An analysis of 136 unique major breaches involving third parties and affecting 710 companies, published this week by Black Kite, finds that approximately 26,000 additional organizations were impacted, affecting as many as 433 million individuals.
Ferhat Dikbiyik, chief research and intelligence officer for Black Kite, said the analysis shines a spotlight on the fact that the actual blast radius of a breach is much broader than generally appreciated given how interconnected most organizations actually are.
On average, the report finds there were 5.28 downstream victims per third-party breach, mainly because threat actors target shared platforms, centralized services, and organizations that have high dependencies on multiple vendors, noted Dikbiyik. As workflows become more integrated, the overall size of the blast radius of any given breach continues to expand, he added.
More challenging still, there is a significant visibility gap. The report finds that while the median time to detect an intrusion was 10 days, the median delay to disclose that breach to the public was 73 days. That delay creates a massive transfer of risk to the unsuspecting downstream customer, noted Dikbiyik.
Additionally, the report notes that of the nearly 200,000 organizations monitored by Black Kite, more than 54% have at least one critical vulnerability, while 23% have corporate credentials circulating on the dark web. As such, more organizations should be investing in continuous testing to ensure supply chains have not been compromised, added Dikbiyik.
In general, adversaries are now specifically targeting midsized companies that are usually part of a larger ecosystem, he added. While many cyberattacks are clearly opportunistic, a higher percentage are now being launched after adversaries have spent time researching the relationships between specific vendors, noted Dikbiyik.
Many of those attacks are being specifically aimed at manufacturing companies that are often reluctant to take machines offline in order to apply a patch that would otherwise have prevented a breach from occurring in the first place, he added.
In fact, most of the attacks being launched could be thwarted simply by following best patch management practices and implementing multifactor authentication, said Dikbiyik.
Unfortunately, cyberattacks are also becoming more sophisticated in the age of artificial intelligence (AI). Phishing attacks especially are becoming much more challenging to detect. Some adversaries have even gone so far as to set up AI chatbots to conduct ransomware negotiations, noted Dikbiyik.
Cybersecurity teams, meanwhile, are now also investing in AI to thwart these attacks, but at the moment it appears adversaries are adopting AI to augment their capabilities faster than many defenders, he added. It may only be a question of time before that playing field becomes more level, but in the short term risk levels are rising, added Dikbiyik.
Each organization, in the wake of an all but inevitable breach, will need to determine what level of notification is required. However, cybersecurity teams might want to assume that whenever a supplier is breached they are impacted, even if they never receive formal notification. Hopefully, there will come a day when cybersecurity assessments are conducted rigorously enough to better protect supply chains, but in the meantime it should be assumed that there is always a link in the chain that is much weaker than it appears.