The Supply Chain — The Hidden Cyber Attack Surface

CYRIN Newsletter


Many organizations continue to underestimate how entrenched cyber vulnerabilities remain within their supply chain organizations. As noted recently by SupplyChain247, in an “increasingly digitized, and deeply interconnected world,” cybersecurity concerns have already extended beyond traditional IT risk boundaries and limits. “From third-party vendor access and warehouse automation” to software dependencies, hidden gaps in cybersecurity can increasingly translate into operational disruption, financial loss, and reputational damage.

Modern supply chains have evolved into complex, multi-tiered ecosystems spanning suppliers, subcontractors, logistics providers, cloud platforms, and software vendors. While this has made systems more efficient, it also dramatically expands the attack surface. Many organizations struggle or have struggled historically to map their extended supply networks beyond direct vendors. According to SupplyChain247, industry data reveals that “79% of organizations reported that less than half of their external vendors were covered by formal cybersecurity programs,” leaving large portions of the ecosystem effectively unmonitored.

Where supply chain cyber risk originated: a brief history

According to Moody’s, “cybersecurity risks in the supply chain have historically stemmed from three main areas or sources: supplier systems, third-party infrastructure, and procured products and services” from external vendors. In complex supply chain systems with multiple tiers, relying on these subcontractors and outside vendors created blind spots. Weak or outdated security protocols as well as lack of meaningful oversight and transparency served to worsen these vulnerabilities. In addition, as the article from Moody’s noted, an increased global reliance on external providers amplified these risks, “as organizations struggle to maintain robust and consistent security practices across a range of geographies and entities, regulatory protocols and a range of cyber maturity.”

As supply chains became more digitized, routine vulnerability scanning was often applied unevenly across internal systems and external partners. Known weaknesses persisted unnoticed and undetected across interconnected environments, reducing the ability to detect and respond quickly when incidents occurred. According to SupplyChain247, many vulnerabilities lurk far beneath the surface of supply chain operations; these hidden gaps can escalate quickly into “costly breaches and operational disruptions.”

Such gaps in cybersecurity oversight have historic and global implications. According to its Global Cybersecurity Outlook 2025, the World Economic Forum cited supply chain interdependences as a main factor in the increasing complexity of cyberspace. As a top ecosystem cyber risk, this report names “supply chain vulnerabilities as the primary barrier to cyber resilience for over half (54%) of large organizations.” Third-party compliance is one of the biggest issues, with the report highlighting that the main challenge to implementing consistent cyber regulations is solid third-party compliance. The report went on to say that “the rapid adoption and utilization of AI only intensify these issues and adds to their complexity, with only 37% of organizations able to properly assess AI tool security before deployment.” The lack of safeguards, especially among smaller organizations, widens the threat landscapes to potentially include the entire ecosystem.

Some historically significant case studies are discussed in a 2025 article by Jim Frazer in LogisticsViewpoints. These include well-known attacks such as the Colonial Pipeline (2021) ransomware attack, which led to “gas shortages across the east coast and a national supply chain crisis”; the SolarWinds (2020) crisis, in which hackers compromised a management platform by inserting “malicious code” into a trusted supplier’s software update, “impacting thousands of organizations”; and Maersk (2017), when a state-sponsored malware attack brought down the world’s largest shipping line, impacting “76 port terminals at an estimated price tag of $300 million.” Each of these examples underscores a sobering truth: when supply chains are attacked digitally, the ripple effects span industries, geographies, and governments.

Current supply chain vulnerabilities

While third-party relationships are a crucial part of supply chain operations, they do concentrate the cybersecurity risk. Even if core systems are adequately protected, a vendor’s inconsistent security practices can introduce a vulnerability to the system. To illustrate how widespread this is: in the last two years, according to SupplyChain247, “28% of organizations have experienced a cybersecurity incident that originated within a third-party vendor, and one in three (roughly 29%) of data breaches can be traced back to third-party weaknesses.”

At CYRIN, a popular Data Leak Investigation exercise, essentially a forensic look at a data exfiltration investigation, allows students to experience this internal investigation on a realistic corporate network. In this exercise, warehouse shipping information was leaked to criminals and students are tasked with finding the source of the leak and how it is infiltrating key systems. This scenario accurately mimics a real-world supply chain compromise.

Which industry is the most at risk?

According to the law firm of Foley and Lardner in their October 2025 report, the manufacturing industry was the most targeted sector for cyberattacks for the fourth year running. Their study indicated that “over 26% of cybersecurity incidents worldwide target the manufacturing industry.” Supply chain attacks have swelled in recent years; “between 2021 and 2023 the number of supply chain-related attacks surged to a whopping 431%.” In addition, they are “the second most costly,” with the average cost of a breach in the “US in 2025 costing $10.22 million.” These attacks also take a great deal of time to resolve — in 2024, it took a combined “267 days for the compromises to be detected and contained.” The larger problem is that every link in the ecosystem, from software vendors to manufacturers and distributors, is a potential target.

How the threat landscape is evolving

In 2025 CyberNews.com showcased the six major supply chain issues to watch going forward. Highlights are below.

Despite these somewhat dire warnings, Claire Trimble, writing for the Forbes Communications Council, reports that organizations are working to modernize and implement robust supply chain security measures. In addition, vendor risk programs are scaling without adding staff, and breaches are being prevented before they happen. Essential to this progress has been moving to continuous monitoring and replacing trust with evidence. Smart companies are looking to independently validate security controls. According to the Forbes Council report, “Companies using these approaches are seeing dramatic improvements in vendor response times. They're identifying high-risk vendors before breaches happen. They're treating vendors as partners, sharing threat intelligence rather than running adversarial audits.”

How can CYRIN help

At CYRIN we understand that continuing innovation is needed as new technologies and techniques are developed and enter the marketplace. That’s why we teach the aforementioned forensics exercise called Conduct a Data Leak Investigation. This exercise addresses some of the core issues including applying the lessons of this investigation on a realistic network.

This is just one example of how we continue to work with our industry partners to address major challenges and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face.

Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.

For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce. In an increasingly digitized world, training and experiential training are critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits.

As this newsletter indicates, the best time to plan and prepare is before the attack. Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Our new programs, including utilizing Digital Twins, can create real-world conditions for you to practice before you must act. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!
