Supply chain risks overwhelm cybersecurity leaders, report finds
New research has found that 60% of cybersecurity leaders in the UK and US consider security risks from third parties and supply chain partners to be "innumerable and unmanageable."
The findings come from The State of Information Security Report by IO and point to a significant gap between perceived confidence in cybersecurity measures and actual resilience against supply chain threats. The research reveals that in the past year, 61% of organisations have experienced a supply chain breach, leading to substantial operational and financial consequences for many.
Operational disruption
According to the report, almost a third of those affected by supply chain breaches encountered operational disruption. Over a third suffered financial losses, which included spending on remediation, paying fines, or covering legal fees. The impact of these breaches has raised concerns about the vulnerabilities of interconnected businesses, especially following recent high-profile attacks.
Recent incidents, such as attacks on Jaguar Land Rover that disrupted production across its manufacturing operations, and an incident affecting Collins Aerospace's MUSE software, which caused disruption to several European airports, have highlighted the extent to which supply chain breaches can affect organisations far beyond the original target. There have also been breaches linked to service suppliers for retailers and airports, showing the broad public reach of such incidents.
Among the organisations that reported supply chain or third-party attacks, 38% said they had suffered breaches involving customer, employee or partner data, 35% experienced financial losses or unplanned costs, and 33% faced temporary system outages or disruption to business operations. For those that suffered data breaches affecting customer data, 36% said this resulted in customer or partner churn or a loss of trust, and 28% reported increased scrutiny from their partners or suppliers.
"Cybersecurity leaders clearly recognise the importance of supply chain security, but many still underestimate how complex and interdependent modern supply networks have become. This confidence needs to be matched by continuous action to avoid the domino effect across networks, impacting customer trust, finances, and operations," said Chris Newton-Smith, CEO of IO.
Confidence gap
Despite the frequency and impact of supply chain attacks, the research found that only 23% of respondents ranked supply chain compromise among their top emerging threats. This places the risk below concerns such as AI misuse, misinformation, and phishing, which suggests that supply chain risk is still underestimated relative to its potential impact. The findings also show a striking 97% of cybersecurity leaders say they are confident in their breach response capabilities, with 61% saying they are "very confident," underlining the ongoing disparity between confidence and actual outcomes.
The report highlights that while investment in third-party and supply chain security is increasing, the awareness and perceived urgency around these risks remain limited. Nearly two-thirds (64%) of organisations plan to increase their spending in this area in the next year, but this intention is less pronounced among smaller firms, only 45% of which expect investment to rise.
Smaller businesses are shown to have vulnerabilities that larger enterprises may not face to the same extent. For example, among cybersecurity leaders at firms with up to 49 staff, 28% reported supply chain disruption or subsequent partner issues after a customer data breach, compared to 21% of large enterprises. Smaller organisations are generally less able to limit the impact of third-party incidents, often due to having fewer resources, smaller security teams, and less robust risk management processes.
"Attackers increasingly see smaller suppliers as soft entry points into larger targets. They may not be the ultimate prize, but they're often the route into the larger organisations. Securing the entire supply chain is essential for national and commercial resilience," added Newton-Smith.
Investment and resilience
The research also highlights efforts being made to address these issues, with 80% of organisations having enhanced their third-party and vendor risk management practices in the last 12 months or longer, and a further 17% planning to do so in the next year. In addition, 21% of leaders identified strengthening vendor and third-party risk management as one of their top cybersecurity priorities for the coming 12 months.
Smaller companies, however, are less likely to have clearly defined and well-communicated information security strategies, invest in awareness training, or improve crisis management and incident response capabilities, which are all crucial components of building resilience. This leaves them potentially more exposed to both the initial and knock-on impacts of supply chain breaches.
"Supply chain resilience is now one of the top security priorities for the year ahead, but this needs to be embedded within the organisation. To close the confidence gap, leaders must focus on people and process, putting strategies in place to ensure compliance and build a culture of security and resilience across the chain to avoid any weak links," Newton-Smith added.