Over 61% suffered supply chain breaches in the past year, with almost a third suffering operational disruption and financial loss as a result
Sixty per cent of surveyed U.K. and US cybersecurity leaders now admit that security risks originating from third parties and supply chain partners are “innumerable and unmanageable.” This is according to the latest The State of Information Security Report from IO (formerly ISMS.online), which reveals a growing disparity between cybersecurity confidence and reality.
A surprising 97 per cent of cybersecurity leaders said they were confident in their breach response, with 61 per cent describing themselves as “very confident.” Yet, that confidence contrasts drastically with 61 per cent of leaders who noted their organisation had suffered a third-party or supply chain attack in the past 12 months. This further exemplifies the widening “confidence gap”, as business leaders back their resilience while supply chain compromises continue to cause widespread damage.
Also Read: CIO Influence Interview with Liav Caspi, Co-Founder & CTO at Legit Security
Recent high-profile incidents, such as the Jaguar Land Rover attack, which disrupted production across multiple manufacturing plants, and the Collins Aerospace attack on its MUSE software, which grounded several European airports to a halt, highlight how supply chain compromises can quickly cascade far beyond their initial target.
Among those who suffered a third-party or supply chain attack, 38 per cent resulted in customer, employee or partner data breaches, 35 per cent suffered financial losses or unplanned costs (e.g. remediation, fines, legal fees), and 33 per cent faced temporary system outage or operational disruption. More than a third (36 per cent) of organisations that suffered a customer data breach said they had experienced customer or partner churn or loss of trust as a result, while 28 per cent faced heightened scrutiny from partners or suppliers.
“Cybersecurity leaders clearly recognise the importance of supply chain security, but many still underestimate how complex and interdependent modern supply networks have become,” said Chris Newton-Smith, CEO of IO. “This confidence needs to be matched by continuous action to avoid the domino effect across networks, impacting customer trust, finances, and operations.”
Despite the growing risk, only 23 per cent of all respondents ranked supply chain compromise among their top emerging threats, placing it below AI misuse, misinformation, and phishing. This suggests that while investment is rising, supply chain risk is still underestimated relative to its potential impact.
While this year’s report focuses on the broader supply chain, it still underscores the disproportionate vulnerability of small and mid-sized businesses. Of those cybersecurity leaders within SMEs with up to 49 employees, 28 per cent reported supply chain disruption or cascading partner issues following a customer data breach, compared with 21 per cent of large enterprises. This suggests smaller firms are less able to contain the fallout of third-party incidents, often due to limited resources, smaller security teams, and fewer formal risk processes.
“Attackers increasingly see smaller suppliers as soft entry points into larger targets,” added Newton-Smith. “They may not be the ultimate p****, but they’re often the route into the larger organisations. Securing the entire supply chain is essential for national and commercial resilience.”
However, the research does demonstrate that investment in third-party and supply chain security is growing, as 64 per cent of organisations plan to increase spending in this area over the next year. This number drops to 45 per cent among smaller SMEs, who say budgets and investment will remain the same. Smaller firms are generally less likely to have a clear and well-communicated information security strategy, to invest in awareness training, or to strengthen crisis management and incident response capabilities, all key components of an effective resilience plan.
Encouragingly, 80 per cent of organisations have already strengthened third-party and vendor risk management practices in the last 12 months or longer than 12 months, with a further 17 per cent planning to do so in the next 12 months. Meanwhile, 21 per cent of leaders list strengthening vendor and third-party risk management among their top cybersecurity priorities for the next 12 months, reflecting a clear shift toward long-term resilience planning.
“Supply chain resilience is now one of the top security priorities for the year ahead, but this needs to be embedded within the organisation. To close the confidence gap, leaders must focus on people and process, putting strategies in place to ensure compliance and build a culture of security and resilience across the chain to avoid any weak links”, Newton-Smith added.
Catch more CIO Insights: The CIO as AI Ethics Architect: Building Trust In The Algorithmic Enterprise
[To share your insights with us, please write to psen@itechseries.com ]
