88% of cybersecurity leaders concerned about supply chain risks

27 June 2025

A recent report shows that 88% of cybersecurity leaders are worried about supply chain cyber threats, yet most organizations’ risk management strategies are not keeping pace with the evolving threat landscape.

The 2025 Supply Chain Cybersecurity Trends Survey, published by SecurityScorecard, analyzes responses from nearly 550 CISOs and security professionals worldwide and highlights a sharp rise in third-party breaches and concentrated risks among key technology and infrastructure providers.

The survey indicates that the share of breaches involving a third-party vendor has doubled, from 15% to nearly 30%, in line with the 2025 Verizon Data Breach Investigations Report. Heavy dependence on a small number of external providers has created an "extreme concentration of risk": a breach at a single provider can impact thousands of organizations simultaneously.

"Supply chain attacks are no longer isolated — they are a daily threat. Yet, many organizations remain passive, relying on assessments and compliance checklists rather than proactive, operational security measures. We need a shift to active defense — integrated detection and response capabilities that turn continuous monitoring into immediate action. Static checks won't stop dynamic threats," said Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard.

More than 70% of organizations reported at least one significant third-party cybersecurity incident in the past year, and 5% reported ten or more. Despite this, fewer than half monitor cybersecurity across even half of their supply chain tiers, and 79% say that less than half of their extended supply chain is covered by a cybersecurity program at all. Only 26% include incident response in their supply chain security framework; the rest typically rely on periodic vendor assessments or cyber insurance instead.

A major challenge identified by respondents is managing the large volume of risk data and prioritizing issues, with 40% citing this as their primary concern.

SecurityScorecard recommends several measures to improve supply chain cybersecurity. These include integrating threat intelligence across vendor ecosystems for real-time risk detection, establishing dedicated supply chain incident response workflows with clear roles and communication channels, and regularly testing these processes.

The report also advises organizations to adopt vendor tiering, focusing on high-risk dependencies and identifying single points of failure for targeted mitigation. Furthermore, embedding security into broader business functions — such as procurement, legal, and operations — is emphasized, moving beyond IT-centric approaches to shared responsibility.
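Vendor tiering and single-point-of-failure analysis start from a dependency inventory, which the report does not show. The script below is an added illustration, not SecurityScorecard's method or code: it takes a constructed inventory in which each business service lists the providers able to fulfil each function it depends on, flags a provider as a single point of failure wherever it is the only option for a function, and assigns a tier from blast radius (how many services share the provider) and criticality. The service names, vendor names, tier rules and the 50% concentration threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample inventory (assumed, not from the report). Each service maps a
# function it depends on to the external providers that can fulfil it. A function
# with exactly one provider is a single point of failure for that service.
SERVICES = [
    {"name": "payments", "critical": True,
     "deps": {"card-processing": ["AcmePay"], "hosting": ["CloudA"]}},
    {"name": "customer-portal", "critical": True,
     "deps": {"identity": ["IdPCo"], "hosting": ["CloudA", "CloudB"]}},
    {"name": "internal-wiki", "critical": False,
     "deps": {"hosting": ["CloudA"], "identity": ["IdPCo"]}},
    {"name": "hr-system", "critical": False,
     "deps": {"saas": ["HRVendor"], "identity": ["IdPCo"]}},
]


@dataclass
class VendorRisk:
    services: set = field(default_factory=set)            # every service that depends on the vendor
    critical_services: set = field(default_factory=set)   # the critical subset of those
    sole_provider_for: set = field(default_factory=set)   # (service, function) pairs with no alternative


def assess(services):
    """Aggregate, per vendor, which services depend on it and where it has no substitute."""
    risks = defaultdict(VendorRisk)
    for svc in services:
        for function, providers in svc["deps"].items():
            for vendor in providers:
                r = risks[vendor]
                r.services.add(svc["name"])
                if svc["critical"]:
                    r.critical_services.add(svc["name"])
                if len(providers) == 1:
                    r.sole_provider_for.add((svc["name"], function))
    return dict(risks)


def tier(risk, total_services, concentration_threshold=0.5):
    """Assumed tiering rule: Tier 1 = sole provider for a critical service, or a provider
    shared by more than `concentration_threshold` of all services (one breach hits most
    of the estate); Tier 2 = supports a critical service with an alternative in place;
    Tier 3 = everything else."""
    critical_spof = any(s in risk.critical_services for s, _ in risk.sole_provider_for)
    concentrated = len(risk.services) / total_services > concentration_threshold
    if critical_spof or concentrated:
        return 1
    if risk.critical_services:
        return 2
    return 3


def tier_vendors(services, concentration_threshold=0.5):
    risks = assess(services)
    return {v: tier(r, len(services), concentration_threshold) for v, r in risks.items()}


def single_points_of_failure(services):
    """Vendors that are the only provider of some function for a critical service."""
    return sorted(v for v, r in assess(services).items()
                  if any(s in r.critical_services for s, _ in r.sole_provider_for))


if __name__ == "__main__":
    for vendor, t in sorted(tier_vendors(SERVICES).items(), key=lambda kv: kv[1]):
        print(f"Tier {t}: {vendor}")
    print("Single points of failure:", single_points_of_failure(SERVICES))
```

On the constructed data, CloudA and IdPCo land in Tier 1 for two independent reasons: each is the sole provider for a function of a critical service and each is shared by three of the four services, which is the concentration the report warns about. AcmePay is Tier 1 purely as a single point of failure; CloudB is Tier 2 because customer-portal can fall back to CloudA; HRVendor is a sole provider only for a non-critical service and stays in Tier 3. Lowering the threshold or adding a second provider for a function changes the tiers, which is the point of keeping the inventory machine-readable rather than in a periodic questionnaire.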