97 FTSE 100 firms exposed to supply chain breaches
"Risk To UK's FTSE 100 Companies From Supply Chain Breaches"
Blog post date: June 3rd, 2024 at 5:25 PM.
SecurityScorecard's data shows that 97 of the 100 companies on the FTSE 100, the index of Britain's most highly capitalised firms, were affected by a data breach at a third-party supplier between March 2023 and March 2024. The figures were released ahead of the annual Infosec Europe fair.
The results arrive at a time when supply chain breaches are a major topic in cyber security discussions, especially where the protection of critical national infrastructure is concerned. They demonstrate the scale of the problem confronting all corporations, not just the well-known ones.
SecurityScorecard's report notes that the FTSE 100 have effectively secured their own front doors: only 12% of the listed firms reported a breach of their own systems in the previous year. The report's conclusion is that attackers have therefore shifted their focus to gaining access through the systems of third-party suppliers of technology and other services.
The company said it wanted to emphasise that a company's cyber security is only as strong as that of its smallest supplier. It cautioned that compromising such a supplier and using it as a route in is easier than attacking a well-known organisation that has advanced security controls and a fully staffed security operations centre.
"Making third-party risk management a priority is paramount for any strong cyber security program, and the organizations featured in this report would reap the rewards," stated Will Gray, who serves as SecurityScorecard's Northern Europe Director.
UK and European organisations must act promptly to prepare for the Digital Operational Resilience Act (DORA), which applies from 17 January 2025, and the NIS2 Directive, which EU member states were due to transpose into national law by October 2024. Neither is UK law, but a UK firm that supplies ICT services to EU financial entities, or that provides in-scope services in the EU, can be pulled into their requirements through its customers. Those organisations need to put in the work now to meet the obligations these regimes impose, including on how they oversee their suppliers.
Gray stressed that UK companies should build third-party risk management (TPRM) into both their security programme and their vendor selection process, pointing to the rise in data breaches across Europe as the reason.
The UK's leading companies have stronger cyber security than their counterparts in continental Europe. According to SecurityScorecard's assessment, 76% of the UK's top companies achieved an A, B, or C rating, compared with only 60% in France, 59% in Italy, and 66% in Germany. Moreover, 85% of the UK companies with an A rating suffered no security breach in the past year, despite the exposure to supply chain attacks.
There is good news for those worried about Critical National Infrastructure (CNI): energy and basic materials (which includes mining and raw materials) were the most secure sectors in the United Kingdom last year. Only 12% and 16% of organisations in those sectors, respectively, experienced a breach via a third party, and none received a C grade or lower. Financial services also fared well, with only 5% receiving a C grade or lower. The communications sector, however, has much room for improvement: 70% of its organisations received a C grade or lower.
The largest and best-resourced companies are also the ones that can afford to invest in strong security. Of the 25 British organisations worth more than $29bn, only 12% received a C grade or lower; for the remaining 75 companies that share rose to 28%.