A new report from SecurityScorecard reveals a startling trend among the world’s top energy companies, with 90% suffering from data breaches through third parties over the last year. This statistic is particularly concerning given the crucial function these companies serve in everyday life.

Their growing dependence on digital systems makes attacks on infrastructure networks easier to carry out. This underscores the need for energy companies to take a proactive approach to securing their networks and customer information.

2023 industry recap: Largest third-party breaches in the energy sector

The energy sector faced significant challenges in 2023, marked by a notable rise in third-party data breaches. These incidents did more than just leak sensitive information — they also cast doubt on the industry’s security protocols. The breaches varied, but they resulted in financial losses, damaged reputations and eroded customer confidence.

Some of the key findings in this report included:

  • There were 264 reported breaches in the energy sector linked to third-party issues
  • All top 10 U.S. energy companies were included in confirmed third-party breaches
  • The MOVEit vulnerability was especially prevalent in the last six months, affecting numerous global energy companies
  • 33% of energy companies scored a C or lower in security, indicating a heightened breach risk

This surge in breaches is prompting the sector to strengthen its security measures, potentially leading to stronger defenses against future incidents.

What’s causing the rise in third-party breaches?

When focused on expansion, energy companies often engage multiple third-party vendors for specialized services. These external partners, ranging from software to logistics providers, bring their unique security configurations to the table.

While these collaborations offer several benefits, they also open up new security loopholes. A compromised vendor system can act as a gateway for cyber criminals to penetrate a partner’s data network.

Another key factor in the rising incidence of cyber breaches is the energy sector’s push towards digitalization. The integration of technologies such as IoT devices, cloud computing and machine learning offers numerous advantages but also expands the attack surface.

As numerous energy companies prioritize growth, maintaining a thorough understanding of their supply chain’s security often takes a back seat. This shortfall in oversight can leave critical weak points undetected, making it harder to address vulnerabilities preemptively. These overlooked areas can become prime targets for cyber attackers looking to exploit these security gaps.


What are the implications for critical infrastructure organizations?

Critical infrastructure entities must be vigilant about third-party breaches, as these incidents risk not only financial stability but also operational effectiveness and their public image.

Financial ramifications

The economic fallout from data breaches is substantial. The expenses can range from immediate outlays for detecting and fixing the breach to regulatory penalties and possible legal actions from those impacted. A recent report by IBM on the cost of data breaches in 2023 reveals that the average financial hit from these types of incidents last year reached $4.45 million, marking a 15% rise over the past three years.

Effects on operations

A breach originating from a third party can severely disrupt operational processes. This might lead to periods of inactivity and decreased productivity. In extreme cases, organizations might find it necessary to completely suspend their operations to manage the situation. This halt in activity is particularly critical for organizations responsible for essential services like electricity, water and transportation, as it can lead to widespread societal effects.

Reputational damage

Apart from the financial and operational implications of third-party breaches, there are also risks to a company’s reputation. Trust is incredibly important, and when lost, it can be very hard to re-establish. This can cast doubts on the ability of an organization to protect sensitive information, which will affect its business growth in the future.

How are organizations addressing their third-party risk profile?

With the growing concern over third-party breaches, energy sector companies are not sitting idle and are implementing better security measures to safeguard against these threats. Below are some of the main tactics they’re using.

Exhaustive assessments of vendors and supplier risk management

A thorough vendor evaluation should be conducted to mitigate third-party risk. This step is essential to ensure that partners’ security protocols and practices measure up to the company standards. It includes an assessment of their security practices, such as data protection policies, incident response plans, compliance with regulations and financial standing.

Continuous auditing and monitoring of vendor systems

A vital component of third-party risk management involves the ongoing auditing and monitoring of external vendor systems and networks. This continuous oversight helps companies detect shifts in a vendor’s risk profile and identify potential threats more quickly. Utilizing real-time monitoring tools for immediate alerts on unusual activities and routine audits ensures that vendors consistently meet established security standards.

Safe data transfer methods and strategic network segmentation

In the regular course of business with third parties, safely sharing data is a critical concern. Companies are adopting secure data transfer practices such as data encryption, secure file transfer systems and strict access management.

Network segmentation is another vital strategy for diminishing third-party risk. It involves splitting the network into distinct segments, each safeguarded by specific security measures, localizing and limiting the impact of any potential breach.

Keep your third-party risk management strategies up to date

The recent increase in attacks on third-party vendors highlights the importance of constantly updating and improving third-party risk management strategies. By regularly reviewing and enhancing these strategies, companies can stay ahead of potential threats and ensure the security of their customer data.
