61% suffered supply chain breaches in the past year, with almost a third suffering operational disruption and financial loss as a result
61% suffered supply chain breaches in the past year, with almost a third suffering operational disruption and financial loss as a result
LONDON, U.K. – 28 October 2025: Sixty per cent of surveyed U.K. and US cybersecurity leaders now admit that security risks originating from third parties and supply chain partners are “innumerable and unmanageable.” This is according to the latest The State of Information Security Report from IO (formerly ISMS.online), which reveals a growing disparity between cybersecurity confidence and reality.
A surprising 97 per cent of cybersecurity leaders said they were confident in their breach response, with 61 per cent describing themselves as “very confident.” Yet, that confidence contrasts drastically with 61 per cent of leaders who noted their organisation had suffered a third-party or supply chain attack in the past 12 months. This further exemplifies the widening “confidence gap”, as business leaders back their resilience while supply chain compromises continue to cause widespread damage.
Recent high-profile incidents, such as the Jaguar Land Rover attack, which disrupted production across multiple manufacturing plants, and the Collins Aerospace attack on its MUSE software which grounded several European airports to a halt, highlight how supply chain compromises can quickly cascade far beyond their initial target.
Among those who suffered a third-party or supply chain attack, 38 per cent resulted in customer, employee or partner data breaches, 35 per cent suffered financial losses or unplanned costs (e.g. remediation, fines, legal fees), and 33 per cent faced temporary system outage or operational disruption. More than a third (36 per cent) of organisations that suffered a customer data breach said they had experienced customer or partner churn or loss of trust as a result, while 28 per cent faced heightened scrutiny from partners or suppliers.
“Cybersecurity leaders clearly recognise the importance of supply chain security, but many still underestimate how complex and interdependent modern supply networks have become,” said Chris Newton-Smith, CEO of IO. “This confidence needs to be matched by continuous action to avoid the domino effect across networks, impacting customer trust, finances, and operations.”
Despite the growing risk, only 23 per cent of all respondents ranked supply chain compromise among their top emerging threats, placing it below AI misuse, misinformation, and phishing. This suggests that while investment is rising, supply chain risk is still underestimated relative to its potential impact.
While this year’s report focuses on the broader supply chain, it still underscores the disproportionate vulnerability of small and mid-sized businesses. Of those cybersecurity leaders within SMEs with up to 49 employees, 28 per cent reported supply chain disruption or cascading partner issues following a customer data breach, compared with 21 per cent of large enterprises. This suggests smaller firms are less able to contain the fallout of third-party incidents, often due to limited resources, smaller security teams, and fewer formal risk processes.
“Attackers increasingly see smaller suppliers as soft entry points into larger targets,” added Newton-Smith. “They may not be the ultimate prize, but they’re often the route into the larger organisations. Securing the entire supply chain is essential for national and commercial resilience.”
However, the research does demonstrate that investment in third-party and supply chain security is growing, as 64 per cent of organisations plan to increase spending in this area over the next year. This number drops to 45 per cent among smaller SMEs, who say budgets and investment will remain the same. Smaller firms are generally less likely to have a clear and well-communicated information security strategy, to invest in awareness training, or to strengthen crisis management and incident response capabilities, all key components of an effective resilience plan.
Encouragingly, 80 per cent of organisations have already strengthened third-party and vendor risk management practices in the last 12 months or longer than 12 months, with a further 17 per cent planning to do so in the next 12 months. Meanwhile, 21 per cent of leaders list strengthening vendor and third-party risk management among their top cybersecurity priorities for the next 12 months, reflecting a clear shift toward long-term resilience planning.
“Supply chain resilience is now one of the top security priorities for the year ahead, but this needs to be embedded within the organisation. To close the confidence gap, leaders must focus on people and process, putting strategies in place to ensure compliance and build a culture of security and resilience across the chain to avoid any weak links”, Newton-Smith added.
-Ends-
About IO
At IO, we believe compliance should fuel progress, not hold it back.
That's why we've built a modern compliance platform designed to help organisations simplify, strengthen, and scale their information security, privacy, risk and AI governance. Supporting over 100 global standards, including ISO 27001, ISO 27701, ISO 42001, SOC 2, and GDPR, IO gives teams everything they need to stay secure, aligned, and audit-ready in one place.
Our approach is built around people, process, and platform, because lasting compliance isn't achieved through automation alone. With structured workflows, guided support, and smart integrations that fit how your business already works, IO makes it easier to embed compliance into everyday operations.
From first-time certifications to mature multi-framework global programmes, IO helps reduce duplicated work, surface the right insights, and build confidence across your organisation. It's compliance that fits and scales with you.
Trusted by thousands of businesses worldwide, IO is here to turn compliance from a box-ticking chore into a strategic advantage.
Research methodology
The research was conducted by Censuswide, among a sample of 3001 Cybersecurity and Information security Managers+ (18+) in the UK and USA. The data was collected between 23.07.2025 - 07.08.2025. A separate study was conducted among a sample of 1020 respondents who work in information security across the UK and USA between 22.03.2024 - 02.04.2024. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council.
A data breach is an incident where unauthorized individuals gain access to sensitive, protected, or confidential data, potentially leading to identity theft or financial loss.
Risk management is the process of identifying, assessing, and controlling threats to an organization's capital and earnings, including financial, operational, and reputational risks.
Supply chain security involves protecting the integrity and safety of the supply chain from threats such as cyberattacks, fraud, and physical damage.
Operational disruption refers to interruptions in business operations that can lead to financial losses, reduced productivity, and damage to reputation.
Financial loss occurs when an organization experiences a decrease in its financial assets, often due to events like fraud, data breaches, or operational failures.
Explore more articles in the Technology category
