97% of UK FTSE 100 firms hit by third-party cyber breaches
SecurityScorecard has unveiled a recent report detailing the cybersecurity posture of the United Kingdom's FTSE 100 companies. The report, compiled using the world's largest proprietary risk and threat intelligence dataset, highlights the prevalence of security breaches in third-party vendor ecosystems. According to the findings, a striking 97% of the UK's top 100 companies by market capitalisation experienced breaches through their third-party ecosystems in the past year.
Sophisticated adversaries have increasingly exploited vendor systems to bypass robust cybersecurity measures. Companies, having fortified their primary systems with firewalls, stronger passwords, and multi-factor authentication, now find their cyber defences indirectly compromised via their suppliers. The report stresses the critical need for companies to ensure their entire supply chain adheres to rigorous cybersecurity standards.
The comparative analysis within the report shows that UK companies are slightly better off than their European counterparts. While 97% of UK companies experienced breaches in their third-party ecosystems, Germany reported breaches in 94% of its companies, France in 98%, and Italy in 95%. Additionally, the UK's cybersecurity ratings were the strongest among these nations, with 24% of its companies scoring a C grade or lower, compared to 40%, 41%, and 34% for France, Italy, and Germany, respectively.
The study also pinpointed sectors within the UK with varying degrees of cybersecurity resilience. The Energy and Basic Materials sectors were identified as having the strongest security postures, with only 12% and 16% of these companies experiencing third-party breaches, respectively. No company within these sectors received a C grade or lower. In contrast, the Communications sector had the weakest cybersecurity stance, with 70% of companies scoring C or below. The Financial sector showed strong resilience, with merely 5% of its companies scoring C or less.
Market capitalisation appeared to correlate with cybersecurity strength. Among the 25 highest-valued UK companies, only 12% scored a C grade or lower. This is in stark contrast to the companies with lower market valuations, where 28% scored C or below.
The frequency of fourth-party breaches—where a company's vendor is compromised—was also significant, matching the 97% breach rate seen in third-party ecosystems. By comparison, German companies reported a rate of 95%, French companies 100%, and Italian companies 97%. The lingering effects of high-profile exploits, such as the MOVEit breach identified in the spring of 2023, underscore the ongoing vulnerabilities within these extended networks.
Despite robust fortifications, 12% of the UK's top 100 companies experienced direct breaches in the past year, a figure higher than Germany's 8%, France's 7%, and Italy's 3%. This indicates a pressing need for improved application and network security to defend against an ever-evolving array of cyber threats.
Will Gray, Director of Northern Europe for SecurityScorecard, emphasised the importance of third-party risk management (TPRM) as a cornerstone of robust cybersecurity programmes. Gray noted that sectors and organisations across Europe must elevate their TPRM efforts to comply with the forthcoming Digital Operational Resilience Act (DORA) set to be implemented in January 2025, alongside the NIS2 directive.
The findings underscore the value of cyber risk ratings for providing a clear, standardised measure of cybersecurity resilience, akin to financial credit ratings. Companies and governmental bodies can leverage this data-driven approach to benchmark and bolster their cybersecurity frameworks.
The report's methodology involved real-time risk assessment, with SecurityScorecard utilising non-intrusive data collection to evaluate the cybersecurity performance of companies worldwide. The ratings, spanning from A to F, were derived from ten predictive factors, displaying a direct correlation between low ratings and higher likelihoods of data breaches.