Based on insights from almost 550 CISOs and security professionals from around the world, the study reveals that the current methods that organisations use to manage risk are not keeping up with emerging threats.
Third-party involvement in breaches rose from 15% to nearly 30% due to the small number of third-party providers which support the world's tech and infrastructure, according to the 2025 Verizon Data Breach Investigations Report.
SecurityScorecard believes that supply chain attacks are no longer isolated incidents, but a daily occurrence. However, breaches persist as third-party risk management remains passive and fails to transform insights into action, with 40% of organisations citing data overload as a major challenge.
Key findings of the study show that over 70% of organisations experienced at least one material cybersecurity incident in the past year, with 5% suffering ten or more incidents. Less than half of organisations monitor cybersecurity across even 50% of their third-party supply chains.
Only 26% of organisations incorporate incident response into their supply chain cybersecurity programs, with the majority relying on point-in-time, vendor-supplied assessments or cyber insurance, even though 88% of them say they are concerned about risks.
SecurityScorecard offers some recommendations for tackling the risk associated with supply chain security. Organisations should integrate threat intelligence feeds into vendor risk workflows to detect threats like ransomware or zero-day exploits in real time. A dedicated supply chain incident response process with clear roles and communication paths ensures swift, consistent action.
Additionally, vendor tiering may help prioritise based on business impact, likelihood of exploitation, and operational criticality. Finally, the company believes that fostering cross-functional collaboration embeds security into procurement, legal, and operational decisions, aligning teams around resilience goals and shared performance metrics.