- SecurityScorecard report reveals that most EU companies suffered a third-party data breach in 2024
- Scandinavian countries fared better, French fared worse
- Companies should prioritize third-party risk next year, researchers warn
Third-party data breaches have become one of the biggest threats to the cybersecurity of organizations in the European Union, according to new research.
A SecurityScorecard report took the top 100 companies in Europe and analyzed factors such as network security, malware infections, endpoint security, patch cadence, application security and DNS health.
It found that virtually all European companies (98%) had experienced a third-party breach in the last year, meaning that nearly every organization had a vendor or partner that was compromised. Although SecurityScorecard did not discuss it, it is safe to assume that at least some of these organizations suffered operational disruptions as a result of these breaches, especially since “only” 18% of companies reported direct breaches last year.
Prioritize risks
Looking at individual verticals, SecurityScorecard states that transportation was the safest sector, with no companies scoring low. At the other end of the spectrum is the energy industry, with 75% of organizations scoring C or lower (A is the best grade and F the worst). Additionally, a quarter (25%) of energy companies reported experiencing direct breaches.
Scandinavian, British and German companies were considered the safest, while France had the highest rates of third-party and fourth-party supplier breaches (98% and 100% respectively).
For Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, third-party risk management should be a priority for all EU companies, especially now that DORA is just around the corner.
The DORA legislation, short for Digital Operational Resilience Act, is a new European Union regulatory framework designed to improve the cybersecurity and operational resilience of financial institutions. This should make banks, insurance companies, investment firms and other entities in the financial sector more resilient to disruptions, cyberattacks and similar incidents.
The legislation is expected to come into full force on January 17, 2025.