In its 2025 Global Third-Party Breach Report, SecurityScorecard found that 35.5% of all cyber breaches in 2024 were third-party related, up from 29% in 2023.
# Industry News: SecurityScorecard Detects Significant Increase in Third-Party Breach Risk
## Summary
SecurityScorecard's new report reveals a substantial rise in cyber breaches attributed to third-party vulnerabilities in 2024, increasing from 29% to 35.5% year-over-year. This trend highlights the supply chain as a primary vector for sophisticated attack groups, including ransomware actors like Clop, and signals a broadening scope of risk beyond traditional technology vendors.
## Key Details
- Date: March 26, 2025 (Report Release)
- Companies Involved: SecurityScorecard (STRIKE Threat Intelligence Unit)
- Category: Market Analysis/Industry Research
## The Story
SecurityScorecard's *2025 Global Third-Party Breach Report*, analyzing 1,000 cyber breaches from 2024, documented a 6.5% absolute increase in breaches linked to third parties. Furthermore, third-party failures accounted for 41.4% of ransomware attacks observed in 2024. While technology products were involved in the breaches, the percentage linked to this sector dropped significantly (from 75% to 46.75%), suggesting attackers are diversifying their third-party targeting across various industries and service types. Threat intelligence leaders emphasize that adversaries are specifically targeting weaker supply chain links for scalable compromise.
## Business Impact
### For the Companies Involved
- **SecurityScorecard:** This report solidifies their position as a leading authority in supply chain risk intelligence, which drives demand for their vendor risk management and security rating platforms.
### For Competitors
- Competitors in the Vendor Risk Management (VRM) space benefit from heightened market awareness, but SecurityScorecard's proprietary threat intelligence data provides a potentially strong differentiation point, validating the necessity of continuous, deep-dive assessment solutions.
### For Customers
- Organizations face increased liability and operational risk due to the concentration of breaches stemming from their partners. This necessitates immediate re-evaluation and stricter contractual requirements for vendor security postures.
### For the Market
- The data validates the market shift towards prioritizing third-party risk management (TPRM). It signals that generic controls are insufficient, pushing demand toward continuous monitoring solutions capable of tracking diverse, risk-bearing suppliers.
## Technical Implications
The diversification beyond technology vendors suggests that regulatory, consulting, logistics, or other B2B service providers are now significant weak links, actively exploited by threat actors seeking downstream access.
## Strategic Analysis
- Market Positioning: SecurityScorecard is strategically positioned to capitalize on established market fear regarding supply chain risk, moving the conversation beyond simple compliance checklists to active, intelligence-driven risk scoring.
- Competitive Advantage: The use of their proprietary STRIKE Threat Intelligence Unit for real-world attribution grants them a data-driven edge in proving the urgency of their solutions.
- Challenges: The market is flooded with TPRM solutions; maintaining leadership requires continuous superior threat intelligence accuracy and integration into customer workflows.
## Industry Reactions
- Analyst opinions will likely focus on this data point confirming TPRM as the top cybersecurity investment priority for the near future.
- Expert commentary will emphasize that organizations must now look beyond their Tier 1 vendors and assess the risk resilience of their entire extended ecosystem.
- Market response sees sustained high demand for security rating services and supply chain risk auditing tools.
## Future Outlook
- We can expect a surge in mergers and acquisitions activity targeting specialized intelligence firms that provide deep visibility into non-tech suppliers. Security leaders will aggressively pressure boards to allocate budget specifically for supply chain diligence programs.
- Watch for further segmentation in breach reporting—distinguishing between direct vendor compromises and risks flowing through broader ecosystem sharing.
## For Security Professionals
Security practitioners must urgently audit and reassess their fourth-party risk exposure. Focus efforts on hardening connection points with all vendors, especially those outside the traditional IT/Cloud scope, and ensuring that incident response plans account for attribution scenarios where the initial compromise occurs upstream.