WEF: Supply Chains at Heart of Cybersecurity Threats

In its latest 2025 Outlook, the WEF advises on the interconnectedness of cybersecurity and supply chains
As risks evolve, organisations must strengthen resilience through collaboration and vigilance, the World Economic Forum advises in its latest 2025 Outlook

Cybersecurity is becoming more complex than ever as geopolitical tensions rise and technologies rapidly evolve.

Cyber threats are becoming more sophisticated, and with growing regulatory demands, fragile supply chain networks and a widening cyber skills gap, it's clear organisations face unprecedented challenges in staying secure.

Now, according to the World Economic Forum’s latest report with Accenture, 'Global Cybersecurity Outlook 2025,' 54% of large organisations identify supply chain challenges as the biggest barrier to achieving cyber resilience.


The increasing complexity of supply chains, along with limited visibility into suppliers' security measures, has made supply chains the leading cybersecurity risk. The risks extend beyond direct partners to third-party software vulnerabilities and the potential for cyberattacks to spread throughout entire ecosystems.

The global IT outage in 2024, the largest in history, exposed the vulnerabilities tied to reliance on a small number of critical providers.

Airlines, banks, healthcare systems, retailers and ATMs worldwide were affected, leading to an estimated US$5bn in losses. The incident highlighted the systemic risks of supply chain dependencies.

Cyber threats continue to escalate, with 72% of respondents to the Global Cybersecurity Outlook survey reporting an increase in cyber risks. The rise in ransomware, AI-enhanced attacks such as phishing and deepfakes, and the growth of supply chain breaches signal a shift in the cybersecurity landscape.

Amin Nasser, President and CEO of Aramco, puts it plainly: "As digitalisation advances, cyber threats are becoming increasingly complex, particularly as interdependencies across third-party supply chains and broader ecosystems grow.


"Cyber attackers need only succeed once to cause significant harm, while our collective defences... must be robust and cohesive at all times."

Third-party risks and the challenge of oversight

One of the most significant cybersecurity hurdles organisations face is the lack of visibility across their supply chains.

A focus group at the 2024 Annual Meeting on Cybersecurity revealed that 41% of participants consider improving third-party dependency visibility as the top priority for enhancing supply chain cyber resilience.

However, enforcing security standards on third-party suppliers is increasingly difficult. The survey supports this, with 48% of Chief Information Security Officers (CISOs) citing third-party compliance as the main challenge in implementing cyber regulations effectively.

Differing baseline security requirements across industries complicate matters further, making it tough to enforce consistent standards throughout the supply chain.

Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, explains: "Risk reduction associated with software supply chains has a level of complexity based on the use of open-source software (OSS) or AI tooling.


"Treating OSS and AI sources of code the same way... ignores the reality that with OSS, there can be many release origins."

His point underscores the need for robust risk assessment processes that cover all software origins, even those without direct business ties.

Moreover, organisations increasingly rely on a handful of critical providers, turning them into potential single points of failure.

A breach at one of these providers could ripple across industries, disrupting operations on a global scale.

This risk was evident when a faulty update from CrowdStrike’s cloud-based security software triggered a worldwide IT outage. While cloud providers enhance security capabilities, they also introduce concentrated risks that organisations must manage proactively.

George Kurtz, CEO of CrowdStrike, stresses the importance of collaboration: "By enforcing standards, leveraging threat intelligence and equipping organisations of all sizes with more effective cybersecurity solutions, we can close gaps and fortify the ecosystem."


Regulation, resilience and the path forward

Governments worldwide are responding to these risks with stricter regulations.

The EU’s NIS2 Directive raises cybersecurity standards, demanding improved incident reporting, stronger supply chain oversight and greater accountability at board level.

In the US, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates rapid disclosure of cyber incidents. Asia-Pacific countries, including Japan and Singapore, are also tightening cyber laws, reinforcing compliance for critical infrastructure operators.

Despite these efforts, regulatory complexity presents challenges. More than 69% of organisations in the Global Cybersecurity Outlook survey report difficulties navigating overlapping regulations, verifying third-party compliance and managing diverse enforcement timelines.

This "regulatory jigsaw puzzle" risks overwhelming businesses, potentially reducing the effectiveness of cybersecurity measures.


Despina Spanou, Cybersecurity Coordinator for the European Commission, highlights the need for international collaboration: "Solidarity among like-minded partners in cybersecurity is needed more than ever." 

To thrive in this landscape, organisations must go beyond compliance. They need holistic risk management strategies, aligning cybersecurity with business objectives and fostering cross-border cooperation.

Building resilience requires proactive investment in security, clear accountability for software development practices and the flexibility to adapt to emerging threats.


As Meredith Whittaker, President of Signal, warns: "The LLMs currently in use are constitutively insecure... Integrating these models into critical infrastructure before such attack vectors are remedied is dangerous and needs to be re-evaluated."

The message is clear: cybersecurity resilience isn’t just about defending against direct attacks.

It’s about understanding the risks hidden within supply chains, adapting to an evolving regulatory environment and fostering a culture of collaboration to secure the digital ecosystem.



Supply Chain Digital is a BizClik brand. 