- Supply chain attacks are becoming more frequent and more dangerous
- Many security teams are worried about the risks
- 70% of firms have suffered one or more attacks in the past year
A new survey from SecurityScorecard reveals that cybersecurity leaders are faced with serious supply chain and third party risks. The survey outlines that CISOs and security professionals all around the globe are struggling to keep up with the pace of expanding threats.
The software supply chain has become a worrying weak link for firms of all sizesas smaller software providers are difficult to assess and often don’t have the cybersecurity capabilities large organizations can afford – with cybercriminals choosing smaller software companies as a point of intrusion to gain access to larger firms.
A staggering 88% of respondents were either ‘very concerned’ or ‘somewhat concerned’ about supply chain cybersecurity risks, and with good reason too, since 70% say they have experienced one or more ‘material third-party cybersecurity incidents’, with 5% suffering 10 or more in the past year.
Persistent threats
Recent research suggests third party involvement in threats has doubled from 15% to 30% in recent months, and a growing dependence on digital technologies also means a growing dependence on third party software for all industries.
As such, organizations are tasked with stringent cybersecurity practices to keep themselves secure. But, not everyone is confident in their ability to do so, with only 26% of organizations incorporating supply chain security into their cybersecurity programs – most rely on ‘point-in-time, vendor-supplied assessments or cyber insurance.’
Cybersecurity can be overwhelming even for firms with powerful capabilities, and nearly 40% of respondents reported that data overload and issues with prioritizing threats are their biggest challenge.
“Supply chain cyberattacks are no longer isolated incidents; they’re a daily reality,” said Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard
“Yet breaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action. This outdated approach fails to operationalize the insights it gathers. What’s needed is a shift to active defense: supply chain incident response capabilities that close the gap between third-party risk teams and security operations centers, turning continuous monitoring and threat intelligence into real-time action. Static checks won’t stop dynamic threats—only integrated detection and response will.”