A new report from SecurityScorecard reveals a startling trend among the world’s top energy companies, with 90% suffering from data breaches through third parties over the last year. This statistic is particularly concerning given the crucial function these companies serve in everyday life.

Their increased dependence on digital systems facilitates the increase in attacks on infrastructure networks. This sheds light on the need for these energy companies to adopt a proactive approach to securing their networks and customer information.

2023 industry recap: Largest third-party breaches in the energy sector

The energy sector faced significant challenges in 2023, marked by a notable rise in third-party data breaches. These incidents did more than just leak sensitive information — they also cast doubt on the industry’s security protocols. The breaches varied, but they resulted in financial losses, damaged reputations and eroded customer confidence.

Some of the key findings in this report included:

  • There were 264 reported breaches in the energy sector linked to third-party issues
  • All top 10 U.S. energy companies were included in confirmed third-party breaches
  • The MOVEit vulnerability was especially prevalent in the last six months, affecting numerous global energy companies
  • 33% of energy companies scored a C or lower in security, indicating a heightened breach risk.

This surge in breaches is prompting the sector to strengthen its security measures, potentially leading to stronger defenses against future incidents.

What’s causing the rise in third-party breaches?

When focused on expansion, energy companies often engage multiple third-party vendors for specialized services. These external partners, ranging from software to logistics providers, bring their unique security configurations to the table.

While these collaborations offer several benefits, they also open up new security loopholes. A compromised vendor system can act as a gateway for cyber criminals to penetrate a partner’s data network.

Another key factor in the rising incidence of cyber breaches is the energy sector’s push towards digitalization. The integration of technologies such as IoT devices, cloud computing and machine learning offers numerous advantages but also expands the attack surface.

As numerous energy companies prioritize growth, maintaining a thorough understanding of their supply chain’s security often takes a backseat. This shortfall in oversight can leave critical weak points undetected, posing a challenge in preemptively addressing vulnerabilities. These overlooked areas can become prime targets for cyber attackers looking to exploit these security gaps.

More on cyber risk management

What are the implications for critical infrastructure organizations?

Critical infrastructure entities must be vigilant about third-party breaches, as these incidents risk not only financial stability but also operational effectiveness and their public image.

Financial ramifications

The economic fallout from data breaches is substantial. The expenses can range from immediate outlays for detecting and fixing the breach to regulatory penalties and possible legal actions from those impacted. A recent report by IBM on the cost of data breaches in 2023 reveals that the average financial hit from these types of incidents last year reached $4.45 million, marking a 15% rise in the past three years.

Effects on operations

A breach originating from a third party can severely disrupt operational processes. This might lead to periods of inactivity and decreased productivity. In extreme cases, organizations might find it necessary to completely suspend their operations to manage the situation. This halt in activity is particularly critical for organizations responsible for essential services like electricity, water and transportation, as it can lead to widespread societal effects.

Reputational damage

Apart from the financial and operational implications of third-party breaches, there are also risks to a company’s reputation. Trust is incredibly important, and when lost, it can be very hard to re-establish. This can cast doubts on the ability of an organization to protect sensitive information, which will affect its business growth in the future.

How are organizations addressing their third-party risk profile?

With the growing concern over third-party breaches, energy sector companies are not sitting idle and are implementing better security measures to safeguard against these threats. Below are some of the main tactics they’re using.

Exhaustive assessments of vendors and supplier risk management

A thorough vendor evaluation should be conducted to mitigate third-party risk. This step is essential to ensure that partners’ security protocols and practices measure up to the company standards. It includes an assessment of their security practices, such as data protection policies, incident response plans, compliance with regulations and financial standing.

Continuous auditing and monitoring of vendor systems

A vital component of third-party risk management involves the ongoing auditing and monitoring of external vendor systems and networks. This continuous oversight helps companies detect shifts in a vendor’s risk profile and identify potential threats more quickly. Utilizing real-time monitoring tools for immediate alerts on unusual activities and routine audits ensures that vendors consistently meet established security standards.

Safe data transfer methods and strategic network segmentation

In the regular course of business with third parties, safely sharing data is a critical concern. Companies are adopting secure data transfer protocols like data encryption, secure file transfer systems and strict access management.

Network segmentation is another vital strategy for diminishing third-party risk. It involves splitting the network into distinct segments, each safeguarded by specific security measures, localizing and limiting the impact of any potential breach.

Keep your third-party risk management strategies up to date

The recent increase in attacks on third-party vendors highlights the importance of constantly updating and improving third-party risk management strategies. By regularly reviewing and enhancing these strategies, companies can stay ahead of potential threats and ensure the security of their customer data.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today