SPECIAL FEATURE | Global supply chain cyber risk grows despite higher spending, maturing defenses
The 2025 State of Supply Chain Defense report, based on a survey of security and procurement executives across North America, Europe and Asia-Pacific, found that a majority of organizations were negatively impacted by at least one supply chain breach in the past year.

A vast majority of large organizations worldwide continue to suffer supply chain cyber incidents despite rising budgets and more mature third-party risk management programs, underscoring a widening gap between investment and real-world security outcomes, according to a new global study released in early 2026.
The 2025 State of Supply Chain Defense report, based on a survey of 1,800 senior technology, security and procurement executives across North America, Europe and Asia-Pacific, found that 97% of organizations were negatively impacted by at least one supply chain breach in the past year. The figure marks a sharp increase from 81% in 2024, even as spending on third-party risk management (TPRM) continued to climb and nearly half of surveyed organizations now consider their programs “established” or “optimized.”
Maturity without impact
The report shows that 46% of organizations globally now rate their TPRM programs as established or optimized, reflecting years of sustained investment in tools, monitoring and formal processes. Yet that maturity has not translated into fewer incidents. On average, organizations reported 3.7 supply chain cyber breaches in 2025, with 95% estimating that their TPRM budgets increased over the past 12 months.
Researchers point to internal organizational gaps as a central problem. Only 24% of respondents said senior leadership is briefed on third-party cyber risk on a monthly basis or more frequently, while 60% cited internal resistance, lack of cross-team collaboration or weak executive support as top barriers to program effectiveness.
“Program maturity does not guarantee effectiveness,” the report noted, warning that risk teams often operate in silos without sufficient authority or alignment to drive enterprisewide change.
Compliance over risk reduction
Another recurring theme is the dominance of compliance-driven motivations. Just 16% of organizations identified risk reduction as the primary driver of their supply chain security programs. Instead, cyber insurance requirements, contractual obligations and board mandates were the most commonly cited reasons for building TPRM capabilities.
While compliance is essential, the study argues that a box-checking mindset can create a false sense of security. Despite widespread adherence to regulatory and contractual requirements, nearly all respondents still experienced supplier-related cyber incidents. The report emphasizes that meaningful risk reduction would often achieve compliance outcomes anyway, but the reverse is not necessarily true.
Growing ecosystems, wider attack surfaces
Supply chain complexity is also accelerating the challenge. Ninety-six percent of surveyed organizations expect their third-party vendor ecosystems to grow in the next year, with healthcare projecting the fastest expansion at an average of 11%. As ecosystems scale, the attack surface expands faster than many organizations’ ability to monitor, prioritize and remediate risk.
More than half of respondents said 30% to 50% of their suppliers are considered “critical,” a signal that risk-tiering strategies may be too blunt to be effective. The report cautions that prioritizing vendors solely by contract value or operational importance often fails to account for data access, security posture and the potential for cascading failures.
Regional contrasts, APAC challenges
Regional results highlight stark contrasts. The U.S. and Canada lead globally in program maturity, with 54% of organizations reporting established or optimized TPRM programs, but still recorded a 99% breach impact rate and an average of 3.9 incidents per organization. The U.K., meanwhile, posted the highest average breach rate at 4.1 incidents despite relatively high investment levels.
Asia-Pacific showed the widest internal disparities. Singapore matched North American maturity levels at 60% and reported strong executive engagement, while the Philippines posted just 23% program maturity and saw 100% of organizations impacted by breaches. Across the region, integration with broader enterprise risk and governance, risk and compliance (GRC) systems emerged as the top operational challenge.
Industry differences
By sector, defense organizations stood out as the most mature and strategically aligned, with 60% reporting optimized programs and 30% briefing senior leadership monthly or more. Even so, the sector still averaged 3.5 supply chain breaches, reflecting the sophistication of modern threats. Manufacturing and retail, by contrast, struggled with fragmented toolsets and low integration despite heavy investment in monitoring and assessments.
Healthcare showed signs of improvement, driven by stronger leadership engagement and rising budgets, but also faced one of the highest breach averages at 4.1 incidents, highlighting the pressure created by rapid digitalization and vendor growth.
Integration, collaboration seen as next steps
Despite the challenges, the report points to several positive trends. Forty-five percent of organizations now work directly with suppliers to remediate identified issues, signaling a shift from passive monitoring toward more collaborative risk management. Adoption of continuous monitoring and external risk intelligence is also increasing, particularly as organizations look to automation and AI to maintain visibility at scale.
Still, the study concludes that technology alone will not close the gap. Without stronger executive engagement, tighter integration with enterprise risk frameworks and a clearer focus on reducing actual exposure rather than meeting minimum requirements, even the most sophisticated supply chain security programs are likely to fall short.
“The turning point is no longer whether organizations should invest in supply chain defense,” the report said. “It’s whether they can align people, processes and platforms well enough to make those investments count.”