Supply Chain Breaches Up 68% From Last Year

If you have been reading this blog, then any conversation about supply chain risk is not news to you.

Verizon, which publishes the well-respected annual Data Breach Investigations Report, says that supply chain breaches are up 68 percent from 2022. The number is still suspiciously low to me, however.

Most people think of Verizon as the phone company, but they have a very large cybersecurity practice and include a large percentage of the Fortune 500 among their cybersecurity customers.

This year they slightly modified their definition of a supply chain breach.

It used to include:

  • Compromises through vendors (like the Target breach a decade ago)
  • Breaches from data custodians (like last year’s MOVEit breach)
  • Breaches due to software updates (like SolarWinds)

This year they added a new category:

  • Vulnerabilities in third party software

Verizon says that 15 percent of all breaches in 2023 involved a third party, up from 9 percent in 2022. Accurate data is hard to gather, but I think the numbers are significantly low.

It makes sense to include vulnerabilities in third party software because many companies are not great at disclosing them quickly and some are even worse about patching them. Some even argue with the researchers who report the vulnerabilities.

Verizon says that businesses should start looking at ways to make better choices when selecting vendors so that they don’t reward vendors who do a poor job in this area.

If you are concerned about third party risk or you don’t think you have a good handle on managing it, please contact us.

Credit: Dark Reading
