97 FTSE 100 firms exposed to supply chain breaches

Koonsiri – stock.adobe.com

Between March 2023 and March 2024, 97 out of 100 companies on the UK’s FTSE 100 list were put at risk of compromise following supply chain breaches at third-party suppliers

Alex Scroxton,
Security Editor

Published: 03 Jun 2024 17:25

Of the 100 organisations listed on the Financial Times Stock Exchange (FTSE) 100 list of Britain’s most highly capitalised firms, 97 were exposed to a third-party supply chain data breach incident between March 2023 and March 2024, according to data published by SecurityScorecard ahead of the annual Infosec Europe fair.

The findings, which come as supply chain attacks continue to dominate cyber security discussions – particularly in regard to the safety of critical national infrastructure (CNI) – reveal the scale of the problem facing all organisations, not just prominent ones.

SecurityScorecard said the FTSE 100 had done well at protecting their own front doors – only 12% of the listed organisations reported a breach themselves last year – with the result that adversaries must seek other ways to get in, which usually means through the systems of third-party suppliers of technology or other services.

The firm said it wanted to highlight that a company’s cyber security strength is directly linked to the strength of even its smallest supplier, warning that using such firms as an unwitting Trojan Horse was much easier than directly compromising a well-known organisation with multiple layers of controls and a fully-fledged security operations centre (SOC).

“Third-party risk management is a key component of any robust cyber security programme, and the companies represented in this report would benefit by making it a priority,” said Will Gray, SecurityScorecard’s director of Northern Europe.

“The sectors and organisations in the UK, and in Europe as a whole, need to do more now if they are going to be ready for the implementation of DORA [Digital Operational Resilience Act] by January 2025, as well as the NIS2 Directive.

“The rise of data breaches across Europe demonstrates that UK companies still need to make third-party risk management [TPRM] an integral component of not only their security programme but of their vendor selection process as well,” added Gray.

Mixed picture

Beyond their potential exposure to supply chain attacks, the UK’s top-performing companies tended to have much stronger cyber security postures than their European counterparts, with 76% scoring at the highest three grades – A through C – on SecurityScorecard’s proprietary ratings metric, compared with 60% in France, 59% in Italy and 66% in Germany. Additionally, 85% of UK organisations with the highest A grade had not been breached in the past year.

Happily for those concerned about threats to CNI, the most secure sector in the UK was energy and basic materials (mining and raw materials), where only 12% and 16% experienced a third-party breach last year, and no organisations received a C grade or below. The financial services industry also performed well, with only 5% receiving a C grade or lower. Organisations working in the communications sector, however, have a lot of work to do – 70% of them received a C grade or lower.

The top performers are also the richest companies with the highest market caps that can afford to do security well. Of the 25 UK organisations worth over $29bn, only 12% received a C grade or below, while for the 75 others, this rose to 28%.