Insights from 549 CISOs and Security Professionals
Based on a SecurityScorecard survey of 549 cybersecurity leaders, 88% of respondents are worried about supply chain risk. The study concludes that the strategies currently used to manage that risk are not keeping pace with today's threat landscape.
According to the 2025 Verizon Data Breach Investigations Report, the share of breaches involving a third party has doubled, from 15% to roughly 30%. Part of the explanation is concentration: a small number of third-party providers underpin much of the world's technology and infrastructure, so a compromise at one of them reaches many downstream organizations.
SecurityScorecard argues that supply chain attacks are far more frequent than previously assumed and should be treated as a daily occurrence rather than a rare event. Breaches keep happening because third-party risk management is still largely passive: it collects findings but rarely turns them into action. Over 40% of organizations cite data overload as a major obstacle to managing these risks.
The study also reports that over 70% of organizations experienced at least one significant cybersecurity incident in the past year, and 5% suffered ten or more. Fewer than half of the companies surveyed actively monitor their third-party supply chains for cybersecurity issues.
Only 26% of organizations include incident response in their supply chain cybersecurity strategy. Despite their stated level of concern, most instead rely on vendor-supplied self-assessments and cyber insurance policies.
To close this gap, SecurityScorecard recommends feeding real-time threat intelligence into vendor risk workflows so that threats such as ransomware campaigns or zero-day exploits affecting a supplier are identified quickly, rather than surfacing at the next annual questionnaire. It also recommends a dedicated supply chain incident response process with clearly assigned roles and communication channels, so that the organization can act swiftly and consistently when a supplier is compromised.
Vendor tiering helps prioritize third-party providers by business impact, likelihood of exploitation, and operational criticality, so that attention and response effort go to the suppliers whose compromise would hurt most. Lastly, cross-functional collaboration is needed to embed security into procurement, legal, and operational decision-making, aligning those teams around shared resilience goals and performance metrics.
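The two recommendations above (tiering vendors, then routing threat intelligence through that tiering) fit together naturally as one small workflow. The following is an added illustration, not code from SecurityScorecard or from the report: the vendor inventory, the threat-feed entries, the multiplicative scoring formula, the tier thresholds, and the per-tier actions are all assumptions made for the example. It matches feed items against the products and versions a vendor supplies, then orders the resulting hits by vendor tier so the highest-impact supplier is handled first.

```python
"""Added example: vendor tiering plus threat-feed correlation.

Not the SecurityScorecard report's method; the scoring formula, thresholds,
inventory, and feed entries below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    business_impact: int      # 1..5: what breaks for us if this vendor is breached
    exploit_likelihood: int   # 1..5: how exposed and targeted the vendor's products are
    criticality: int          # 1..5: how hard it is to operate without the vendor
    products: dict = field(default_factory=dict)   # product id -> deployed version tuple


def risk_score(v: Vendor) -> int:
    """Multiplicative score (1..125): a vendor weak on all three axes stays low,
    one high on all three dominates. Assumed formula, not from the report."""
    return v.business_impact * v.exploit_likelihood * v.criticality


def tier(v: Vendor) -> int:
    """Map the score to tier 1 (most critical) .. 3. Thresholds are assumptions."""
    s = risk_score(v)
    if s >= 60:
        return 1
    if s >= 20:
        return 2
    return 3


# Per-tier action and response deadline (hours). Assumed playbook values.
ACTIONS = {
    1: ("page on-call; open supply chain incident; notify vendor contact", 4),
    2: ("ticket to vendor owner; confirm patch status with vendor", 24),
    3: ("track in backlog; verify at next review", 168),
}


def is_affected(deployed: tuple, fixed_in: tuple) -> bool:
    """A feed item applies if the deployed version predates the fixed version."""
    return deployed < fixed_in


def correlate(vendors, feed):
    """Match feed items to vendors by product and version.

    Returns a list of (tier, vendor_name, feed_id, category, action, sla_hours)
    sorted so tier 1 hits come first, then by descending risk score.
    """
    by_product = {}
    for v in vendors:
        for product in v.products:
            by_product.setdefault(product, []).append(v)

    hits = []
    for item in feed:
        for v in by_product.get(item["product"], []):
            deployed = v.products[item["product"]]
            if not is_affected(deployed, item["fixed_in"]):
                continue   # we already run the fixed version: no action needed
            t = tier(v)
            action, sla = ACTIONS[t]
            hits.append((t, v.name, item["id"], item["category"], action, sla))

    score_of = {v.name: risk_score(v) for v in vendors}
    hits.sort(key=lambda h: (h[0], -score_of[h[1]], h[2]))
    return hits


# Constructed inventory: vendor names, ratings, and versions are made up.
VENDORS = [
    Vendor("PayGate", 5, 4, 5, {"paygate-api": (2, 3, 1)}),                       # score 100 -> tier 1
    Vendor("MailBlast", 2, 3, 2, {"mailblast-agent": (1, 0, 4)}),                 # score 12  -> tier 3
    Vendor("LogVault", 4, 3, 4, {"logvault-collector": (7, 1, 0),
                                 "logvault-console": (7, 1, 0)}),                 # score 48  -> tier 2
]

# Constructed threat-feed entries: ids, products, and fixed versions are made up.
THREAT_FEED = [
    {"id": "TI-1001", "product": "logvault-collector", "fixed_in": (7, 2, 0), "category": "zero-day"},
    {"id": "TI-1002", "product": "paygate-api", "fixed_in": (2, 3, 0), "category": "ransomware"},
    {"id": "TI-1003", "product": "mailblast-agent", "fixed_in": (1, 1, 0), "category": "ransomware"},
]


if __name__ == "__main__":
    for t, vendor, feed_id, category, action, sla in correlate(VENDORS, THREAT_FEED):
        print(f"tier {t}  {vendor:<10} {feed_id} ({category}): {action} within {sla}h")
```

Note that TI-1002 produces no hit: PayGate is the tier 1 vendor, but the deployed 2.3.1 is already at or past the fixed version, so the version check suppresses what would otherwise be a false alarm. That is the kind of filtering that turns a raw feed into something an overloaded team can act on, which is the report's point about data overload.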