Seven in Ten Companies Say Supply Chain Cyber Risk Is a Major Worry

Seven in ten cybersecurity professionals say their organization is highly concerned about supply chain cyber risk, according to a new global survey by ISC2. The findings show that most companies still struggle to see what is happening across their third-party vendors and partners, and that lack of visibility is now one of the top worries across the digital supply chain.

In the survey of 1,062 cybersecurity professionals, 70% said their organization is highly concerned about supply chain cybersecurity risk, with concern rising to 82% in enterprise companies and 81% in the military and military contractor sectors. Healthcare is also feeling pressure, with 67% reporting high levels of concern.

The top issue across all sectors is visibility. Many respondents said they don’t know enough about their vendors’ cybersecurity practices, or about those of their vendors’ vendors. As one survey participant put it, the challenge is “trust but can’t verify.”

The survey found that 28% of organizations experienced a cybersecurity incident involving a third-party vendor or supplier in the past 2 years. That number jumps to 34% among enterprise companies and 37% in financial services.

Not all incidents affected customers directly; 47% said supplier incidents caused no major impact, but many were close enough to raise concerns.

What worries companies most

  • Data breaches (64%)
  • Malware or ransomware (52%)
  • Software vulnerabilities in supplier products (51%)
  • Unauthorized access using third-party credentials (37%)

Respondents also pointed to insider threats from vendors and the growing impact of AI tools if supplier controls are weak.

How companies are responding

Most organizations conduct risk assessments at least once a year, and 77% now require vendors to meet standards such as ISO 27001, NIST, SOC 2, or similar. Others are adding stricter onboarding rules, security audits, MFA requirements, and incident notification procedures.

Still, 10% of organizations have no formal supply chain risk program in place, with some saying they are only now starting to build one.

The survey makes one point clear: visibility is now a supply chain priority, not just an IT task. As ISC2 notes, “you can’t protect what you can’t see.”