Close Encounters of the Third (and Fourth) Party Kind

Partner: SecurityScorecard

Cyber defenses are only as strong as the weakest link, and this report confirms that those links often reside deep within the digital supply chain. By analyzing data from over 230,000 organizations, we examine the widespread interdependence that enables large-scale security incidents. The research moves beyond direct vendors to quantify the “once-removed” risk of fourth-party relationships.

The scale of interconnectivity is overwhelming: for every direct third-party vendor, organizations typically have indirect relationships with 60 to 90 fourth parties. This means that even if you don’t run a specific vendor’s code, it is almost certain that someone in your supply chain does. The report also shows that half of all organizations are indirectly connected to at least 200 fourth parties that have suffered a breach in the last two years.

Furthermore, the security posture of the “company you keep” tends to be significantly lower than your own. First parties are 2x more likely than their vendors to achieve an “A” rating, while those vendors are nearly 5x more likely to receive an “F”. By mapping these dependencies, organizations can finally answer “how big of a deal is this?” and begin automating vendor detection to get ahead of the risk.
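The multiplier, breach-proximity and grade figures above all come from one operation: walking the vendor graph outward from your own organization and counting what you reach at each hop. The following is an added illustration, not code from the report or from SecurityScorecard or Cyentia; the vendor graph, breach dates and letter grades are constructed sample data, and the function names are hypothetical. It generalizes the third/fourth-party split to any number of hops, counts each vendor only once at the shortest hop it is reached (so a fourth party that is also a direct vendor is not double-counted), and applies a trailing two-year breach window like the one the report uses.

```python
from datetime import date, timedelta

# Constructed sample data for illustration; these are not figures from the report.
# Each key is an organization, each value its direct (third-party) vendors.
VENDORS_OF = {
    "acme-bank": ["cloud-host", "payroll-saas", "analytics-co"],
    "cloud-host": ["dns-provider", "cdn-net", "log-saas"],
    "payroll-saas": ["cloud-host", "dns-provider", "email-relay"],
    "analytics-co": ["cdn-net", "log-saas", "ad-exchange"],
    "ad-exchange": ["cdn-net", "tracker-inc"],
}

# Most recent reported breach per vendor (constructed dates).
BREACHES = {
    "payroll-saas": date(2023, 8, 10),
    "log-saas": date(2024, 3, 1),
    "email-relay": date(2021, 1, 15),
    "ad-exchange": date(2023, 11, 2),
    "tracker-inc": date(2024, 6, 30),
}

# Hypothetical letter grades standing in for a scorecard rating.
GRADES = {
    "acme-bank": "A", "cloud-host": "B", "payroll-saas": "F", "analytics-co": "C",
    "dns-provider": "A", "cdn-net": "F", "log-saas": "F", "email-relay": "D",
    "ad-exchange": "F", "tracker-inc": "B",
}

# Reference date for the trailing breach window (constructed).
AS_OF = date(2025, 1, 1)


def parties_by_hop(org, vendors_of, max_hops=2):
    """Breadth-first walk of the vendor graph starting at `org`.

    Hop 1 is the set of third parties, hop 2 the fourth parties, and so on.
    A vendor is recorded once, at the shortest hop at which it is reached.
    """
    seen = {org}
    frontier = {org}
    hops = {}
    for hop in range(1, max_hops + 1):
        reached = set()
        for vendor in frontier:
            for downstream in vendors_of.get(vendor, ()):
                if downstream not in seen:
                    seen.add(downstream)
                    reached.add(downstream)
        hops[hop] = reached
        frontier = reached
    return hops


def growth_multiplier(org, vendors_of):
    """Fourth parties per direct vendor; the report's 60x-90x figure is this ratio."""
    hops = parties_by_hop(org, vendors_of, max_hops=2)
    if not hops[1]:
        return 0.0
    return len(hops[2]) / len(hops[1])


def breached_within(parties, breaches, as_of, years=2):
    """Subset of `parties` whose latest breach falls inside the trailing window.
    The window is approximated as 365 days per year."""
    window_start = as_of - timedelta(days=365 * years)
    return {p for p in parties if p in breaches and breaches[p] >= window_start}


def grade_share(parties, grades, grade="F"):
    """Fraction of `parties` holding `grade`; unrated vendors stay in the denominator."""
    if not parties:
        return 0.0
    return sum(1 for p in parties if grades.get(p) == grade) / len(parties)


def exposure_summary(org, vendors_of, breaches, grades, as_of):
    """The per-organization numbers behind the report's headline findings."""
    hops = parties_by_hop(org, vendors_of)
    return {
        "third_parties": len(hops[1]),
        "fourth_parties": len(hops[2]),
        "multiplier": growth_multiplier(org, vendors_of),
        "breached_third_parties": sorted(breached_within(hops[1], breaches, as_of)),
        "breached_fourth_parties": sorted(breached_within(hops[2], breaches, as_of)),
        "third_party_f_share": grade_share(hops[1], grades),
        "fourth_party_f_share": grade_share(hops[2], grades),
    }


if __name__ == "__main__":
    for key, value in exposure_summary("acme-bank", VENDORS_OF, BREACHES, GRADES, AS_OF).items():
        print(f"{key}: {value}")
```

On the sample graph, acme-bank has three direct vendors and five fourth parties, one breached third party and two breached fourth parties inside the window, and an "F" share that rises from one in three at hop 1 to three in five at hop 2. Note that `cloud-host` appears both as a direct vendor and as a vendor of `payroll-saas`; the shortest-hop rule keeps it out of the fourth-party count, which is the deduplication a real multiplier calculation needs.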

Key Findings

  • Universal Breach Proximity: 98% of organizations have a relationship with at least one third party that has experienced a breach within the last two years.
  • The 90x Growth Multiplier: Organizations typically have indirect relationships with 60x to 90x more fourth parties than direct third-party vendors.
  • Poor Posture Clusters: Organizations with a failing security grade themselves have fourth-party growth multipliers 10x higher than those with an “A” rating.
  • Sector Interdependence: The Information Services sector maintains 2.5x the number of third parties as the overall industry average.
  • Posture Decay: Third-party vendors are nearly 5x more likely to receive an “F” grade on their scorecard than the primary firms that monitor them.

Collaborative study by SecurityScorecard and Cyentia Institute analyzing data from 230,000+ organizations and 73,000+ vendors/products.