Supply Chain Cyber Risks Surge Amid Rising Global Threats

Cybersecurity is no longer just an IT issue—it’s now deeply intertwined with supply chain resilience.
As geopolitical tensions intensify and technology evolves rapidly, the complexity of managing cyber risks escalates.
Organisations are grappling with sophisticated threats, expanding regulatory demands and fragile supply networks, all while facing a widening cyber skills gap.
According to the World Economic Forum’s (WEF) latest report with Accenture, 'Global Cybersecurity Outlook 2025,' a striking 54% of large organisations identify supply chain challenges as the biggest barrier to achieving cyber resilience.
This highlights a shift in focus from traditional security concerns to the vulnerabilities embedded within global supply chains.
The increasing complexity of these supply chains, combined with limited visibility into suppliers’ security measures, has made them prime targets for cyberattacks.
The risks aren’t confined to direct partners—they extend to third-party software vulnerabilities and the potential for attacks to ripple across entire ecosystems.
The global IT outage of 2024, the largest in history, exposed the fragility of this interconnectedness. The incident affected airlines, banks, healthcare systems, retailers and ATMs worldwide, leading to an estimated US$5bn in losses. It highlighted the systemic risks tied to reliance on a small number of critical providers.
Cyber threats continue to escalate, with 72% of respondents to the WEF’s survey reporting an increase in cyber risks. The rise in ransomware, AI-enhanced attacks such as phishing and deepfakes, and the growing frequency of supply chain breaches reflect a rapidly evolving threat landscape.
Amin Nasser, President and CEO of Aramco, sums it up: “As digitalisation advances, cyber threats are becoming increasingly complex, particularly as interdependencies across third-party supply chains and broader ecosystems grow.
“Cyber attackers need only succeed once to cause significant harm, while our collective defences... must be robust and cohesive at all times.”
Third-party risks: The visibility challenge
One of the biggest hurdles organisations face in securing their supply chains is the lack of visibility across third-party relationships.
A focus group at the 2024 Annual Meeting on Cybersecurity revealed that 41% of participants consider improving visibility into third-party dependencies as the top priority for enhancing supply chain cyber resilience.
However, enforcing security standards across a diverse range of third-party suppliers is increasingly difficult.
The WEF’s survey supports this, with 48% of Chief Information Security Officers (CISOs) citing third-party compliance as the main challenge in implementing cyber regulations effectively.
The challenge is compounded by differing baseline security requirements across industries, making it tough to enforce consistent standards throughout complex supply chains.
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, explains: “Risk reduction associated with software supply chains has a level of complexity based on the use of open-source software (OSS) or AI tooling. Treating OSS and AI sources of code the same way... ignores the reality that with OSS, there can be many release origins.”
This highlights the need for robust risk assessment processes that cover all software origins, even those without direct business ties.
Moreover, the trend towards relying on a handful of critical providers introduces potential single points of failure.
A breach at one of these providers could have cascading effects, disrupting operations on a global scale. This risk was evident when a faulty update from CrowdStrike’s cloud-based security software triggered a worldwide IT outage.
While cloud services enhance security capabilities, they also create concentrated risks that organisations must proactively manage.
George Kurtz, CEO of CrowdStrike, highlights the importance of industry collaboration: “By enforcing standards, leveraging threat intelligence and equipping organisations of all sizes with more effective cybersecurity solutions, we can close gaps and fortify the ecosystem.”
Navigating regulation
Governments worldwide are responding to rising cyber threats with stricter regulations.
The EU’s NIS2 Directive sets higher cybersecurity standards, demanding improved incident reporting, stronger supply chain oversight and greater accountability at board level.
In the US, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates rapid disclosure of cyber incidents. Countries across the Asia-Pacific region, including Japan and Singapore, are also tightening their cyber laws, particularly for critical infrastructure operators.
Despite these regulatory efforts, navigating the complex landscape of overlapping requirements remains a challenge.
More than 69% of organisations in the WEF’s survey report difficulties with regulatory compliance, especially when verifying third-party adherence and managing diverse enforcement timelines. This “regulatory jigsaw puzzle” risks overwhelming businesses, potentially undermining the effectiveness of cybersecurity measures.
Despina Spanou, Cybersecurity Coordinator for the European Commission, emphasises the importance of international cooperation: “Solidarity among like-minded partners in cybersecurity is needed more than ever.”
To thrive in this environment, organisations must look beyond mere compliance. They need holistic risk management strategies that align cybersecurity with broader business objectives and foster cross-border collaboration.
Building true resilience requires proactive investment in security, clear accountability for software development practices and the agility to adapt to emerging threats.
As Meredith Whittaker, President of Signal, warns: “The LLMs currently in use are constitutively insecure... Integrating these models into critical infrastructure before such attack vectors are remedied is dangerous and needs to be re-evaluated.”
The message is clear: cybersecurity resilience isn’t just about defending against direct attacks.
It’s about understanding the hidden risks within supply chains, adapting to regulatory shifts and fostering a culture of collaboration to secure the digital ecosystem.
Procurement Magazine is a BizClik brand.

