FTSE 100 Cyber Threats: Understanding Supply Chain Vulnerabilities
SecurityScorecard has unveiled a comprehensive analysis of the FTSE 100’s cybersecurity landscape.
Using the world’s largest proprietary risk and threat intelligence dataset, the study reveals that 97% of the UK’s largest companies experienced breaches in their third-party ecosystems. Despite strong front-line defenses, adversaries target smaller vendors, emphasizing the importance of robust third-party risk management.
The UK leads in overall cybersecurity compared to its European counterparts, but ongoing vigilance and improvement in application and network security are crucial.
Many companies have increased the cyber protection of their “front doors” through measures such as firewalls, stronger passwords, and multi-factor authentication. As a result, adversaries seek other ways to get in. Often, that means coming in through third-party vendors’ systems.
The new research spotlights why a company’s cybersecurity strength is directly linked to the security measures of even its smallest vendor. Globally, companies are increasing oversight of suppliers after major supply-chain cyber attacks have affected thousands of businesses and breached data on millions of customers.
Key findings
97% of the UK’s largest companies had a breach in their third-party ecosystem. This is in comparison to 94% of German companies; 98% of French companies; and 95% of Italian companies.
Adversaries are increasingly incentivized to target smaller vendors to bypass robust and well-funded cybersecurity programs. Using an organization as an unwitting Trojan Horse is far easier than directly compromising a major company with a fully staffed Security Operations Center and several layers of security controls.
The Energy and Basic Materials sectors (mining and raw materials) have the strongest security posture in the UK. Only 12% and 16% respectively of the companies in these sectors had third-party breaches, and none of them received a C rating or below.
Meanwhile, the Financial sector is the second strongest in the UK, with only 5% of companies receiving a C rating or below. The Communications sector had the lowest overall security posture, with 70% having a C rating or below.
The UK has the strongest average cybersecurity rating compared to its neighbours. The data shows that companies in the UK have the strongest overall cybersecurity (24% with a C or below) compared to their French, Italian, and German counterparts, with 40%, 41%, and 34% having a C or below, respectively.
85% of UK companies with an A grade have not been breached in the last year (demonstrating the importance of having an A grade), compared to 87%, 100% and 95% in France, Italy and Germany respectively.
Similarly, UK companies with a higher market capitalisation have stronger cybersecurity. The 25 companies in the UK with the highest market capitalization (over 29 Billion USD) have a stronger cybersecurity posture (12% with a C rating or below) than the 75 companies with lower market capitalization (5 Billion – 28 Billion USD), which had an average of 28% with a C rating or below.
Nevertheless, 97% of the data sample had a breach in their fourth-party ecosystem. This compares to 95% of German companies; 100% of French companies; and 97% of Italian companies. A vendor experiencing a third- or fourth-party compromise could affect a large number of its customers, or even customers of its customers, in one fell swoop.
The MOVEit exploit was discovered in the spring of 2023, and organizations are still dealing with the fallout of the breach, which is projected to cost at least $65B USD.
In addition, 12% experienced a direct breach in the last year, compared to 8% of German companies; 7% of French companies; and 3% of Italian companies.
All companies should prioritise improving application and network security. These two aspects are fundamental to safeguarding against a wide range of cyber threats. Any company—regardless of size, industry, value, or revenue—can be a target for cybercriminals if it doesn’t have strong cyber defences.
Enhancing cyber resilience in FTSE 100 companies
Just as credit ratings provide a clear and standardised measure of financial credibility, cyber risk ratings can offer a similar benchmark for cybersecurity resilience.
The availability of objective data on cybersecurity resilience gives business and government leaders a new language for cyber risk management that permits them to be relentlessly data-driven.
“Third-party risk management is a key component of any robust cybersecurity program, and the companies represented in this report would benefit by making it a priority. The sectors and organisations in the UK (and in Europe as a whole) need to do more now if they are going to be ready for the implementation of DORA [Digital Operational Resilience Act] by January 2025, as well as the NIS2 directive,” says Will Gray, Director of Northern Europe for SecurityScorecard.
“The rise of data breaches across Europe demonstrates that UK companies still need to make third-party risk management (TPRM) an integral component of not only their security program but of their vendor selection process as well.”
Download the 2024 UK’s Cybersecurity Threat Report here.