Cybersecurity

Just 150 companies have 90% of global attack surface, report finds

Risk concentration has major ramifications for software supply-chain security.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The internet may be vast beyond conception—but attackers looking for juicy targets within that unending sea of data may find them concentrated in a relative handful of companies.

According to a recent report by supply-chain security firm SecurityScorecard, scans of internet-accessible devices show 90% of the global external attack surface is concentrated in products and services from just 150 firms. Just 15 companies accounted for a full 62%.

What’s more, around 41% of those firms had evidence of at least one compromised device within the last year.

“What we see is some of the company mergers and consolidation of cloud technologies are obviously providing an opportunity for threat actors,” Ryan Sherstobitoff, SecurityScorecard’s SVP of threat research and intelligence, told IT Brew.

SecurityScorecard used automated vendor detection tools to scan around 12 million public and private organizations in an attempt to identify their supply chains and associated risks. The 150 organizations in question are disproportionately large and pose an outsized risk of breaches spreading to third parties and beyond, creating “a single point of failure,” Sherstobitoff said.

While the report didn’t identify the 150 companies in question, Sherstobitoff said they range from software providers and cloud service apps to telco providers and manufacturers of supervisory control and data acquisition (SCADA) and industrial control systems (ICS) devices.

“What we mean by concentrated risk is that you have a dependency on third-party technology that bad guys are systematically targeting over time,” he added.

Single points of failure in digital supply chains are, for example, a major concern for cyber insurance companies.

Last year, the International Underwriting Association issued a report warning that supply-chain risks hadn’t received adequate attention relative to other risks like war, pointing out that supply-chain attacks can quickly affect wide swathes of organizations adjacent to the original targets via breaches or outages. Faced with the prospect of huge payouts, some cyber insurers have begun requiring that clients work with approved vendors to minimize risk.

Other research has indicated many firms are unaware of the totality of their IT and digital assets, leaving them with insufficient visibility into potential attack vectors. (Previous SecurityScorecard research found 98% of organizations have vendor relationships with at least one firm that had suffered a breach in the two years leading up to the survey.)

According to Sherstobitoff, having vendor risk management programs is one way organizations can manage this kind of risk.

“If you don’t know who your [third-party vendors] are, then that’s a big no-no. Because then you never know if any of those third parties got compromised—if your data is actually being exposed,” Sherstobitoff said.

Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
