SecurityScorecard released its 2025 Supply Chain Cybersecurity Trends Survey, revealing that 88% of cybersecurity leaders are concerned about supply chain cyber risks. Based on insights from nearly 550 CISOs and security professionals worldwide, the findings reveal that the way most organizations manage supply chain cyber risk isn’t keeping pace with expanding threats.
Third-party involvement in breaches has doubled, rising from 15% to nearly 30%, according to the 2025 Verizon Data Breach Investigations Report. A small group of third-party providers now supports much of the world’s technology and infrastructure, creating an extreme concentration of risk. When even one of these providers is compromised, the ripple effects can disrupt thousands of organizations simultaneously. Attackers understand this leverage, making the supply chain an increasingly attractive entry point. Each vendor relationship expands the potential attack surface. The asymmetry is stark: defenders must secure every connection across their third- and nth-party networks, while attackers need only exploit a single vulnerability to gain access.
Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard, said: “Supply chain cyberattacks are no longer isolated incidents; they’re a daily reality. Yet breaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action. This outdated approach fails to operationalize the insights it gathers. What’s needed is a shift to active defense: supply chain incident response capabilities that close the gap between third-party risk teams and security operations centers, turning continuous monitoring and threat intelligence into real-time action. Static checks won’t stop dynamic threats—only integrated detection and response will.”
Key Findings:
More than 70% of organizations report experiencing at least one material third-party cybersecurity incident in the past year, and 5% suffered ten or more incidents.
Fewer than half of organizations monitor cybersecurity across even 50% of their nth-party supply chains, and 79% say that less than half of their nth-party supply chain is currently covered by cybersecurity programs.
Only 26% of organizations incorporate incident response into their supply chain cybersecurity programs. The majority rely on point-in-time, vendor-supplied assessments or cyber insurance.
88% of respondents say they are concerned about supply chain cybersecurity risks.
Nearly 40% of respondents cite data overload and the inability to prioritize issues and threats as their biggest supply chain cybersecurity challenge.
Cybersecurity Recommendations for Managing Supply Chain Cyber Risk
Based on the survey findings, SecurityScorecard offers these targeted recommendations for security teams:
Integrate Threat Intelligence Across Vendor Ecosystems: To stay ahead of active campaigns targeting the supply chain, organizations should connect threat intelligence feeds to their vendor risk management workflows. This integration enables teams to identify threats like ransomware or zero-day exploits in real time and assess their potential impact on the broader ecosystem.
Establish a Dedicated Supply Chain Incident Response Workflow: Organizations should define roles, responsibilities and communication pathways across teams to ensure that risks identified in the supply chain are resolved quickly and consistently. These processes should be regularly tested and refined as part of a broader incident response strategy.
Implement Vendor Tiering: Not all vendors or risks carry equal weight. Security teams should prioritize based on potential business impact, likelihood of exploitation and criticality to operations. Mapping the supply chain to identify high-risk dependencies and single points of failure allows for more strategic allocation of resources and focused risk mitigation efforts.
Foster a Culture of Shared Accountability and Resilience: Supply chain cybersecurity isn’t just a risk or IT issue. It requires collaboration across procurement, legal, operations and leadership. Embed security into decision-making processes, align on resilience goals and ensure teams are educated and measured against clear, shared metrics.
Source: businesswire