Take Proactive Steps to Ensure Supply Chain Cybersecurity


The old proverb, “a chain is only as strong as its weakest link,” is especially true of supply chains. Recent research from both academia and leading strategy consulting firms has found that supply chain cybersecurity, once considered a tactical, third-party risk issue, has become a major threat to worldwide economic stability.

According to the World Economic Forum’s Global Cybersecurity Outlook 2025, supply chain challenges now stand as the primary obstacle to cyber resilience for 54% of large organizations, with Boston Consulting Group reporting that 98% of companies experienced damaging cybersecurity breaches within their supply chains.

The evidence from NIST case studies—supported by the analysis of leading consulting firms—confirms that organizations need to transform their current vendor management approach to one of proactive, ecosystem-wide cyber risk orchestration. Rather than viewing cybersecurity as a compliance requirement, organizations have an opportunity to gain competitive advantage through integrated governance frameworks, comprehensive regulatory compliance strategies and strategic partnerships.
 

Cyber supply chain complexity

The World Economic Forum’s 2025 Global Cybersecurity Outlook identifies six compounding factors driving unprecedented complexity in the cyber supply chain landscape:

  • Escalating geopolitical tensions
  • Sophisticated cybercrime evolution
  • Artificial intelligence (AI) and emerging technology risks
  • Regulatory requirement proliferation
  • Supply chain interdependencies
  • Widening cyber skills gap

The same research shows that 72% of respondents report growing cyber risks for their organizations, with supply chain vulnerabilities becoming the main systemic risk factor.

In 2021, the Harvard Business Review published research showing a 400% rise in supply chain attacks from July 2019 to March 2020, a trend that persisted through 2024 (Sridhar et al.). It is most likely driven by increasing supply chain complexity, which in turn limits visibility into the security level of suppliers.
Additionally, the impact of AI has been a double-edged sword. While organizations expect AI to substantially affect cybersecurity in 2025, only 37% of organizations have a process for assessing the security of AI tools before deployment. This paradox highlights the gap between recognizing the risks posed by AI-driven threats and implementing the necessary safeguards. Indeed, 47% of organizations now report that advanced attacks using generative AI technology are their primary security threat.
 

Strategic business necessity

The 2023-2025 CAMS research conducted by MIT Sloan shows that supply chain cybersecurity has transitioned from a technical issue to a strategic business necessity that demands board-level involvement.

With supply chain attacks becoming more complex and forecast to triple by 2025, organizations need to implement proactive, collaborative strategies that handle both their technological and organizational challenges.

Research indicates that existing supply chain security methods are no longer effective against modern threats. A successful approach must integrate AI-powered monitoring technology with collaborative ecosystem methods that account for the capabilities and limitations of organizations of different sizes and types.

Also, the World Economic Forum reports that geopolitical tensions have influenced the cybersecurity strategy of around 60% of organizations. Cyber espionage, the loss of sensitive information and the theft of intellectual property together rank as the number one concern for one in three CEOs, while disruption of operations and business processes is a concern for 45% of cyber leaders.
 

Taking action

Although establishing cyber-resilience within the supply chain remains a major challenge for the Board of Directors, and ultimately the CISO, proactive action can be taken from governance and technology standpoints.
NIST identifies three essential organizational integration models for advanced cyber supply chain risk management (Boyens, 2020):

  1. Centralized team model. A dedicated team performs risk management across all supply categories, and functions as an internal audit team that collaborates with information security, information technology (IT), legal and compliance teams. This unified practice simplifies supplier management and enables quick response to supply chain events without executive escalation.
  2. Blended approach model. The organization has a centralized team that provides guidance and oversight, while business units are responsible for supplier relationships. This approach distributes responsibilities between centralized functions and business units, while maintaining consistent security and risk approaches through risk management councils.
  3. Standards-oriented integration. NIST research shows that mature organizations have defined roles that connect functions and link to corporate enterprise risk management (ERM). Academic research shows that this approach enables organizations to deliver products and services efficiently and effectively while properly managing C-SCRM risks.

From a technology perspective, assuming the organization already maintains a sound asset inventory of everything that operates on its supply chain, an up-to-date view of its cybersecurity risk posture is fundamental. Instead of relying on periodic reports and certification audits, organizations now invest in tools that allow continuous data collection, anomaly detection and automated alerting along the supply chain.

Furthermore, zero-trust architecture is a necessary complement to continuous detection: access is restricted to only those resources each user or third-party integration needs, and only for as long as is strictly needed. Continuous validation of every request, together with network segmentation, prevents suppliers and automated integrations from exceeding their permissions and becoming a path for lateral movement if they are compromised, even when they have been active for a long time.
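To make the zero-trust point concrete, the following Python is an added illustration written for this article; it is not code from the article, from NIST or from any Fortinet product. It models a least-privilege grant for one supplier integration (the grant fields, principal name, segment names and request records are constructed assumptions) and shows that every request is re-evaluated against the grant's resources, actions, network segment and validity window, with a denial producing an alert line for the monitoring pipeline.

```python
"""Added example: continuous validation of a supplier integration's access.

Illustrative code for this article, not a Fortinet or NIST implementation.
Grant format, identities, segments and the request log are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Grant:
    """A least-privilege, time-bounded grant for one supplier identity."""
    principal: str              # supplier service identity (assumed naming)
    resources: FrozenSet[str]   # exact resources covered, nothing implicit
    actions: FrozenSet[str]     # e.g. {"read"}; write is never implied
    segment: str                # the only network segment the caller may use
    not_before: datetime
    not_after: datetime         # grants expire; long-lived suppliers re-request


@dataclass(frozen=True)
class Request:
    principal: str
    resource: str
    action: str
    segment: str
    at: datetime


def evaluate(grant: Grant, req: Request) -> Tuple[bool, str]:
    """Every request is checked, regardless of how long the supplier has been
    integrated; the order of checks returns the most specific denial reason."""
    if req.principal != grant.principal:
        return False, "principal not covered by grant"
    if not (grant.not_before <= req.at < grant.not_after):
        return False, "request outside grant validity window"
    if req.segment != grant.segment:
        return False, f"segment {req.segment!r} not permitted"
    if req.resource not in grant.resources:
        return False, f"resource {req.resource!r} not in grant"
    if req.action not in grant.actions:
        return False, f"action {req.action!r} not in grant"
    return True, "allowed"


def process(grant: Grant, requests: List[Request]) -> Tuple[List[bool], List[str]]:
    """Returns per-request decisions plus one alert line per denial, so a
    compromised integration probing beyond its permissions becomes visible."""
    decisions, alerts = [], []
    for req in requests:
        ok, reason = evaluate(grant, req)
        decisions.append(ok)
        if not ok:
            alerts.append(f"{req.at.isoformat()} DENY {req.principal} {req.action} "
                          f"{req.resource} via {req.segment}: {reason}")
    return decisions, alerts


def demo() -> Tuple[List[bool], List[str]]:
    """Constructed sample: one legitimate call followed by four attempts that
    a compromised supplier integration might make."""
    start = datetime(2025, 3, 1, tzinfo=timezone.utc)
    grant = Grant(
        principal="vendor-acme/erp-sync",
        resources=frozenset({"inventory/sku-feed"}),
        actions=frozenset({"read"}),
        segment="dmz-partner",
        not_before=start,
        not_after=start + timedelta(days=7),
    )
    p = "vendor-acme/erp-sync"
    requests = [
        Request(p, "inventory/sku-feed", "read", "dmz-partner", start + timedelta(minutes=5)),
        Request(p, "inventory/sku-feed", "write", "dmz-partner", start + timedelta(minutes=6)),
        Request(p, "hr/payroll-export", "read", "dmz-partner", start + timedelta(minutes=7)),
        Request(p, "inventory/sku-feed", "read", "corp-lan", start + timedelta(minutes=8)),
        Request(p, "inventory/sku-feed", "read", "dmz-partner", start + timedelta(days=10)),
    ]
    return process(grant, requests)


if __name__ == "__main__":
    decisions, alerts = demo()
    print(decisions)
    for line in alerts:
        print(line)
```

The write attempt, the reach into an unrelated resource, the call from the wrong segment and the call after expiry are each denied independently; none of them would be stopped by a model that trusts the supplier once onboarded.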
 

Final thoughts

Data needs to be secured while in motion, at rest and in use within the supply chain. Factors such as system obsolescence and complexity make post-quantum security a real innovation challenge. Since the widely used public-key cryptographic algorithms (e.g., RSA, ECC) that protect today’s supply chain data and communications may, in the future, be broken by quantum computers, agencies such as CISA, NSA and NIST urge organizations to start developing quantum-readiness roadmaps immediately.

There is also the “harvest now, decrypt later” (HNDL) risk, whereby attackers capture encrypted data today with the intention of decrypting it once quantum computers are powerful enough. Supply chains therefore need to implement post-quantum security through early detection of quantum-vulnerable cryptography in their own and their suppliers’ systems, collaboration with vendors, and a step-by-step transition to quantum-resistant cryptographic algorithms. Consequently, the requirement to protect sensitive supply chain operations and their data is immediate. Organizations that proactively plan post-quantum cryptography (PQC) roadmaps together with their supply chain partners will be better positioned to maintain trust, compliance and resilience as quantum computing becomes practical.
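One way to turn the HNDL reasoning above into a prioritized roadmap is a crypto-inventory triage using Mosca's inequality: an asset is exposed when the years its data must stay confidential (X) plus the years needed to migrate with the supplier (Y) exceed the planning horizon for a cryptographically relevant quantum computer (Z). The following Python is an added example written for this article, not a CISA, NSA or NIST tool; the ten-year horizon, the asset names, owners and year estimates are constructed assumptions, and the replacement families named are the NIST standards ML-KEM (FIPS 203) for key establishment and ML-DSA (FIPS 204) for signatures.

```python
"""Added example: quantum-readiness triage of a supply chain crypto inventory.

Illustrative code for this article, not an agency or vendor tool. Applies
Mosca's inequality (exposed when X + Y > Z) to a constructed inventory.
The horizon Z and all per-asset estimates are planning assumptions.
"""
from dataclasses import dataclass
from typing import List

CRQC_HORIZON_YEARS = 10  # Z: assumed years until a CRQC; a planning input, not a forecast

# Quantum-vulnerable public-key uses and their NIST replacement families.
KEY_ESTABLISHMENT = {"RSA-KEX": "ML-KEM (FIPS 203)", "ECDH": "ML-KEM (FIPS 203)"}
SIGNATURE = {"RSA-SIG": "ML-DSA (FIPS 204)", "ECDSA": "ML-DSA (FIPS 204)"}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                 # internal team or supplier responsible
    algorithm: str
    shelf_life_years: float    # X: years the protected data must stay secret
    migration_years: float     # Y: years to migrate, including supplier work


@dataclass(frozen=True)
class Finding:
    asset: str
    owner: str
    algorithm: str
    slack_years: float         # Z - (X + Y); negative means exposed
    exposed: bool
    recommendation: str


def triage(asset: Asset, horizon: float = CRQC_HORIZON_YEARS) -> Finding:
    if asset.algorithm in KEY_ESTABLISHMENT:
        # HNDL: ciphertext captured today becomes readable at Z, so the data
        # must have lost its value (X) or be re-protected (Y) before then.
        slack = horizon - (asset.shelf_life_years + asset.migration_years)
        rec = f"migrate to {KEY_ESTABLISHMENT[asset.algorithm]}; hybrid key exchange as interim"
    elif asset.algorithm in SIGNATURE:
        # Already-issued signatures cannot be forged retroactively, but new
        # forgeries become possible at Z, so migration must finish before it.
        slack = horizon - asset.migration_years
        rec = f"migrate to {SIGNATURE[asset.algorithm]} before the horizon"
    else:
        # Symmetric and hash primitives: Grover only halves effective strength,
        # so 256-bit keys remain adequate.
        slack = float("inf")
        rec = "no public-key dependency; keep symmetric keys at 256 bits"
    return Finding(asset.name, asset.owner, asset.algorithm, slack, slack < 0, rec)


def plan(assets: List[Asset], horizon: float = CRQC_HORIZON_YEARS) -> List[Finding]:
    """Most urgent first: least slack at the top, exposed items before the rest."""
    return sorted((triage(a, horizon) for a in assets), key=lambda f: f.slack_years)


def demo() -> List[Finding]:
    inventory = [  # constructed sample inventory (names and estimates assumed)
        Asset("supplier-portal TLS", "vendor-acme", "ECDH", 2, 1),
        Asset("design-files archive", "engineering", "RSA-KEX", 15, 3),
        Asset("firmware signing", "vendor-boardco", "ECDSA", 12, 4),
        Asset("backup encryption", "it-ops", "AES-256", 20, 0),
    ]
    return plan(inventory)


if __name__ == "__main__":
    for f in demo():
        flag = "EXPOSED" if f.exposed else "ok"
        print(f"{flag:8} slack={f.slack_years:>5} {f.asset} ({f.owner}, {f.algorithm}): {f.recommendation}")
```

The archive of long-lived design files is the only exposed item even though its migration is short, because the data must stay secret well past the horizon; rerunning plan() with a shorter horizon shows how quickly the signing and TLS items move into the exposed set, which is the conversation to have with each supplier.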

Organizations should not wait for complete regulatory guidance before acting; they should focus on their real risk posture and on how the continuously evolving threat landscape changes it.

About The Author


Daniele Mancini is a field CISO at Fortinet. As an advisor, he assists enterprises and C-suite executives in realigning their security posture with the digital agenda. Working on technology, security transformation strategy, security governance and risk management for more than 25 years, Mancini leverages Fortinet’s capabilities to provide security sustainability while enabling digital business transformation in generating the company’s competitive advantages. Mancini has had various roles, both as an advisor and security leader. Before joining Fortinet, he served the last 12 years as CISO and head of security for companies in the sector of FMCG, engineering and automotive.

