Third-party breaches double, creating ripple effects across industries

Supply chain risks remain top-of-mind for the vast majority of CISOs and cybersecurity leaders, according to SecurityScorecard. Their findings reveal that the way most organizations manage supply chain cyber risk isn’t keeping pace with expanding threats.

The expanding web of vendors increases supply chain cyber risks

Third-party involvement in breaches has doubled, rising from 15% to nearly 30%, according to the 2025 Verizon DBIR. A small group of third-party providers supports much of the world’s technology and infrastructure, creating an extreme concentration of risk. When even one of these providers is compromised, the ripple effects can disrupt thousands of organizations simultaneously.

Attackers understand this leverage, making the supply chain an increasingly attractive entry point. Each vendor relationship expands the potential attack surface. The asymmetry is stark: defenders must secure every connection across their third- and nth-party networks, while attackers need only exploit a single vulnerability to gain access.

Despite obvious risks, most companies are not closely monitoring the deeper layers of their supply chain for cybersecurity threats. As a result, many organizations have little visibility or control over the very systems that keep their businesses running. This lack of protection is especially concerning as third-party breaches continue to rise.

At the very least, you would expect your third- and nth-party vendors to match your company’s security protocols. But that’s simply not the case. 62% of organizations say that less than half of the vendors in their supply chain ecosystem meet their company’s cybersecurity requirements.

“Supply chain cyberattacks are no longer isolated incidents; they’re a daily reality. Yet breaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action. This outdated approach fails to operationalize the insights it gathers,” said Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard.

Risk-reduction strategies may fall short

Resilience demands a complete supply chain cybersecurity approach that covers four areas: assessing third-party risks, continuous monitoring, threat mitigation, and incident response.

While some organizations already include incident response in their strategies, most lag behind. Few invest in preventive measures like formal vendor onboarding, simulations, or dedicated vendor-response plans with escalation paths. Too many still rely on one-off self-assessment questionnaires that offer only biased snapshots. Although most companies have basic risk management programs, the real challenge is enabling true, real-time incident response.

Data overload and threat prioritization

Most organizations say their security operations center (SOC) plays a key role in third-party risk management (TPRM), either leading it or sharing responsibility with risk teams. However, SOC teams are overwhelmed: many report high stress, increased workloads, and understaffing.

When collaboration between SOC and TPRM teams breaks down, problems arise. SOC teams face data overload, making it hard to prioritize threats, and struggle with limited vendor engagement. Vendors often don’t respond to assessments, leaving SOC teams without the visibility they need to evaluate third-party risks.

“What’s needed is a shift to active defense: supply chain incident response capabilities that close the gap between third-party risk teams and security operations centers, turning continuous monitoring and threat intelligence into real-time action. Static checks won’t stop dynamic threats; only integrated detection and response will,” Sherstobitoff concluded.
