A new report from SecurityScorecard reveals a startling trend among the world’s top energy companies, with 90% suffering from data breaches through third parties over the last year. This statistic is particularly concerning given the crucial function these companies serve in everyday life.

Their increased dependence on digital systems facilitates the increase in attacks on infrastructure networks. This sheds light on the need for these energy companies to adopt a proactive approach to securing their networks and customer information.

2023 industry recap: Largest third-party breaches in the energy sector

The energy sector faced significant challenges in 2023, marked by a notable rise in third-party data breaches. These incidents did more than just leak sensitive information — they also cast doubt on the industry’s security protocols. The breaches varied, but they resulted in financial losses, damaged reputations and eroded customer confidence.

Some of the key findings in this report included:

  • There were 264 reported breaches in the energy sector linked to third-party issues
  • All top 10 U.S. energy companies were included in confirmed third-party breaches
  • The MOVEit vulnerability was especially prevalent in the last six months, affecting numerous global energy companies
  • 33% of energy companies scored a C or lower in security, indicating a heightened breach risk.

This surge in breaches is prompting the sector to strengthen its security measures, potentially leading to stronger defenses against future incidents.

What’s causing the rise in third-party breaches?

When focused on expansion, energy companies often engage multiple third-party vendors for specialized services. These external partners, ranging from software to logistics providers, bring their unique security configurations to the table.

While these collaborations offer several benefits, they also open up new security loopholes. A compromised vendor system can act as a gateway for cyber criminals to penetrate a partner’s data network.

Another key factor in the rising incidence of cyber breaches is the energy sector’s push towards digitalization. The integration of technologies such as IoT devices, cloud computing and machine learning offers numerous advantages but also expands the attack surface.

As numerous energy companies prioritize growth, maintaining a thorough understanding of their supply chain’s security often takes a backseat. This shortfall in oversight can leave critical weak points undetected, posing a challenge in preemptively addressing vulnerabilities. These overlooked areas can become prime targets for cyber attackers looking to exploit these security gaps.

More on cyber risk management

What are the implications for critical infrastructure organizations?

Critical infrastructure entities must be vigilant about third-party breaches, as these incidents risk not only financial stability but also operational effectiveness and their public image.

Financial ramifications

The economic fallout from data breaches is substantial. The expenses can range from immediate outlays for detecting and fixing the breach to regulatory penalties and possible legal actions from those impacted. A recent report by IBM on the cost of data breaches in 2023 reveals that the average financial hit from these types of incidents last year reached $4.45 million, marking a 15% rise in the past three years.

Effects on operations

A breach originating from a third party can severely disrupt operational processes. This might lead to periods of inactivity and decreased productivity. In extreme cases, organizations might find it necessary to completely suspend their operations to manage the situation. This halt in activity is particularly critical for organizations responsible for essential services like electricity, water and transportation, as it can lead to widespread societal effects.

Reputational damage

Apart from the financial and operational implications of third-party breaches, there are also risks to a company’s reputation. Trust is incredibly important, and when lost, it can be very hard to re-establish. This can cast doubts on the ability of an organization to protect sensitive information, which will affect its business growth in the future.

How are organizations addressing their third-party risk profile?

With the growing concern over third-party breaches, energy sector companies are not sitting idle and are implementing better security measures to safeguard against these threats. Below are some of the main tactics they’re using.

Exhaustive assessments of vendors and supplier risk management

A thorough vendor evaluation should be conducted to mitigate third-party risk. This step is essential to ensure that partners’ security protocols and practices measure up to the company standards. It includes an assessment of their security practices, such as data protection policies, incident response plans, compliance with regulations and financial standing.

Continuous auditing and monitoring of vendor systems

A vital component of third-party risk management involves the ongoing auditing and monitoring of external vendor systems and networks. This continuous oversight helps companies detect shifts in a vendor’s risk profile and identify potential threats more quickly. Utilizing real-time monitoring tools for immediate alerts on unusual activities and routine audits ensures that vendors consistently meet established security standards.

Safe data transfer methods and strategic network segmentation

In the regular course of business with third parties, safely sharing data is a critical concern. Companies are adopting secure data transfer protocols like data encryption, secure file transfer systems and strict access management.

Network segmentation is another vital strategy for diminishing third-party risk. It involves splitting the network into distinct segments, each safeguarded by specific security measures, localizing and limiting the impact of any potential breach.

Keep your third-party risk management strategies up to date

The recent increase in attacks on third-party vendors highlights the importance of constantly updating and improving third-party risk management strategies. By regularly reviewing and enhancing these strategies, companies can stay ahead of potential threats and ensure the security of their customer data.

More from Data Protection

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Skills shortage directly tied to financial loss in data breaches

2 min read - The cybersecurity skills gap continues to widen, with serious consequences for organizations worldwide. According to IBM's 2024 Cost Of A Data Breach Report, more than half of breached organizations now face severe security staffing shortages, a whopping 26.2% increase from the previous year.And that's expensive. This skills deficit adds an average of $1.76 million in additional breach costs.The shortage spans both technical cybersecurity skills and adjacent competencies. Cloud security, threat intelligence analysis and incident response capabilities are in high demand. Equally…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today