2024 Verizon Data Breach Investigations Report: Third-Party Risk & CipherInsights

Outsourcing services to a third-party provider is a common business practice. But the use of third-party services can come with significant, often unforeseen, risks. Third parties can be a pathway for breaches, expose the company to financial and regulatory issues, and hurt the company’s reputation and bottom-line if a service malfunctions.

According to Deloitte Global, one in two companies believe a third-party risk incident – such as a supply chain failure, data privacy breach, or disruption to IT services – would cost them between US $0.5 billion and $1 billion, or more.

The need to manage supply chain and third-party risk has become so prominent that the annual Verizon Data Breach Investigations Report (DBIR) added a new metric to its 2024 edition: supply chain interconnection, which covers breaches through third-party partners as well as exploitation of vulnerabilities in third-party software.

The 2024 DBIR shows that vulnerability exploitation accounted for roughly 90% of supply chain interconnection breaches, and that such breaches made up 15% of all breaches in this year's report, a 68% jump compared with last year. These findings highlight the need for organizations to examine the security track record of potential partners and software suppliers when deciding which vendors to work with.

At Quantum Xchange we’re focused on managing cyber risk as it relates to cryptography. Our own research findings show that cryptography in the enterprise is taken for granted – rarely evaluated or checked. It’s riddled with single points of failure – old and outdated protocols in use, weak entropy sources, software bugs, unencrypted data, expired certificates, etc.

When it comes to cryptographic discovery and risk assessment there are three types of solutions: sensor-based tools, scanners and agents. Our sensor-based discovery and passive network monitoring tool, CipherInsights, plugs into a TAP or SPAN port with no impact on traffic flow. It differs from other solutions in that it analyzes all traffic crossing the monitored link – including outbound traffic destined for an external host. Because it is not limited to analyzing endpoints on the LAN, CipherInsights can analyze traffic for cryptographic risks between the enterprise and third parties.

This level of visibility and on-the-wire analysis lets users of CipherInsights see how encryption is actually working vs. how it was designed to work. Because CipherInsights sees the connections, it can also map the relationships – which entities are communicating and how much data is affected.
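As an added illustration of the kind of on-the-wire check a passive sensor performs, here is a small Python parser that inspects a TLS ServerHello (the handshake message in which the server commits to a protocol version and cipher suite) and flags deprecated versions and weak suites. This is example code written for this page, not CipherInsights' own implementation. The three handshake records are constructed inline rather than captured from a network, the cipher-suite subset and the "weak suite" policy are the example's own choices, and the function names (parse_server_hello, build_server_hello, assess) are hypothetical. The supported_versions handling shows one concrete case of "as designed vs. as actually negotiated": a TLS 1.3 server still writes 0x0303 (TLS 1.2) in its version field, so a parser that trusts that field alone misreports the connection.

```python
"""Passive inspection of a TLS ServerHello. Added example for this page, not CipherInsights
code; the sample records are constructed here, not captured from a network."""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY_VERSIONS = {0x0300, 0x0301, 0x0302}          # deprecated by RFC 7568 / RFC 8996

# Small subset of the IANA cipher suite registry, enough for the samples here.
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
# Example policy (an assumption of this example): static RSA key exchange, which has
# no forward secrecy, or 3DES counts as weak.
WEAK_SUITES = {0x000A, 0x002F}

HANDSHAKE, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 0x16, 0x02, 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and suite from one TLS record carrying a ServerHello.
    Raises ValueError for anything that is not a well-formed ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != SERVER_HELLO:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("ServerHello too short")
    (legacy_version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                                     # skip the 32-byte server random
    pos += 1 + hello[pos]                            # skip length-prefixed session id
    if pos + 3 > len(hello):
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + 1                                     # cipher suite, compression method
    version = legacy_version
    if pos + 2 <= len(hello):                        # optional extensions block
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext_body = hello[pos + 4:pos + 4 + ext_body_len]
            # TLS 1.3 keeps legacy_version = 0x0303 and signals the real version here.
            if ext_type == EXT_SUPPORTED_VERSIONS and len(ext_body) == 2:
                (version,) = struct.unpack("!H", ext_body)
            pos += 4 + ext_body_len
    return {
        "version": TLS_VERSIONS.get(version, hex(version)),
        "cipher_suite": CIPHER_SUITES.get(suite, hex(suite)),
        "legacy_protocol": version in LEGACY_VERSIONS,
        "weak_suite": suite in WEAK_SUITES,
    }


def build_server_hello(legacy_version: int, suite: int, extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (test data for this example only)."""
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, random, empty sid
    hello += struct.pack("!HB", suite, 0)                              # suite, null compression
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!HH", legacy_version, len(handshake)) + handshake


# Constructed "captures" from three hypothetical partners: one still on TLS 1.0 with
# RSA/3DES, one on TLS 1.2 with ECDHE/AES-GCM, one on TLS 1.3 (via supported_versions).
SAMPLE_RECORDS = {
    "legacy-partner": build_server_hello(0x0301, 0x000A),
    "tls12-partner": build_server_hello(0x0303, 0xC02F),
    "tls13-partner": build_server_hello(
        0x0303, 0x1301, struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)),
}


def assess(records: dict) -> dict:
    """Parse every record and return the per-peer findings."""
    return {peer: parse_server_hello(rec) for peer, rec in records.items()}


if __name__ == "__main__":
    for peer, f in assess(SAMPLE_RECORDS).items():
        flags = [k for k in ("legacy_protocol", "weak_suite") if f[k]]
        print(f"{peer}: {f['version']} {f['cipher_suite']} {flags or 'ok'}")
```

Run as a script, the example reports the first partner on TLS 1.0 with a static-RSA/3DES suite (both flags raised), the second on TLS 1.2 with ECDHE/AES-GCM, and the third on TLS 1.3. A real sensor would feed reassembled handshake records from the tapped link into a parser like this and attach the peer addresses and byte counts, but the classification step is the same: read what the server actually negotiated, not what its documentation says it supports.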

With the average enterprise using more than 200 SaaS offerings, organizations are exposed to considerable risk that goes undetected by point-and-scan solutions, which cannot alert on illicit encryption between endpoints or on the encryption actually used by supply chain partners and cloud providers. CipherInsights can.

If you’re working with SaaS partners that say they have implemented strong encryption, CipherInsights provides the peace of mind that comes with knowing what is actually negotiated on the connections it observes, without having to access their systems directly. Contact Quantum Xchange to learn more.
