Cyberattacks On Specialized Vendors Put Whole Economic Sectors At Risk
July 10, 2024
Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, tells Axios that every sector has specialized needs that only a handful of vendors have products to address, which creates a concentrated security risk if those vendors face a cyberattack. Because of this, cyberattacks on specialized vendors can have far-reaching impacts.
The article highlights the domino effect that hundreds of organizations are dealing with due to a single attack on a third-party vendor. It references CDK Global and Change Healthcare as the best-known victims of a long series of cyberattacks in 2024 that started with just one major vendor and then rippled out to hundreds, if not thousands, of incidents throughout one sector.
150 companies account for 90% of the technology products and services that global companies are using in their systems, according to research from SecurityScorecard and McKinsey & Co. Of those 150 companies, 87 have a security rating of B or lower based on SecurityScorecard’s rating system. Companies that use the technology those 87 companies provide might have all the right cybersecurity practices in place, but they are at risk nonetheless.
“It’s not like these products all of a sudden appeared on the market; they’ve always been here,” Sherstobitoff said. “But the level of cyberattacks are higher than they were five, six, seven years ago in terms of breaching organizations that run that software.”
The best defense for customers of these highly concentrated tech vendors is to know which tools they’re running in their systems, says Sherstobitoff. “If you don’t know your third parties, then you have an unknown risk,” he said. Then, “you’re not aware that you and 60% of [the sector] are using that product.”