
Most firms unprepared for rising supply chain cyber threats
A new report has found that 88% of cybersecurity leaders are concerned about supply chain cyber risks, with most organisations using supply chain risk management approaches that are not keeping pace with the threat landscape. The 2025 Supply Chain Cybersecurity Trends Survey, published by SecurityScorecard, draws on responses from nearly 550 CISOs and security professionals worldwide. The report highlights a significant increase in breaches involving third parties and a concentration of risk across technology and infrastructure providers.
Increasing third-party risks
According to the survey, third-party involvement in security breaches has doubled, with incidents rising from 15% to nearly 30%, as also detailed in the 2025 Verizon Data Breach Investigations Report. The reliance on a small group of external providers has resulted in what the report describes as an "extreme concentration of risk," with the potential for a single provider's compromise to affect thousands of organisations at once.
Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard, addressed the evolving nature of these risks by stating: "Supply chain cyberattacks are no longer isolated incidents; they're a daily reality. Yet breaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action. This outdated approach fails to operationalize the insights it gathers. What's needed is a shift to active defense: supply chain incident response capabilities that close the gap between third-party risk teams and security operations centers, turning continuous monitoring and threat intelligence into real-time action. Static checks won't stop dynamic threats—only integrated detection and response will."
Survey findings
The report details several key statistics. More than 70% of organisations reported experiencing at least one material third-party cybersecurity incident in the past year, while 5% said they had suffered ten or more such incidents.
Coverage of nth-party risk remains low, with fewer than half of organisations monitoring cybersecurity across even half of their supply chain tiers. A substantial 79% reported that less than half of their nth-party supply chain is covered by cybersecurity programmes. Only 26% of organisations include incident response in their supply chain cybersecurity frameworks, with most relying on periodic vendor assessments or cyber insurance instead.
Respondents cited difficulty managing large volumes of data and prioritising issues as a major challenge, with 40% identifying this as their leading concern.
Recommendations for supply chain security
The findings led to several recommendations for organisations seeking to strengthen supply chain cyber risk management. SecurityScorecard advises integrating threat intelligence throughout the vendor ecosystem, allowing for real-time identification and assessment of risks such as ransomware and zero-day threats.
The report also suggests the establishment of a dedicated supply chain incident response workflow. This would include clear role definitions and communication pathways, with regular testing and refinement of processes as part of a broader incident response strategy.
Additionally, implementing vendor tiering is advised, prioritising high-risk dependencies and identifying single points of failure to enable more targeted mitigation.
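The tiering and single-point-of-failure recommendations above can be made concrete by walking the organisation's dependency map. The script below is an added illustration written for this page, not SecurityScorecard's tooling or the report's own method; the systems, vendor names, breach counts and tiering thresholds are all constructed for the example. It inverts the system-to-vendor and vendor-to-vendor edges, computes each vendor's blast radius (every internal system that transitively depends on it) and its depth (third party, fourth party, and so on), and then assigns a tier from critical exposure and breach history. It also lists the vendors that a programme monitoring only direct suppliers would never see, which is the nth-party coverage gap the survey describes.

```python
"""Vendor tiering by blast radius across third- and fourth-party dependencies.

Added example: dependency data, names and tier thresholds are constructed and
hypothetical; they are not taken from the SecurityScorecard report.
"""
from collections import defaultdict, deque

# Constructed data: internal systems and the external vendors they rely on directly.
SYSTEM_DEPENDENCIES = {
    "payments-api": {"CloudHostCo", "FileXferCorp"},
    "customer-portal": {"CloudHostCo", "IdentityCo"},
    "hr-system": {"PayrollSaaS"},
    "data-warehouse": {"CloudHostCo", "AnalyticsCo"},
}
# Constructed data: vendors' own upstream suppliers (fourth parties and beyond).
VENDOR_DEPENDENCIES = {
    "FileXferCorp": {"CloudHostCo"},
    "IdentityCo": {"CloudHostCo"},
    "PayrollSaaS": {"IdentityCo"},
    "AnalyticsCo": {"DataBrokerCo"},
}
CRITICAL_SYSTEMS = {"payments-api", "customer-portal"}
# Constructed breach history per vendor (hypothetical counts).
PRIOR_BREACHES = {"FileXferCorp": 2, "PayrollSaaS": 1}


def reverse_edges(system_deps, vendor_deps):
    """Map each vendor to the systems and vendors that depend on it directly."""
    dependents = defaultdict(set)
    for system, vendors in system_deps.items():
        for vendor in vendors:
            dependents[vendor].add(system)
    for vendor, upstream in vendor_deps.items():
        for supplier in upstream:
            dependents[supplier].add(vendor)
    return dependents


def blast_radius(vendor, system_deps, vendor_deps):
    """Return (affected internal systems, minimum hops to the organisation).

    Hops of 1 means a third party, 2 a fourth party, and so on. Breadth-first
    traversal over the reversed edges guarantees the first system reached is
    at the minimum depth.
    """
    dependents = reverse_edges(system_deps, vendor_deps)
    systems = set(system_deps)
    affected, seen, depth = set(), {vendor}, None
    queue = deque([(vendor, 0)])
    while queue:
        node, hops = queue.popleft()
        for dependent in dependents.get(node, ()):
            if dependent in systems:
                affected.add(dependent)
                depth = hops + 1 if depth is None else min(depth, hops + 1)
            elif dependent not in seen:
                seen.add(dependent)
                queue.append((dependent, hops + 1))
    return affected, depth


def tier_vendors(system_deps, vendor_deps, critical, breaches):
    """Assign every vendor a tier from exposure and breach history (constructed rule):
    tier 1 touches a critical system; tier 2 affects several systems or has a breach
    history; tier 3 otherwise. A vendor that can take down more than half of the
    systems is flagged as a single point of failure."""
    all_vendors = set()
    for vendors in system_deps.values():
        all_vendors |= vendors
    for vendor, upstream in vendor_deps.items():
        all_vendors.add(vendor)
        all_vendors |= upstream
    tiering = {}
    for vendor in sorted(all_vendors):
        affected, depth = blast_radius(vendor, system_deps, vendor_deps)
        prior = breaches.get(vendor, 0)
        if affected & critical:
            tier = 1
        elif len(affected) > 1 or prior > 0:
            tier = 2
        else:
            tier = 3
        tiering[vendor] = {
            "tier": tier,
            "depth": depth,
            "affected_systems": sorted(affected),
            "prior_breaches": prior,
            "single_point_of_failure": len(affected) * 2 > len(system_deps),
        }
    return tiering


def unmonitored_beyond_depth(tiering, max_depth=1):
    """Vendors a programme that only watches direct suppliers never sees."""
    return sorted(v for v, info in tiering.items() if info["depth"] > max_depth)


if __name__ == "__main__":
    result = tier_vendors(SYSTEM_DEPENDENCIES, VENDOR_DEPENDENCIES, CRITICAL_SYSTEMS, PRIOR_BREACHES)
    for vendor, info in sorted(result.items(), key=lambda kv: kv[1]["tier"]):
        print(f"tier {info['tier']}  depth {info['depth']}  {vendor:<13} "
              f"affects {info['affected_systems']}  spof={info['single_point_of_failure']}")
    print("not covered by third-party-only monitoring:", unmonitored_beyond_depth(result))
```

On this constructed data the hosting provider sits behind three systems directly and a fourth through two intermediaries, so it is the one vendor flagged as a single point of failure, while the data broker at depth 2 is invisible to any programme that stops at direct suppliers.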
The report emphasises the need for a shared approach across business functions. Rather than leaving responsibility for supply chain cybersecurity with IT teams alone, organisations are encouraged to embed security considerations into procurement, legal, operations, and leadership decision-making.
Research methodology
The findings are derived from survey responses by 546 IT Directors and above, hailing from a range of industries and representing businesses with annual revenue from under $200 million to more than $5 billion. The research focused on quantitative analysis, with qualitative insights also provided by participants.
SecurityScorecard's report underlines that attackers seek to exploit any single vulnerability within increasingly interconnected supply chains, while defenders must strive to secure all connections within often complex vendor networks.
The report concludes that a transition to integrated, proactive supply chain monitoring and response is necessary to address persistent gaps between risk assessments and operational security outcomes.
Related Articles


Techday NZ, 03-07-2025
Ransomware threats surge as phishing grows, damages may hit $275 billion
KnowBe4 has highlighted the growing threat posed by ransomware, particularly through social engineering tactics, urging organisations to strengthen their human defences during Ransomware Awareness Month.

Recent research from KnowBe4 indicates a 57.7% increase in ransomware payloads delivered through phishing attacks between 1 November 2024 and 15 February 2025 when compared to the previous three months. This finding emphasises the significance of phishing as a primary method for ransomware to gain initial access to organisational systems.

The impact of ransomware on organisations remains severe, with global damages forecasted to reach USD $275 billion annually by 2031. Data from the 2025 Verizon Data Breach Investigations Report further reveals that ransomware was involved in 44% of all analysed breaches, a marked rise from 31% in the prior year.

Social engineering, and phishing specifically, has been increasingly exploited by cybercriminals to distribute ransomware. KnowBe4 notes that as these attack methods evolve, organisations must focus on mitigating the human risk inherent to their operations.

Five steps to reduce risk

To support efforts to minimise ransomware exposure, KnowBe4 has outlined five strategies for organisations to bolster their human layer of defence:

First, organisations are encouraged to tailor cybersecurity training by role. Providing timely, role-specific and personalised training helps address the unique threats and responsibilities of different departments, which can lead to a reduction in employee behaviours often targeted by ransomware attackers.

Second, running realistic phishing simulations is recommended. Regular simulations model current threat tactics, which can assist in building employees' critical thinking skills and foster instinctive resistance to phishing-based ransomware attacks.

Third, promoting a no-blame reporting culture is suggested. Encouraging employees to immediately report any suspicious emails or activities, regardless of whether they have made an error, enables more effective and quicker ransomware response and containment.

Fourth, maintaining a focus on ransomware awareness is essential. Organisations should run continuous awareness campaigns, utilising ongoing reminders, visuals, and regular communication, so that ransomware threats remain prominent and vigilance across the workforce is reinforced.

Finally, deploying advanced anti-phishing technology can complement human defences. Solutions powered by artificial intelligence and machine learning are increasingly able to identify and neutralise sophisticated phishing attacks, including those carrying zero-day ransomware payloads, often before they reach employee inboxes.

Social engineering and workforce vigilance

As ransomware attacks rise in prevalence and sophistication, KnowBe4 is calling attention to the important role social engineering plays in making organisations susceptible to compromise.

"Ransomware remains one of the largest cyber threats an organization can face–and it all starts with social engineering," said Roger Grimes, Data-Driven Defence Evangelist at KnowBe4. "As reports continue to highlight the varied forms of phishing as the most prevalent access vector for ransomware-related attacks, organizations must prioritize reducing human risk first and foremost. This Ransomware Awareness Month, it is crucial for every organization to understand their strongest defense against ransomware is actually their workforce."

The escalation in both the volume and the impact of ransomware cases through 2025 points to the critical need for organisations to address human factors in their cybersecurity strategies. The combination of tailored training, realistic testing, supportive internal cultures, ongoing awareness campaigns, and advanced technical defences forms a comprehensive approach against social engineering-led ransomware attacks.




Techday NZ, 22-05-2025
Fintech sector faces mounting third-party security breach risks
SecurityScorecard has published new research indicating that almost 42% of data breaches impacting top fintech companies can be traced back to third-party vendors, with a further 12% linked to fourth-party exposures. The findings, drawn from an analysis of 250 leading fintech firms worldwide, highlight the systemic risks facing the financial sector's supply chain despite robust internal cybersecurity practices.

The report, titled Defending the Financial Supply Chain: Strengths and Vulnerabilities in Top Fintech Companies, exposes a growing separation between strong internal controls and vulnerabilities introduced through external partners.

Fintech companies emerged as the industry with the strongest overall security posture, registering a median score of 90 in SecurityScorecard's assessment. More than half (55.6%) achieved an "A" rating. However, these scores did not fully shield the industry from cyber intrusions. According to the report, 18.4% of analysed fintech companies experienced breaches that were publicly reported, and over a quarter of these organisations (28.2%) suffered multiple incidents.

Technology products and services featured in 63.9% of third-party breaches, with file transfer software and cloud platforms identified as the primary points of compromise. Application security and DNS health deficiencies were noted as the most prevalent weaknesses within the sector. Nearly half of the firms (46.4%) scored the lowest in application security assessments. These weaknesses included unsafe redirect chains, misconfigured storage, and missing Sender Policy Framework (SPF) records.

Ryan Sherstobitoff, Senior Vice President of SecurityScorecard's STRIKE Threat Research and Intelligence Unit, commented on the findings: "Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure. Third-party breaches aren't edge cases - they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure."

The report highlights that the threat emanating from an organisation's indirect partners - referred to as fourth-party suppliers - now exceeds double the global average, making up 11.9% of incidents in the fintech sector. These risks underscore the complexity and depth of digital supply chains in financial technology.

Recommendations for fintech supply chains

In response to its analysis, the SecurityScorecard STRIKE team issued a series of recommendations for fintech companies to bolster their cybersecurity defences across the supply chain ecosystem.

Among the recommendations is the need to strengthen oversight of both third- and fourth-party risks. The team advises that, "Fintech companies should tier vendors based on exposure and breach history, not just spend or business value. Disclosing downstream dependencies and requiring incident notification clauses in contracts can reduce cascading risk from fourth-party breaches."

Securing shared infrastructure and the technical tools that enable financial operations is also critical. The team states, "File transfer software, cloud storage platforms and customer communication tools were the most common vectors for third-party breaches. Fintechs must audit these integrations regularly and require partners to demonstrate secure implementation practices."

Another key area is the remediation of deficiencies in application security and Domain Name System (DNS) settings. According to the report, "Nearly half of fintechs scored lowest in application security. Unsafe redirect chains, misconfigured storage and missing SPF records were common. Remediating these foundational weaknesses should be a priority, starting with customer-facing assets."

The report also advises enforcing robust credential protection measures. It recommends, "Credential stuffing campaigns and typosquatting attacks impacted a majority of firms. Enforcing MFA, monitoring for reused credentials and taking down spoofed domains are essential to protect users and prevent cross-platform compromise."

Finally, the research suggests that companies which have experienced multiple breaches should be considered higher-risk and subject to extra scrutiny. The report notes, "Companies with multiple breaches accounted for the majority of total incidents. Vendors with prior breach history, especially those with known third-party exposures, should face enhanced scrutiny during onboarding and renewals."

The study encompassed a range of fintech segments, including firms specialising in payments, digital assets, neobanking, financial planning, and technology infrastructure. The companies involved were selected for their international presence, influence within the industry, and operational scale.