Cybersecurity leaders warn supply chain threats now ‘unmanageable’

Sixty per cent of security leaders see supply chain risks as unmanageable. A new IO study reveals that confidence in cybersecurity response far exceeds real-world resilience, as 61 per cent of organisations suffered third-party breaches in the past year, driving financial losses and customer disruption across the board.


Security leaders across the U.K. and U.S. say supply chain risks have grown beyond their control, with 60 per cent now describing third-party threats as “innumerable and unmanageable.” The findings come from IO’s latest State of Information Security Report.

Despite widespread concern, 97 per cent of cybersecurity leaders still express confidence in their organisation’s ability to respond to breaches — 61 per cent “very confident.” Yet that assurance contrasts sharply with the reality that 61 per cent reported experiencing a third-party or supply chain attack in the past 12 months.

Recent incidents underscore the systemic nature of such risks. The cyberattack on Jaguar Land Rover disrupted production across multiple manufacturing plants, while the compromise of Collins Aerospace’s MUSE software halted operations at several European airports. Both demonstrate how digital dependencies can ripple through entire networks.

Among those affected, 38 per cent suffered customer, employee, or partner data breaches. Thirty-five per cent incurred financial losses or unplanned costs such as remediation, fines, and legal fees, and one-third experienced temporary system outages or operational disruption. Over a third of organisations hit by data breaches reported customer or partner attrition, while 28 per cent said supplier scrutiny increased in the aftermath.

“Cybersecurity leaders clearly recognise the importance of supply chain security, but many still underestimate how complex and interdependent modern supply networks have become,” said Chris Newton-Smith, CEO of IO. “This confidence needs to be matched by continuous action to avoid the domino effect across networks, impacting customer trust, finances, and operations.”

Despite the impact, only 23 per cent of respondents listed supply chain compromise among their top emerging threats — ranking it below AI misuse, misinformation, and phishing. The imbalance suggests that many organisations still underestimate the potential reach of supplier-originating attacks.

The report also highlights disproportionate exposure among smaller companies. Twenty-eight per cent of cybersecurity leaders at businesses with up to 49 employees reported cascading partner issues after a customer data breach, compared with 21 per cent of large enterprises. IO’s analysis links this to resource constraints, smaller security teams, and less formalised risk processes.

“Attackers increasingly see smaller suppliers as soft entry points into larger targets,” Newton-Smith added. “They may not be the ultimate prize, but they’re often the route into the larger organisations. Securing the entire supply chain is essential for national and commercial resilience.”

Investment in third-party and vendor risk management is rising, with 64 per cent of organisations planning to increase spending in the next year. Among small and mid-sized enterprises, that figure falls to 45 per cent, with many expecting no budget change.

Encouragingly, 80 per cent of businesses have already strengthened vendor risk practices in the past year, and another 17 per cent intend to do so within the next 12 months. IO’s report suggests a growing recognition that resilience must extend beyond technology to include people, processes, and culture.

“Supply chain resilience is now one of the top security priorities for the year ahead,” Newton-Smith said. “To close the confidence gap, leaders must focus on people and process, putting strategies in place to ensure compliance and build a culture of security and resilience across the chain.”


