
SecurityScorecard has released its 2025 Supply Chain Cybersecurity Trends Survey, and the results underscore a growing crisis.
According to the report, 88% of cybersecurity leaders are worried about supply chain cyber risks—a fear grounded in reality as third-party involvement in breaches has nearly doubled, climbing from 15% to almost 30% in the past year, per the 2025 Verizon Data Breach Investigations Report.
The risk is concentrated: a small number of providers supply most of the world’s technology and infrastructure, so a compromise at any one of them can propagate to thousands of downstream organizations at once.
A recent example is the Salesforce-Salesloft Drift data breach, in which attackers used stolen OAuth tokens for the Drift integration to access customers’ Salesforce instances; it is believed to have affected more than 700 organizations.
“Supply chain cyberattacks are no longer isolated incidents; they’re a daily reality,” said Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard.
“Breaches persist because third-party risk management remains passive, built on assessments and compliance checklists instead of action. Static checks won’t stop dynamic threats—only integrated detection and response will.”
The Findings
- More than 70% of organizations reported at least one material third-party cybersecurity incident in the past year; 5% suffered ten or more.
- 79% admit less than half of their nth-party supply chain is covered by existing cybersecurity programs.
- Only 26% have embedded incident response into their supply chain security strategy.
- Nearly 40% cite data overload and the inability to prioritize threats as their top challenge.
What Needs to Change?
SecurityScorecard’s recommendations point to a shift from passive assessments to active defense. Organizations are urged to:
- Integrate threat intelligence across vendor ecosystems to spot ransomware and zero-day threats in real time.
- Establish supply chain incident response workflows with clear roles and tested processes to bridge gaps between risk teams and SOCs.
- Implement vendor tiering to focus on high-risk dependencies and single points of failure.
- Foster shared accountability across procurement, legal, operations, and leadership, embedding resilience into decision-making.