SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

Most firms unprepared for rising supply chain cyber threats

Yesterday

A new report has found that 88% of cybersecurity leaders are concerned about supply chain cyber risks, with most organisations using supply chain risk management approaches that are not keeping pace with the threat landscape.

The 2025 Supply Chain Cybersecurity Trends Survey, published by SecurityScorecard, draws on responses from nearly 550 CISOs and security professionals worldwide. The report highlights a significant increase in breaches involving third parties and a concentration of risk across technology and infrastructure providers.

Increasing third-party risks

According to the survey, third-party involvement in security breaches has doubled, with incidents rising from 15% to nearly 30%, as also detailed in the 2025 Verizon Data Breach Investigations Report. The reliance on a small group of external providers has resulted in what the report describes as an "extreme concentration of risk," with the potential for a single provider's compromise to affect thousands of organisations at once.

Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard, addressed the evolving nature of these risks by stating:

Supply chain cyberattacks are no longer isolated incidents; they're a daily reality. Yet breaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action. This outdated approach fails to operationalize the insights it gathers. What's needed is a shift to active defense: supply chain incident response capabilities that close the gap between third-party risk teams and security operations centers, turning continuous monitoring and threat intelligence into real-time action. Static checks won't stop dynamic threats—only integrated detection and response will.

Survey findings

The report details several key statistics. More than 70% of organisations reported experiencing at least one material third-party cybersecurity incident in the past year, while 5% said they had suffered ten or more such incidents.

Coverage of nth-party risk remains low, with fewer than half of organisations monitoring cybersecurity across even half of their supply chain tiers. A substantial 79% reported that less than half of their nth-party supply chain is covered by cybersecurity programmes. Only 26% of organisations include incident response in their supply chain cybersecurity frameworks, with most relying on periodic vendor assessments or cyber insurance instead.

Respondents cited difficulty managing large volumes of data and prioritising issues as a major challenge, with 40% identifying this as their leading concern.

Recommendations for supply chain security

The findings led to several recommendations for organisations seeking to strengthen supply chain cyber risk management. SecurityScorecard advises integrating threat intelligence throughout the vendor ecosystem, allowing for real-time identification and assessment of risks such as ransomware and zero-day threats.

The report also suggests the establishment of a dedicated supply chain incident response workflow. This would include clear role definitions and communication pathways, with regular testing and refinement of processes as part of a broader incident response strategy.

Additionally, implementing vendor tiering is advised, prioritising high-risk dependencies and identifying single points of failure to enable more targeted mitigation.

The report emphasises the need for a shared approach across business functions. Responsibility for supply chain cybersecurity should extend beyond the remit of IT teams alone; organisations are encouraged to embed security considerations into procurement, legal, operations, and leadership decision-making.

Research methodology

The findings are derived from survey responses from 546 respondents at IT Director level and above, drawn from a range of industries and representing businesses with annual revenue from under $200 million to more than $5 billion. The research focused on quantitative analysis, supplemented by qualitative insights provided by participants.

SecurityScorecard's report underlines that attackers seek to exploit any single vulnerability within increasingly interconnected supply chains, while defenders must strive to secure all connections within often complex vendor networks.

The report concludes that a transition to integrated, proactive supply chain monitoring and response is necessary to address persistent gaps between risk assessments and operational security outcomes.
