
Confidence and reality

by Mark Rowe

A survey of UK and US cyber people by the compliance platform IO (formerly ISMS.online) suggests a growing disparity between cybersecurity confidence and reality, according to the firm.

Nearly all (97 per cent) of cybersecurity leaders said they were confident in their breach response, and most (61 per cent) described themselves as “very confident.” Yet most (61 per cent) of leaders noted their organisation had suffered a third-party or supply chain attack in the past 12 months. The company points to recent high-profile incidents, such as the Jaguar Land Rover attack, which disrupted production across factories, and the attack on Collins Aerospace's MUSE software, which brought several European airports to a halt.

Breaches

Among those surveyed who suffered a third-party or supply chain attack, 38 per cent reported customer, employee or partner data breaches as a result, 35 per cent suffered financial losses or unplanned costs (such as remediation, fines, legal fees), and 33 per cent faced temporary system outage or operational disruption. More than a third (36 per cent) of those that suffered a customer data breach said they had experienced customer or partner churn or loss of trust as a result, while 28 per cent faced heightened scrutiny from partners or suppliers.

Supply chain

Chris Newton-Smith, CEO of IO, said: “Cybersecurity leaders clearly recognise the importance of supply chain security, but many still underestimate how complex and interdependent modern supply networks have become. This confidence needs to be matched by continuous action to avoid the domino effect across networks, impacting customer trust, finances, and operations.”

Barely a quarter (23 per cent) of all respondents ranked supply chain compromise among their top emerging threats, placing it below AI misuse, misinformation, and phishing. While the report focuses on the broader supply chain, it still underscores the disproportionate vulnerability of small and mid-sized businesses, according to the firm. Of those cyber people surveyed within SMEs with up to 49 employees, 28 per cent reported supply chain disruption or cascading partner issues following a customer data breach, compared with 21 per cent of large enterprises.

“Attackers increasingly see smaller suppliers as soft entry points into larger targets,” added Newton-Smith. “They may not be the ultimate prize, but they’re often the route into the larger organisations. Securing the entire supply chain is essential for national and commercial resilience.”

Budgets

Investment in third-party and supply chain security is growing, as 64 per cent of organisations plan to increase spending in this area over the next year. This drops to 45 per cent among smaller SMEs, who say budgets and investment will remain the same. Most (80 per cent) of organisations have already strengthened third-party and vendor risk management practices, either in the last 12 months or more than 12 months ago, with a further 17 per cent planning to do so in the next 12 months. Meanwhile, 21 per cent of leaders list strengthening vendor and third-party risk management among their top cybersecurity priorities for the next 12 months, reflecting a clear shift toward long-term resilience planning.

Newton-Smith added: “Supply chain resilience is now one of the top security priorities for the year ahead, but this needs to be embedded within the organisation. To close the confidence gap, leaders must focus on people and process, putting strategies in place to ensure compliance and build a culture of security and resilience across the chain to avoid any weak links.”
