{"id":14756,"date":"2025-09-09T07:39:00","date_gmt":"2025-09-09T07:39:00","guid":{"rendered":"https:\/\/newestek.com\/?p=14756"},"modified":"2025-09-09T07:39:00","modified_gmt":"2025-09-09T07:39:00","slug":"71-of-cisos-hit-with-third-party-security-incident-this-year","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14756","title":{"rendered":"71% of CISOs hit with third-party security incident this year"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Many enterprises are at growing risk due to immature supply chain cybersecurity practices and outdated strategies.<\/p>\n<p>The majority (71%) of organizations experienced at least one material third-party cybersecurity incident in the past year, and 5% reported 10 or more such incidents, according to a <a href=\"https:\/\/securityscorecard.com\/ja\/company\/press\/securityscorecard-report-reveals-5-in-6-organizations-at-risk-due-to-immature-supply-chain-security\/\">recent survey of 546 IT directors and CISOs by cybersecurity ratings vendor SecurityScorecard<\/a>.<\/p>\n<p>Third-party involvement in breaches has doubled in recent years, surging from 15% to nearly 30%, according to supporting data from the <a href=\"https:\/\/www.csoonline.com\/article\/3970094\/cybercriminals-switch-up-their-top-initial-access-vectors-of-choice.html\">2025 Verizon Data Breach Investigations Report<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"sprawling-ecosystem-increases-supply-chain-risks\">Sprawling ecosystem increases supply chain risks<\/h2>\n<p>Enterprises depend on vast networks of suppliers, partners, and digital service providers to deliver their products and services. 
This sprawling ecosystem greatly increases the attack surface that cybercriminals, ransomware peddlers, and nation-state attackers can exploit.<\/p>\n<p>\u201cAttackers rarely go straight through the front door anymore,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/mourtzinosvasileios\/?originalSubdomain=ca\">Vasileios Mourtzinos<\/a>, threat intelligence analyst at cybersecurity consultancy firm Quorum Cyber. \u201cThey target the suppliers, SaaS platforms, and service providers we all depend on.\u201d<\/p>\n<p>Recent attacks involving <a href=\"https:\/\/www.csoonline.com\/article\/4046407\/attackers-steal-data-from-salesforce-instances-via-compromised-ai-live-chat-tool.html\">Salesforce<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4042191\/shinyhunters-strike-again-workday-breach-tied-to-salesforce-targeted-social-engineering-wave.html\">Workday<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/4041372\/uks-colt-hit-by-cyberattack-support-systems-offline-amid-ransom-threat.html\">Colt Technology<\/a> show how a \u201csingle weak link in the supply chain can cause a ripple effect of damage,\u201d Mourtzinos adds.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/gregoryasullivan\/\">Greg Sullivan<\/a>, founding partner at cybersecurity services firm CIOSO Global and former CIO at Carnival, says, \u201cOrganizations often enable online access to third parties without applying the same scrutiny they use with their own internal software and applications. 
This negligence creates blind spots that adversaries often exploit.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/arielparnes\/\">Ariel Parnes<\/a>, a former colonel in Israel\u2019s IDF Unit 8200 and co-founder of incident response vendor Mitiga, agrees that SaaS platforms represent a \u201cthird-party dependency and a direct supply chain risk.\u201d<\/p>\n<p>\u201cRecent campaigns against Salesforce customers, and the <a href=\"https:\/\/www.carriermanagement.com\/news\/2025\/08\/25\/278778.htm\">breach at Farmers Insurance<\/a>, show how these attacks cascade across industries,\u201d Parnes says. \u201cNow, threat groups like Murky Panda are skipping the front door and exploiting trusted cloud and SaaS relationships instead.\u201d<\/p>\n<p>Parnes adds: \u201cBy abusing OAuth, stolen credentials, or over-permissioned integrations, they \u2018log in\u2019 rather than break in, bypassing traditional defenses. By compromising these upstream entities, they were able to inherit the trust and permissions that downstream organizations had already granted.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"software-supply-chain-threats\">Software supply chain threats<\/h2>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/570743\/6-most-common-types-of-software-supply-chain-attacks-explained.html\">software supply chain<\/a> is heavily reliant on code developed by third-party developers \u2014 something only <a href=\"https:\/\/www.csoonline.com\/article\/4015077\/ai-supply-chain-threats-are-looming-as-security-practices-lag.html\">likely to increase with the advent of AI<\/a>.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/brianefox\/\">Brian Fox<\/a>, co-founder and CTO of open-source software security vendor Sonatype, says that \u201cenormously complex\u201d software supply chains pose a growing threat.<\/p>\n<p>\u201cToo many organizations have no idea what open-source packages, transitive dependencies, AI models, or community-maintained 
libraries they rely on \u2014 let alone who maintains them or whether they\u2019re secure,\u201d Fox tells CSO. \u201cThere\u2019s a persistent and growing trend in software supply chain attacks targeting developers and CI\/CD environments.\u201d<\/p>\n<p>Attackers are planting malicious code in public package registries such as npm and PyPI \u2014 often disguised as useful packages \u2014 as a means to compromise systems, steal data, or gain backdoor access during development or deployment.<\/p>\n<p>\u201cAttackers are refining <a href=\"https:\/\/www.sonatype.com\/press-releases\/q2-2025-open-source-malware-index\">data exfiltration-focused malware<\/a> to harvest secrets and credentials, enabling downstream attacks like supply chain breaches or cloud account takeovers,\u201d Fox warns.<\/p>\n<p>Lack of visibility is compounding a growing problem, according to <a href=\"https:\/\/www.linkedin.com\/in\/nickojones\/?originalSubdomain=uk\">Nick Jones<\/a>, head of research at cybersecurity consulting firm Reversec.<\/p>\n<p>\u201cAttackers compromise open-source projects supported by underpaid and under-resourced individuals, or startups where security isn\u2019t a priority, in order to insert malicious code into packages used downstream by much higher value targets,\u201d Jones says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"lessons-not-taken-from-the-solarwinds-breach\">Lessons not taken from the SolarWinds breach<\/h2>\n<p>Software supply chain weaknesses were exploited in the high-profile <a href=\"https:\/\/www.csoonline.com\/article\/570191\/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html\">2020 SolarWinds hack<\/a>, but five years later the same issue plagues the industry.<\/p>\n<p>Once a software development pipeline itself is compromised, every customer downstream inherits that risk.<\/p>\n<p>The best defense is to get a clear picture of your entire software supply chain \u2014 its assets, tools, pathways, and controls \u2014 
and then work to ensure the proper guardrails are in place, according to Joe Nicastro, field CTO at application security firm Legit Security.<\/p>\n<p>\u201cWe still see build pipelines misconfigured, third-party code and packages flowing in without checks, and SBOMs treated as one-off documents instead of living inventories,\u201d Nicastro tells CSO.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/573185\/what-is-an-sbom-software-bill-of-materials-explained.html\">Software bills of materials (SBOMs)<\/a> allow an organization to understand what it\u2019s really running under the hood, down to the individual libraries and packages.<\/p>\n<p>\u201c[SBOMs are] being pushed by numerous industry organizations, including CISA, and are a requirement under the EU Cybersecurity Resilience Act (<a href=\"https:\/\/www.european-cyber-resilience-act.com\/\">CRA<\/a>), but every software vendor has to produce their own SBOMs for their products, and so industrywide adoption has been slow so far,\u201d Reversec\u2019s Jones says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"lack-of-visibility\">Lack of visibility<\/h2>\n<p>Few organizations have comprehensive visibility into their entire supply chain, much less the ability to monitor the cyber hygiene of every supplier and their downstream partners.<\/p>\n<p>SecurityScorecard found that only 21% of those surveyed were able to say at least half of their extended supply chain was covered by cybersecurity programs. 
Only a quarter (26%) of organizations incorporate incident response into their supply chain cybersecurity programs.<\/p>\n<p>\u201cBreaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action,\u201d says <a href=\"https:\/\/securityscorecard.com\/people\/leadership\/ryan-sherstobitoff\/\">Ryan Sherstobitoff<\/a>, field chief threat intelligence officer at SecurityScorecard.<\/p>\n<h2 class=\"wp-block-heading\" id=\"countermeasures\">Countermeasures<\/h2>\n<p>\u201cVendor diligence must go <a href=\"https:\/\/www.csoonline.com\/article\/4002765\/third-party-risk-management-is-broken-but-not-beyond-repair.html\">beyond questionnaires<\/a>,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/scott-weinberg-49414\/\">Scott Weinberg<\/a>, founder and CEO of managed IT services provider Neovera. \u201cBusiness associate agreements need more diligence. CISOs should require evidence of controls (MFA, logging, EDR), audit rights, and proof of breach notification timelines.\u201d<\/p>\n<p>Legit Security\u2019s Nicastro adds: \u201cTo address this issue, organizations must impose clear cybersecurity maturity expectations on all partners, including mandating penetration tests, annual assessments, phishing simulations, tabletops, and resilience exercises.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Many enterprises are at growing risk due to immature supply chain cybersecurity practices and outdated strategies. The majority (71%) of organizations experienced at least one material third-party cybersecurity incident in the past year, and 5% reported 10 or more such incidents, according to a recent survey of 546 IT directors and CISOs by cybersecurity ratings vendor SecurityScorecard. 
Third-party involvement in breaches has doubled in recent&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14756","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14756"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14756\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}