Nine in ten energy firms suffered supplier data breach

With hundreds of organizations hit by the high-profile cyberattack earlier in 2023, it comes as little surprise that the energy sector – often a target of choice for ransomware gangs – is reeling.

However, the extent to which companies in the sector have been affected can still be described as startling – every single one of the top ten energy firms in the US was hit in the past 12 months, according to SecurityScorecard, though it stopped short of naming any.

In the past three months alone, the cybersecurity analyst tracked 264 data breaches related to third-party suppliers. But curiously enough, direct attacks on such suppliers themselves remain very low – SecurityScorecard’s analysis of 2,000 third-party organizations found that just one in 25 had suffered a breach.

This would appear to bear out the working theory that ransomware actors tend to go after third-party suppliers as a bridge to the larger organizations they serve, rather than seeing them as an end target in themselves.

Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, says the findings point to a deplorable state of affairs both globally and nationally when it comes to cybersecurity.

“More than two years after the major US pipeline ransomware incident, the world still lacks a common framework for measuring cyber risk,” he said. “Transparency and information sharing about cybersecurity is critical for national security.”

Jim Routh, a SecurityScorecard board member, said organization bosses needed to quit the magical thinking and replace it with cold, hard cybersecurity practices.

“Hope and prayer may be useful but are clearly not sustainable strategies,” he said. “Preventing the surge of supply-chain attacks requires systematically applying real-time data triggering automated workflow to manage risk in the digital ecosystem.”