Third-Party Cyber Threats Expose Vendor Blind Spots

New data from the 2025 Supply Chain Cybersecurity Trends Survey by SecurityScorecard shows that cyberattacks involving third-party vendors have nearly doubled year over year, growing from 15% to almost 30% of breaches. This trend, also reflected in Verizon’s 2025 Data Breach Investigations Report, highlights how digital interconnectedness has turned suppliers and partners into high-stakes liabilities.

Third-Party Breaches Now Widespread

A key driver of this vulnerability is vendor concentration. Many enterprises rely on a narrow group of cloud, infrastructure, or software providers, creating what SecurityScorecard describes as “extreme concentration of risk.” A breach at a single service provider can cascade through thousands of customer environments. Yet only 26% of organizations have embedded incident response protocols into their supply chain security frameworks, leaving most companies exposed during critical failure windows.

SecurityScorecard’s Field Chief Threat Intelligence Officer, Ryan Sherstobitoff, said in an official statement that passive risk management models, based on static checklists and delayed assessments, are no longer fit for purpose. Instead, he called for a shift toward active defense strategies that bridge the gap between vendor risk and real-time threat operations.

Low Visibility and Data Overload Undermine Readiness

Despite awareness of the growing threat, most companies lack visibility into the deeper layers of their supply base. The report shows that only 21% of surveyed organizations apply cybersecurity oversight to more than half of their extended (or “nth-party”) supply chain, while 79% acknowledge major blind spots.

Even at the primary supplier level, maturity gaps persist. Over 70% of companies experienced at least one third-party breach in the past 12 months, and 5% faced 10 or more such incidents. Yet the dominant approach to risk remains fragmented, driven by insurance policies, vendor audits, and limited programmatic coverage. Respondents cited data volume and issue prioritization as core challenges, with 40% ranking the volume of vendor data and the difficulty of prioritizing issues as the top barrier to progress.

The report offers concrete steps for improvement, including implementing vendor tiering to prioritize high-risk partners, establishing formalized incident response workflows with cross-functional clarity, and embedding threat intelligence directly into procurement and legal functions, not just security teams.

Rethinking Where Cyber Risk Really Lives

The next frontier in supply chain cybersecurity isn’t technological; it’s organizational. Too often, companies isolate responsibility within IT, overlooking the operational choices that expose them to risk long before a breach occurs. How suppliers are selected, how contracts are structured, and how dependencies are mapped all shape the threat surface. Closing the gap won’t come from better dashboards alone, but from embedding cybersecurity judgment into everyday commercial decisions, long before a risk becomes an incident.