- SecurityScorecard report finds most EU firms experienced a third-party data breach in 2024
- Scandinavian countries fared best, French fared worst
- Businesses should prioritize third-party risk next year, researchers warn
Third-party data breaches have emerged as one of the biggest threats to cybersecurity for organizations in the European Union, new research has claimed.
A SecurityScorecard report took Europe’s top 100 companies and analyzed factors such as network security, malware infections, endpoint security, patching cadence, application security, and DNS health.
It found virtually all European companies (98%) had experienced a third-party breach in the last year, meaning that practically every organization has had a partner company that was exposed. Although SecurityScorecard did not discuss it, it’s safe to assume that at least some of these organizations suffered some operational disruptions due to these breaches, especially since “just” 18% of companies reported direct breaches in the past year.
Prioritizing risks
Looking at individual verticals, SecurityScorecard says that transport was the most secure sector with no companies with low scores. On the other end of the spectrum is the energy industry, with 75% of organizations scored C or lower (A being best, and F being worst). Furthermore, a quarter (25%) reported experiencing direct breaches.
Scandinavian, British, and German firms were reported as most secure, while France had the highest rate of third- and fourth-party vendor breaches (98% and 100% respectively).
For Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard, prioritizing third-party risk management should be a priority for all EU firms, especially with DORA right around the corner.
The DORA legislation, short for the Digital Operational Resilience Act, is a new regulatory framework from the European Union designed to enhance the cybersecurity and operational resilience of financial institutions. With it, banks, insurance companies, investment firms, and other entities in the financial sector should be more resilient to disruptions, cyberattacks, and similar incidents.
The legislation is expected to come into full effect on January 17, 2025.
