A new report from SecurityScorecard reveals a startling trend among the world’s top energy companies, with 90% suffering from data breaches through third parties over the last year. This statistic is particularly concerning given the crucial function these companies serve in everyday life.

Their growing dependence on digital systems widens the attack surface of infrastructure networks and gives attackers more routes into them. This underlines the need for energy companies to take a proactive approach to securing their networks and customer information rather than reacting after a breach.

2023 industry recap: Largest third-party breaches in the energy sector

The energy sector faced significant challenges in 2023, marked by a notable rise in third-party data breaches. These incidents did more than just leak sensitive information — they also cast doubt on the industry’s security protocols. The breaches varied, but they resulted in financial losses, damaged reputations and eroded customer confidence.

Some of the key findings in this report included:

  • There were 264 reported breaches in the energy sector linked to third-party issues
  • All of the top 10 U.S. energy companies were affected by confirmed third-party breaches
  • The MOVEit Transfer file-transfer vulnerability (CVE-2023-34362) was especially prevalent in the last six months, affecting numerous global energy companies
  • 33% of energy companies scored a C or lower in security, indicating a heightened breach risk

This surge in breaches is prompting the sector to strengthen its security measures, which, if sustained, should reduce both the likelihood and the impact of future incidents.

What’s causing the rise in third-party breaches?

When focused on expansion, energy companies often engage multiple third-party vendors for specialized services. These external partners, ranging from software to logistics providers, each arrive with their own security posture, which the energy company does not control and often cannot see into.

While these collaborations offer several benefits, they also open up new entry points. Vendor connections, credentials and integrations are typically trusted by the partner's network, so a compromised vendor system can act as a gateway for cyber criminals to reach the partner's data.

Another key factor in the rising incidence of cyber breaches is the energy sector’s push towards digitalization. The integration of technologies such as IoT devices, cloud computing and machine learning offers numerous advantages but also expands the attack surface.

As numerous energy companies prioritize growth, maintaining a thorough understanding of their supply chain’s security often takes a backseat. This shortfall in oversight can leave critical weak points undetected, posing a challenge in preemptively addressing vulnerabilities. These overlooked areas can become prime targets for cyber attackers looking to exploit these security gaps.


What are the implications for critical infrastructure organizations?

Critical infrastructure entities must be vigilant about third-party breaches, as these incidents risk not only financial stability but also operational effectiveness and their public image.

Financial ramifications

The economic fallout from data breaches is substantial. The expenses can range from immediate outlays for detecting and fixing the breach to regulatory penalties and possible legal actions from those impacted. A recent report by IBM on the cost of data breaches in 2023 reveals that the average financial hit from these types of incidents last year reached $4.45 million, marking a 15% rise in the past three years.

Effects on operations

A breach originating from a third party can severely disrupt operational processes. This might lead to periods of inactivity and decreased productivity. In extreme cases, organizations might find it necessary to completely suspend their operations to manage the situation. This halt in activity is particularly critical for organizations responsible for essential services like electricity, water and transportation, as it can lead to widespread societal effects.

Reputational damage

Apart from the financial and operational implications of third-party breaches, there are also risks to a company’s reputation. Trust is incredibly important, and when lost, it can be very hard to re-establish. This can cast doubts on the ability of an organization to protect sensitive information, which will affect its business growth in the future.

How are organizations addressing their third-party risk profile?

With the growing concern over third-party breaches, energy sector companies are not sitting idle and are implementing better security measures to safeguard against these threats. Below are some of the main tactics they’re using.

Exhaustive assessments of vendors and supplier risk management

A thorough vendor evaluation should be conducted to mitigate third-party risk. This step is essential to ensure that partners’ security protocols and practices measure up to the company standards. It includes an assessment of their security practices, such as data protection policies, incident response plans, compliance with regulations and financial standing.

Continuous auditing and monitoring of vendor systems

A vital component of third-party risk management involves the ongoing auditing and monitoring of external vendor systems and networks. This continuous oversight helps companies detect shifts in a vendor’s risk profile and identify potential threats more quickly. Utilizing real-time monitoring tools for immediate alerts on unusual activities and routine audits ensures that vendors consistently meet established security standards.
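One concrete form of the continuous monitoring described above is checking every vendor remote-access event against the access profile agreed with that vendor (permitted source networks, permitted target hosts and a maintenance window), and alerting on anything outside it. The following is an added example written for this article, not code from the report or from any monitoring product; the vendor names, hostnames, address ranges, log format and log lines are all constructed for illustration.

```python
"""Flag vendor remote-access events that fall outside a vendor's agreed
access profile. Added illustration for this article; every vendor name,
host, network range and log line here is constructed, not real data."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed access profiles: what each vendor account is contractually
# allowed to do (source networks, target hosts, maintenance window in UTC).
VENDOR_PROFILES = {
    "scada-maint": {
        "source_nets": ["203.0.113.0/24"],
        "allowed_hosts": {"hmi-01.ot.example", "historian.ot.example"},
        "hours_utc": (6, 18),          # window is [start, end)
    },
    "billing-saas": {
        "source_nets": ["198.51.100.0/25"],
        "allowed_hosts": {"billing-api.corp.example"},
        "hours_utc": (0, 24),
    },
}

# Assumed log format for the vendor access gateway (one event per line).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def check_event(event):
    """List every way this event deviates from the vendor's profile ([] if clean)."""
    profile = VENDOR_PROFILES.get(event["vendor"])
    if profile is None:
        return ["unknown vendor account"]
    reasons = []
    src = ipaddress.ip_address(event["src"])
    if not any(src in ipaddress.ip_network(n) for n in profile["source_nets"]):
        reasons.append(f"source {src} outside agreed networks")
    if event["dst"] not in profile["allowed_hosts"]:
        reasons.append(f"destination {event['dst']} not in scope for this vendor")
    start, end = profile["hours_utc"]
    hour = event["ts"].astimezone(timezone.utc).hour
    if not start <= hour < end:
        reasons.append(f"access at {hour:02d}:00 UTC outside window {start:02d}-{end:02d}")
    return reasons


def scan(lines):
    """Return (timestamp, vendor, reasons) for every event that violates its profile."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reasons = check_event(event)
        if reasons:
            alerts.append((event["ts"].isoformat(), event["vendor"], reasons))
    return alerts


# Constructed sample log: one clean login followed by four policy deviations
# (out-of-hours access, unexpected source address, an IT vendor reaching an
# OT host, and an account that has no agreed profile at all).
SAMPLE_LOG = [
    "2024-03-04T09:15:00Z vendor=scada-maint src=203.0.113.17 dst=hmi-01.ot.example action=login",
    "2024-03-04T23:40:00Z vendor=scada-maint src=203.0.113.17 dst=historian.ot.example action=login",
    "2024-03-04T10:02:00Z vendor=scada-maint src=192.0.2.55 dst=hmi-01.ot.example action=login",
    "2024-03-04T10:05:00Z vendor=billing-saas src=198.51.100.20 dst=hmi-01.ot.example action=login",
    "2024-03-04T10:06:00Z vendor=contractor-x src=198.51.100.20 dst=billing-api.corp.example action=login",
]

if __name__ == "__main__":
    for ts, vendor, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {vendor}: {'; '.join(reasons)}")
```

The point of the design is that the profile, not the analyst, defines "unusual": each vendor's permitted scope is written down once, in the same terms as the contract, and every access event is compared against it. In practice the profiles would live alongside the vendor inventory and the checks would run in the SIEM or access gateway, but the logic is the same.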

Safe data transfer methods and strategic network segmentation

In the regular course of business with third parties, safely sharing data is a critical concern. Companies are adopting secure data transfer practices such as encryption in transit and at rest, managed file-transfer systems and strict access control over who can send and receive what. The MOVEit finding above is a reminder that the file-transfer system itself becomes part of the attack surface: it must be patched and monitored like any other vendor-facing service, and the data staged on it kept to the minimum needed.

Network segmentation is another vital strategy for diminishing third-party risk. It involves splitting the network into distinct segments, each safeguarded by its own security controls, so that a vendor's access lands in a dedicated zone with only the connections it needs. That localizes and limits the impact of any breach that begins at a third party.

Keep your third-party risk management strategies up to date

The recent increase in attacks on third-party vendors highlights the importance of constantly updating and improving third-party risk management strategies. By regularly reviewing and enhancing these strategies, companies can stay ahead of potential threats and ensure the security of their customer data.
