Of the 100 organisations listed on the Financial Times Stock Exchange (FTSE) 100 list of Britain’s most highly capitalised firms, 97 were exposed to a third-party supply chain data breach incident between March 2023 and March 2024, according to data published by SecurityScorecard ahead of the annual Infosec Europe fair.

The findings, which come as supply chain attacks continue to dominate cyber security discussions – particularly in regard to the safety of critical national infrastructure (CNI) – reveal the scale of the problem facing all organisations, not just prominent ones.

SecurityScorecard said the FTSE 100 had done well at protecting their own front doors – only 12% of the listed organisations reported a breach themselves last year – with the result that adversaries must seek other ways to get in, which usually means through the systems of third-party suppliers of technology or other services.

The firm said it wanted to highlight that a company’s cyber security strength is directly linked to the strength of even its smallest supplier, warning that using such firms as an unwitting Trojan Horse was much easier than directly compromising a well-known organisation with multiple layers of controls and a fully-fledged security operations centre (SOC).

“Third-party risk management is a key component of any robust cyber security programme, and the companies represented in this report would benefit by making it a priority,” said Will Gray, SecurityScorecard’s director of Northern Europe.

“The sectors and organisations in the UK, and in Europe as a whole, need to do more now if they are going to be ready for the implementation of DORA [Digital Operational Resilience Act] by January 2025, as well as the NIS2 Directive.

“The rise of data breaches across Europe demonstrates that UK companies still need to make third-party risk management [TPRM] an integral component of not only their security programme but of their vendor selection process as well,” added Gray.