Overconfidence in Cybersecurity Strategy is Risky

Posted by: Tom Morrison Community

Nearly half (45%) of companies experienced a cybersecurity breach in the last year, according to a survey from NCC Group.

Businesses are overestimating both their ability to respond to supply chain cyber-attacks and their visibility into their suppliers, according to new NCC Group research, The State of Supply Chain Security.

The report reveals that the vast majority (94%) of businesses are confident in their ability to respond to a supply chain attack, even though nearly half (45%) experienced a cybersecurity breach in the last year.

Half (49%) of the organizations that suffered a breach said the attack suspended operations.

“Global supply chains are the engine of modern business, so it is critical that their security is a priority for leaders, especially when global ransomware levels are at a record high this year,” said Mike Maddison, CEO of NCC Group, in a statement.

“The outbreak of high-profile supply chain attacks we have seen this year must be taken as a wake-up call. These attacks have real-world consequences, delaying medical procedures, grounding flights, leaving shelves empty and putting the economy and jobs at risk. In the face of such a threat, it is shocking that 92% of respondents trust their suppliers to follow cybersecurity best practices. Time and time again, threat actors are profiteering from this overconfidence, using straightforward techniques to access virtually unguarded supply chain networks.”

Misplaced Trust?

The report, based on a survey of 1,010 cybersecurity decision-makers worldwide about the current state of supply chain security, found that 92% of organizations trust that their suppliers follow cybersecurity best practices.

However, that trust may be leaving businesses and their supply chains exposed: a third (34%) of respondents do not regularly monitor suppliers or conduct risk assessments, and only 34% claim to have full and detailed insight into their supply chain’s cybersecurity.

Businesses do understand that the threat is growing, with 68% expecting attacks to become more severe in the next 12 months, yet the data suggests limited awareness of the impact a supplier attack could have on day-to-day business operations.

Surprisingly, a fifth (21%) of the organizations surveyed believe they would not be affected if a key supplier were unable to operate for five days.

“Although it is encouraging to see cybersecurity climbing up the boardroom agenda for organizations, overconfidence in supplier visibility and the ability to react is leading to complacency that we can no longer ignore,” said Maddison.

“Security is only as strong as the weakest link in a supply chain. Organizations are severely overestimating their operational resilience, with 21% of respondents believing they wouldn’t be affected if a key supplier were unable to operate for five days - they are in for a rude awakening.

“Supply chain attacks threaten not only individual organizations, they are an economic risk at an international level. This report is a clarion call for organizations and governments to wake up to the realities of supply chain vulnerability. We must do more to increase economic resilience by proactively tackling these threats.”

Among other findings:

  • Artificial intelligence is the #1 factor organizations expect to increase supply chain security risk over the next 12 months: 59% agree.
  • 45% of suppliers say the cost of cybersecurity measures is their greatest pain point regarding cybersecurity and compliance.
  • Only 36% of organizations say they have visibility over how their supply chain stores and protects business-critical data relating to their organization.
  • 59% are concerned about the level of visibility they have over their supply chain.

The findings come as more stringent cybersecurity regulation has been introduced globally to boost resilience. This includes the UK’s Cyber Security and Resilience Bill, as well as the EU’s NIS2 Directive and the Digital Operational Resilience Act (DORA).

Businesses welcome increased regulation, with 90% confident that cybersecurity standards and policies reduce the risk of supply chain attacks. Yet the introduction of more legal frameworks could also make managing supply chains more complex for global businesses.

“Governments don’t share the same confidence in supply chain security as shown by business, prompting tighter regulations being introduced to combat these growing threats. Legislation is still catching up with the pace of innovation and the global regulatory landscape is still fragmented,” said Katharina Sommer, group head of Government Affairs at NCC Group, in a statement.

“As we move to an even more connected world where supply chains overlap borders and governments, organizations must carefully navigate policies to minimize supply chain vulnerabilities and increase resilience.”

Written by: Adrienne Selko, Senior Editor, for MH&L.