Security leader reveals outdated strategies are creating a false sense of security
SecurityScorecard today released its 2025 Supply Chain Cybersecurity Trends Survey, which found that 88% of cybersecurity leaders are concerned about supply chain cyber risks. Based on responses from nearly 550 CISOs and security professionals worldwide, the findings show that the way most organizations manage supply chain cyber risk is not keeping pace with expanding threats.

Third-party involvement in breaches has doubled, rising from 15% to nearly 30%, according to the 2025 Verizon Data Breach Investigations Report. A small group of third-party providers now supports much of the world's technology and infrastructure, creating an extreme concentration of risk. When even one of these providers is compromised, the ripple effects can disrupt thousands of organizations simultaneously. Attackers understand this leverage, making the supply chain an increasingly attractive entry point. Each vendor relationship expands the potential attack surface. The asymmetry is stark: defenders must secure every connection across their third- and nth-party networks, while attackers need only exploit a single vulnerability to gain access.
Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard, said: “Supply chain cyberattacks are no longer isolated incidents; they’re a daily reality. Yet breaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action. This outdated approach fails to operationalize the insights it gathers. What’s needed is a shift to active defense: supply chain incident response capabilities that close the gap between third-party risk teams and security operations centers, turning continuous monitoring and threat intelligence into real-time action. Static checks won’t stop dynamic threats—only integrated detection and response will.”
Key Findings:
- More than 70% of organizations report experiencing at least one material third-party cybersecurity incident in the past year, and 5% suffered ten or more incidents.
- Fewer than half of organizations monitor cybersecurity across even 50% of their nth-party supply chains, and 79% say that less than half of their nth-party supply chain is currently covered by cybersecurity programs.
- Only 26% of organizations incorporate incident response into their supply chain cybersecurity programs. The majority rely on point-in-time, vendor-supplied assessments or cyber insurance.
- 88% of respondents say they are concerned about supply chain cybersecurity risks.
- Nearly 40% of respondents cite data overload and the inability to prioritize issues and threats as their biggest supply chain cybersecurity challenge.
Cybersecurity Recommendations for Managing Supply Chain Cyber Risk
Based on the survey findings, SecurityScorecard offers these targeted recommendations for security teams:
- Integrate Threat Intelligence Across Vendor Ecosystems: To stay ahead of active campaigns targeting the supply chain, organizations should connect threat intelligence feeds to their vendor risk management workflows. This integration enables teams to identify threats like ransomware or zero-day exploits in real time and assess their potential impact on the broader ecosystem.
- Establish a Dedicated Supply Chain Incident Response Workflow: Organizations should define roles, responsibilities and communication pathways across teams to ensure that risks identified in the supply chain are resolved quickly and consistently. These processes should be regularly tested and refined as part of a broader incident response strategy.
- Implement Vendor Tiering: Not all vendors or risks carry equal weight. Security teams should prioritize based on potential business impact, likelihood of exploitation and criticality to operations. Mapping the supply chain to identify high-risk dependencies and single points of failure allows for more strategic allocation of resources and focused risk mitigation efforts.
- Foster a Culture of Shared Accountability and Resilience: Supply chain cybersecurity isn’t just a risk or IT issue. It requires collaboration across procurement, legal, operations and leadership. Embed security into decision-making processes, align on resilience goals and ensure teams are educated and measured against clear, shared metrics.
For more in-depth analysis and to download the report, visit: https://securityscorecard.com/research-reports/2025-supply-chain-cybersecurity-trends/
Methodology
This report is based on a quantitative analysis of survey responses from 546 IT Directors and above, whose roles involve cybersecurity. Respondents represent enterprise organizations from around the globe and in a variety of industries, reporting annual revenue ranging from under $200 million to over $5 billion. Open-ended responses were also collected from all participants to provide additional insight for the report, but this qualitative data was not analyzed.
About SecurityScorecard
SecurityScorecard created Supply Chain Detection and Response (SCDR), transforming how organizations defend against the fastest-growing threat vector—supply chain attacks. Our industry-leading security ratings serve as the foundation and core strength, while SCDR continuously monitors third-party risks using our factor-based ratings, automated assessments and proprietary threat intelligence, to resolve threats before they become breaches. MAX enables response and remediation capability, working through our service partners to protect the entire supply chain ecosystem while strengthening operational resilience, enhancing third-party risk management and mitigating concentrated risk.
SecurityScorecard is trusted by over 3,000 organizations—including two-thirds of the Fortune 100—and recognized as a trusted resource by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Backed by Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, NGP, Intel Capital and Riverwood Capital, SecurityScorecard delivers end-to-end supply chain cybersecurity that safeguards business continuity.
Learn more at securityscorecard.com or follow us on LinkedIn.
View source version on businesswire.com: https://www.businesswire.com/news/home/20250625237124/en/
Contacts
Media Contact
Allison Knight
10Fold for SecurityScorecard
securityscorecard@10fold.com