Third Party Breach Report Commentary from Jeffrey Wheatman
Black Kite just released its 4th annual third-party breach report. It is filled with great data and insight. You can download the report HERE. Here are my random thoughts and reflections on the report.
The level of breach impact and destruction almost doubled in 2022, with 4.73 affected companies per vendor (not including said vendor) compared to 2.46 companies per vendor in 2021.
It’s interesting that the number of third parties being used to wage attacks has gone down, but the number of companies attacked from those third parties has risen. It’s almost as if the bad actors are trying to get ‘better.’ As defenders, we can’t rest on our laurels* when the attackers are always pushing the envelope.
The healthcare industry, consistent with last year, was the most common victim in third party breaches, accounting for 34.9% of incidents in 2022.
Healthcare is still a problem. They are the most attacked, and their vendors have represented the most breached third parties. My experience has been (it is changing but very slowly) that Cybersecurity in healthcare = HIPAA. Maybe that needs to change … or not. I mean, it’s not like healthcare has any data to steal. Healthcare providers need to do better, and they need to demand more of their vendors and partners.
Unauthorized network access emerged as the most common root cause of third-party attacks, initiating 40% of the third-party breaches analyzed. The method of unauthorized network access is usually not disclosed or discovered.
In other words, with a lot of attacks the actual method of access is unclear, so these attacks get lumped into one kind of miscellaneous category. What I take from that is two things are like the cause – 1) attacks are multistage so we aren’t always (or often) able to track the attack back to the beginning, 2) organizations are woefully behind in detection and response. IMNSHO, we can’t solve the former, but we can do better on the latter.
Nearly half (44%) of attacked vendors improved their cyber rating after the incident.
Vendors that improved their cyber rating by more than 4 points in 2022 were mostly healthcare vendors (60%), followed by financial services vendors (25%).
Yay, organizations are listening. They are paying heed to the risks and more importantly, they are doing something about it. Keep working folks. We need to always be moving forward, or we are going backwards. Be mindful that we need to use risk appetite as a backdrop for improvement. While we can keep getting better, at some point we reach diminishing returns.
The average time between an attack and the disclosure date was 108 days, an increase from 2021 by 50%.
27% of the analyzed attacks began in 2021; the connected breaches and disclosures lapsed into 2022.
This is scary. The fact that dwell time (time between an attack and discovery of the attack) is rising after years of falling is problematic. The longer the attackers are in, the more damage they can do. This increase in dwell time is reflected in the fact that lots of attacks started in 2021 and kept on going into 2022. While it is true that attackers aren’t going to shut down their attack because the ball dropped in Times Square, we need to get better at identifying breaches sooner and shutting the door on the attackers ASAP.
What are your thoughts and musings on the report? Connect to me on LinkedIn and ping me your thoughts and questions. I’ll do a follow-up in a few weeks with the input I receive. (Maybe even a shoutout on my new podcast!)
Stay safe, stay secure, stay healthy.
*This expression comes from ancient Greece/Rome where winners of athletic competitions were awarded a crown of laurel wreaths to wear. Once they won, they didn’t feel the need to try anymore. Hence resting on laurels means ‘why try to get better when we’ve already won.’