Many enterprises are at growing risk due to immature supply chain cybersecurity practices and outdated strategies.
The majority (71%) of organizations experienced at least one material third-party cybersecurity incident in the past year, and 5% reported 10 or more such incidents, according to a recent survey of 546 IT directors and CISOs by cybersecurity ratings vendor SecurityScorecard.
Third-party involvement in breaches has doubled in recent years, surging from 15% to nearly 30%, according to supporting data from the 2025 Verizon Data Breach Investigations Report.
Sprawling ecosystem increases supply chain risks
Enterprises depend on vast networks of suppliers, partners, and digital service providers to deliver their products and services. This sprawling ecosystem greatly increases the attack surface that cybercriminals, ransomware peddlers, and nation-state attackers can exploit.
“Attackers rarely go straight through the front door anymore,” says Vasileios Mourtzinos, threat intelligence analyst at cybersecurity consultancy firm Quorum Cyber. “They target the suppliers, SaaS platforms, and service providers we all depend on.”
Recent attacks involving Salesforce, Workday, and Colt Technology show how a “single weak link in the supply chain can cause a ripple effect of damage,” Mourtzinos added.
Greg Sullivan, founding partner at cybersecurity services firm CIOSO Global and former CIO at Carnival, says, “Organizations often enable online access to third parties without applying the same scrutiny they use with their own internal software and applications. This negligence creates blind spots that adversaries often exploit.”
Ariel Parnes, a former Colonel in Israel’s IDF 8200 Cyber Unit and co-founder of incident response vendor Mitiga, agrees that SaaS platforms represent a “third-party dependency and a direct supply chain risk.”
“Recent campaigns against Salesforce customers, and the breach at Farmers Insurance, show how these attacks cascade across industries,” Parnes says. “Now, threat groups like Murky Panda are skipping the front door and exploiting trusted cloud and SaaS relationships instead.”
Parnes adds: “By abusing OAuth, stolen credentials, or over-permissioned integrations, they ‘log in’ rather than break in, bypassing traditional defenses. By compromising these upstream entities, they were able to inherit the trust and permissions that downstream organizations had already granted.”
Software supply chain threats
The software supply chain is heavily reliant on code developed by third-party developers — something only likely to increase with the advent of AI.
Brian Fox, co-founder and CTO of open-source software security vendor Sonatype, says that “enormously complex” software supply chains pose a growing threat.
“Too many organizations have no idea what open-source packages, transitive dependencies, AI models, or community-maintained libraries they rely on — let alone who maintains them or whether they’re secure,” Fox tells CSO. “There’s a persistent and growing trend in software supply chain attacks targeting developers and CI/CD environments.”
Attackers are planting malicious code on public repositories such as npm and PyPI — often disguised as useful packages — as a means to compromise systems, steal data, or provide backdoor access during development or deployment.
“Attackers are refining data exfiltration-focused malware to harvest secrets and credentials, enabling downstream attacks like supply chain breaches or cloud account takeovers,” Fox warns.
Lack of visibility is compounding a growing problem, according to Nick Jones, head of research at cybersecurity consulting firm Reversec.
“Attackers compromise open-source projects supported by underpaid and under-resourced individuals, or startups where security isn’t a priority, in order to insert malicious code into packages used downstream by much higher value targets,” Jones says.
Lessons not taken from the SolarWinds breach
Software supply chain weaknesses were exploited in the high-profile 2020 SolarWinds hack, but five years later the same issue plagues the industry.
Once a software development pipeline itself is compromised, every customer downstream inherits that risk.
The best defense is to get a clear picture of your entire software supply chain — its assets, tools, pathways, and controls — and then work to ensure the proper guardrails are in place, according to Joe Nicastro, field CTO at application security firm Legit Security.
“We still see build pipelines misconfigured, third-party code and packages flowing in without checks, and SBOMs treated as one-off documents instead of living inventories,” Nicastro tells CSO.
Software bills of materials (SBOMs) allow an organization to understand what it’s really running under the hood, down to the individual libraries and packages.
“[SBOMs are] being pushed by numerous industry organizations, including CISA, and are a requirement under the EU Cybersecurity Resilience Act (CRA), but every software vendor has to produce their own SBOMs for their products, and so industrywide [adoption] has been slow so far,” Reversec’s Jones says.
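Treating an SBOM as a living inventory rather than a one-off document means comparing each new build's SBOM against the last one and reviewing what changed. The script below is an added example, not code from the article or from any vendor quoted in it. It reads two minimal CycloneDX-style JSON documents (constructed here; only the `components`, `name`, `version`, `purl`, and `supplier` fields are used, and the package names and supplier are placeholders) and reports components that were added, removed, or changed version, plus components that arrived with no supplier attribution, which is the kind of entry that deserves a second look before it ships.

```python
"""Diff two SBOM snapshots so the SBOM works as a living inventory.

Added example; not the article's or any vendor's code. The SBOMs are
constructed, minimal CycloneDX-style documents with placeholder packages.
"""
import json

# Constructed: SBOM recorded at the previous release.
SBOM_PREVIOUS = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-http", "version": "2.31.0",
         "purl": "pkg:pypi/acme-http@2.31.0", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "acme-tls", "version": "1.0.0",
         "purl": "pkg:pypi/acme-tls@1.0.0", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "acme-legacy", "version": "0.9.0",
         "purl": "pkg:pypi/acme-legacy@0.9.0", "supplier": {"name": "Example Org"}},
    ],
})

# Constructed: SBOM produced by the current build. One dependency was upgraded,
# one was dropped, and one new package appeared without a supplier entry.
SBOM_CURRENT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-http", "version": "2.32.0",
         "purl": "pkg:pypi/acme-http@2.32.0", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "acme-tls", "version": "1.0.0",
         "purl": "pkg:pypi/acme-tls@1.0.0", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "acme-pad", "version": "1.0.0",
         "purl": "pkg:pypi/acme-pad@1.0.0"},
    ],
})


def component_key(component):
    """Identify a component by its purl with the version stripped, else by name."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return component.get("name", "")


def load_components(sbom_json):
    """Parse a CycloneDX JSON document into a mapping of component key -> entry."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {component_key(c): c for c in sbom.get("components", [])}


def diff_sboms(previous_json, current_json):
    """Return added, removed, version-changed, and supplier-less components."""
    prev = load_components(previous_json)
    curr = load_components(current_json)
    added = sorted(set(curr) - set(prev))
    removed = sorted(set(prev) - set(curr))
    changed = sorted(
        (key, prev[key].get("version"), curr[key].get("version"))
        for key in set(prev) & set(curr)
        if prev[key].get("version") != curr[key].get("version")
    )
    # Components with no supplier name are flagged for review, not blocked.
    unattributed = sorted(
        key for key, c in curr.items() if not c.get("supplier", {}).get("name")
    )
    return {"added": added, "removed": removed,
            "changed": changed, "unattributed": unattributed}


def render_report(diff):
    """Format the diff as plain text suitable for a build log or review ticket."""
    lines = []
    for key in diff["added"]:
        lines.append(f"ADDED      {key}")
    for key in diff["removed"]:
        lines.append(f"REMOVED    {key}")
    for key, old, new in diff["changed"]:
        lines.append(f"CHANGED    {key}: {old} -> {new}")
    for key in diff["unattributed"]:
        lines.append(f"NO-SUPPLIER {key}")
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    print(render_report(diff_sboms(SBOM_PREVIOUS, SBOM_CURRENT)))
```

Run it as a step after SBOM generation in the pipeline and fail or page on unexpected `ADDED` and `NO-SUPPLIER` lines; the same diff, taken against the SBOM a vendor supplied with its last release, is a concrete piece of the "evidence of controls" the article says CISOs should be asking for.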
Lack of visibility
Few organizations have comprehensive visibility into their entire supply chain, much less the ability to monitor the cyber hygiene of every supplier and their downstream partners.
SecurityScorecard found that only 21% of those surveyed were able to say at least half of their extended supply chain was covered by cybersecurity programs. Only a quarter (26%) of organizations incorporate incident response into their supply chain cybersecurity programs.
“Breaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action,” says Ryan Sherstobitoff, field chief threat intelligence officer at SecurityScorecard.
Countermeasures
“Vendor diligence must go beyond questionnaires,” says Scott Weinberg, founder and CEO of managed IT services provider Neovera. “Business associate agreements need more diligence. CISOs should require evidence of controls (MFA, logging, EDR), audit rights, and proof of breach notification timelines.”
Legit Security’s Nicastro adds: “To address this issue, organizations must impose clear cybersecurity maturity expectations on all partners, including mandating penetration tests, annual assessments, phishing simulations, tabletops, and resilience exercises.”