Seven in Ten Companies Say Supply Chain Cyber Risk Is a Major Worry
Summary
A global ISC2 survey of 1,062 cybersecurity professionals finds 70% of organisations are highly concerned about supply chain cyber risk. Concern is higher in larger organisations and in sensitive sectors: 82% of enterprise firms and 81% of military and defence contractors report high concern, against 67% in healthcare.
The dominant issue is lack of visibility into third-party and extended-vendor security practices — in short: organisations often “trust but can’t verify.” Twenty-eight percent reported a third-party cyber incident in the past two years (34% in enterprise, 37% in financial services). While nearly half of supplier incidents caused no major customer impact, many were close calls that raised alarms.
Threats respondents worry most about include data breaches (64%), malware/ransomware (52%), supplier product software vulnerabilities (51%) and unauthorised access via third-party credentials (37%). Insider threats from vendors and risks from AI tool misuse were also flagged.
Most organisations run at least annual risk assessments and 77% require vendors to meet recognised standards (ISO 27001, NIST, SOC 2, etc.). Common controls being strengthened are stricter onboarding, security audits, MFA and incident notification procedures. Still, about 10% have no formal supply chain risk programme yet.
Article Date: 2025-11-20T06:08:00-05:00
Key Points
- 70% of organisations say supply chain cyber risk is a major concern; the figure rises in enterprise and defence sectors.
- Limited visibility into vendors’ and vendors’ vendors’ security practices is the top worry — “you can’t protect what you can’t see.”
- 28% experienced a third-party-related cyber incident in the past two years; higher in enterprise and financial services.
- Top threats: data breaches (64%), malware/ransomware (52%), software vulnerabilities in supplier products (51%) and unauthorised access from third-party credentials (37%).
- 77% of organisations require vendor security standards (ISO 27001, NIST, SOC 2); organisations are adding audits, MFA and incident notification procedures.
- Around 10% still lack a formal supply chain risk programme — many are only just starting to build one.
Why should I read this?
Short version: if you touch procurement, IT, security or supply chain operations, this is your wake-up call. The survey shows peers are worried and actually doing things (standards, audits, MFA). Read it to see where your organisation stacks up, what the common fixes are, and which gaps — visibility and vendor controls — keep cropping up. We’ve skimmed the report for you so you don’t have to dig through every chart.
Context and Relevance
Supply chains remain a prime attack surface as businesses outsource more services and rely on complex vendor ecosystems. This ISC2 data underlines a growing industry trend: cyber risk is no longer just an IT problem but a supply chain and business-continuity priority. The findings are directly relevant to risk teams, procurement, auditors and senior leaders setting vendor governance and resilience strategies.