Using its proprietary risk and threat intelligence dataset, which it describes as the world's largest, SecurityScorecard, the cybersecurity analytics company, has investigated cybersecurity breaches at the 100 largest UK companies by market capitalisation and released a comprehensive analysis of the current security posture of the FTSE 100.
As protection along the main attack paths has improved, attackers have had to adapt. Firewalls, strong passwords and multi-factor authentication are some of the ways businesses protect their "front door," but SecurityScorecard's data shows they remain exposed to attacks that arrive through third-party vendor systems.
In fact, 97 percent of large UK companies have experienced a breach at one of the third-party vendors in their ecosystem. Such breaches are slightly less common in Germany (94 percent) and Italy (95 percent), but 98 percent of French companies have experienced one.
Attackers increasingly target smaller vendors to bypass robust, well-funded cybersecurity programs: compromising a supplier and using it as an unwitting Trojan horse is far easier than directly infiltrating a large enterprise with a well-staffed security operations center and multiple layers of security controls.
Better Third-Party Risk Management is Needed
The new research highlights a direct link between the strength of a company's cybersecurity and the security practices of its smallest vendors. Globally, companies are stepping up scrutiny of their suppliers after a major supply chain cyberattack affected thousands of companies and compromised the data of millions of customers.
SecurityScorecard's Director of Northern Europe said: "Third-party risk management is a key element of any strong cybersecurity programme and the companies featured in this report would benefit from prioritising it. Sectors and organisations in the UK (and across Europe) need to do more now to prepare for DORA's implementation." DORA is the EU Digital Operational Resilience Act, which applies from January 2025; the NIS2 Directive is also due to be in force by then.
“The rise in data breaches across Europe shows that UK businesses still need to make third-party risk management (TPRM) an integral part of not only their security program but also their vendor selection process.
“SecurityScorecard assists in this effort by providing a rating to evaluate prospective vendors and by monitoring and holding existing vendors accountable.”
Which sectors are standing up best against third-party breaches?
Just 12% and 16% of companies in the Energy and Basic Materials (mining and raw materials) sectors respectively suffered a third-party breach, and none of these companies received a grade below a C. Financial Services is the second strongest sector in the UK, with just 5% of companies graded below a C. Telecommunications had the poorest overall security posture, with 70% of companies graded below a C.
How does the UK compare to its neighbours?
The survey found that UK companies have the strongest overall cybersecurity posture of the four countries, with 24% rated a C or below, compared with 40% of French, 41% of Italian and 34% of German companies. 85% of A-grade UK companies have not been breached in the past year, compared with 87%, 100% and 95% of A-grade companies in France, Italy and Germany respectively, underlining the value of an A grade.
The 25 UK companies with the highest market capitalisation (over $29 billion) have stronger cybersecurity postures, with 12 percent rated a C or below. Among the 75 companies with lower market capitalisation ($5 billion to $28 billion), 28 percent are rated a C or below.
Looking one step further down the supply chain, at fourth parties (the vendors of a company's vendors), 95% of German companies, 100% of French companies and 97% of Italian companies have experienced a breach in their fourth-party ecosystem. When a vendor suffers a third-party or fourth-party breach, it can affect many of its customers, and even its customers' customers, all at once. The MOVEit vulnerability, discovered in the spring of 2023, is a case in point: organizations are still dealing with the impact of that breach, with estimated costs exceeding $65 billion.
12% of UK companies experienced a direct breach in the past year, compared with 8% in Germany, 7% in France and 3% in Italy. All companies should prioritize improving their application and network security, since these two areas are fundamental to defending against a wide range of cyber threats. Regardless of size, industry, value or revenue, any company without a strong cyber defense can become a target for cybercriminals.
A new era of cyber risk management
Just as credit ratings provide a clear, standardized measure of financial reliability, cyber risk ratings can provide a similar benchmark for cybersecurity resilience. The availability of objective data on cybersecurity resilience gives business and government leaders a new language for cyber risk management, one that can become radically data-driven.