Businesses overestimate supply chain cyber defence readiness, study finds
A new report indicates that businesses are overestimating their preparedness and visibility when it comes to supply chain cyber security threats.
The State of Supply Chain Security report, compiled by NCC Group, surveyed 1,010 cyber security decision makers across eight markets including the UK, Australia, Germany, the Netherlands, Singapore, Spain, the Philippines, and the US. The research has underscored a disconnect between perceived and actual risk among organisations and raised questions about complacency in supply chain oversight amid an uptick in high-profile cyber incidents.
Confidence and oversight
The report found that 94 per cent of businesses are confident in their ability to respond to a supply chain attack. This result comes despite recent cyber incidents that have affected significant sectors including retail, automotive manufacturing, and critical infrastructure.
A considerable 92 per cent of organisations stated that they trust their suppliers to adhere to cyber security best practices. At the same time, one-third (34 per cent) admitted they do not regularly monitor suppliers or carry out comprehensive risk assessments. This reliance on trust rather than verification may be leaving companies exposed to potentially serious threats within the supply chain.
Perceptions of impact
The study highlighted that while 68 per cent of respondents expect supply chain attacks to become more severe in the coming year, there remains a notable lack of awareness regarding the consequences of a supplier disruption. According to the survey, 21 per cent of organisations believe that their business would remain unaffected if a key supplier were unable to operate for five days.
Mike Maddison, CEO of NCC Group, said: "Global supply chains are the engine of modern business, so it is critical that their security is a priority for leaders, especially when global ransomware levels are at a record high this year. The outbreak of high-profile supply chain attacks we have seen this year must be taken as a wake-up call. These attacks have real-world consequences, delaying medical procedures, grounding flights, leaving shelves empty and putting the economy and jobs at risk. In the face of such a threat, it is shocking that 92% of respondents trust their suppliers to follow cyber security best practices. Time and time again, threat actors are profiteering from this overconfidence, using straightforward techniques to access virtually unguarded supply chain networks."
UK businesses: confidence and concern
Among UK respondents, 41 per cent reported being confident in how they monitor and assess supplier cyber security practices, the second highest level of confidence after the US (50 per cent). However, the research also found that 67 per cent of UK businesses expressed concern over their level of supplier oversight. This figure surpassed the global average, indicating that despite high levels of confidence, a majority recognise visibility issues in their supply chain.
The report's findings extended across eleven industries and included perspectives from both public and private sectors, as well as all levels of seniority within organisations.
Complacency and risk
Mike Maddison continued: "Although it is encouraging to see cyber security climbing up the boardroom agenda for organisations, overconfidence in supplier visibility, and the ability to react, is leading to complacency that we can no longer ignore. Security is only as strong as the weakest link in a supply chain. Organisations are severely overestimating their operational resilience, with 21% of respondents believing they wouldn't be affected if a key supplier was unable to operate for five days; they are in for a rude awakening. Supply chain attacks threaten not only individual organisations, they are an economic risk at an international level. This report is a clarion call for organisations and governments to wake up to the realities of supply chain vulnerability; we must do more to increase economic resilience by proactively tackling these threats."
Regulation and complexity
Alongside these findings, the report noted recent regulatory efforts to address cyber risk, including the UK's Cyber Security Resilience Bill, the European Union's NIS2 Directive, and the Digital Operational Resilience Act (DORA).
The report indicated that 90 per cent of businesses believe that stronger cyber security standards and policies reduce the likelihood of a supply chain attack. However, the introduction of additional legal requirements may result in increased complexity for global organisations managing diverse supply chains.
Katharina Sommer, Group Head of Government Affairs at NCC Group, added: "Governments don't share the same confidence in supply chain security as shown by business, prompting tighter regulations being introduced to combat these growing threats. Legislation is still catching up with the pace of innovation and the global regulatory landscape is still fragmented. As we move to an even more connected world where supply chains overlap borders and governments, organisations must carefully navigate policies to minimise supply chain vulnerabilities and increase resilience."
As businesses continue to develop supply chain risk mitigation strategies, the debate between confidence and complacency highlighted in the report remains a central consideration for operational resilience and security planning.