# EY Survey Reveals Rising Cyber Threats from Third-Party Supply Chain Risks
A wave of high-profile cyberattacks exploiting weaknesses in supply chain partners is prompting heightened concerns among corporate leaders over third-party cybersecurity risks, according to a new survey from Ernst & Young (EY). The survey, which polled 500 senior cybersecurity executives across various industries, has revealed a growing unease among organizations, with more than half reporting material incidents stemming from third-party relationships in the past two years.
Despite these experiences, only about 29% of respondents said they were 'very confident' in their ability to detect and mitigate risks within their digital supply chain. This lack of confidence is concerning, as hackers increasingly target the complex network of vendors, contractors, and suppliers that form the operational backbone of modern enterprises. Attackers often look for the weakest link, which is frequently a less-secure third party with access to sensitive data or infrastructure.
"The threat landscape has changed dramatically," said Matt Chambers, EY Americas Cybersecurity Leader. "Organizations have spent years hardening their internal defenses, but adversaries are relentless in probing the edges — and that often means partners." Chambers emphasized that organizations should adopt a 'trust, but verify' approach, ensuring that they not only require vendors to comply with cybersecurity standards but also regularly verify these standards.
The survey highlights the growing significance of supply chain vulnerabilities as a top cyber risk concern for organizations. Respondents labeled third-party threats as their most significant cyber risk, ahead of ransomware, insider threats, and direct attacks on enterprise systems. This underscores the importance of proactive measures to address potential risks within the supply chain.
However, the survey also reveals uneven progress in managing supply-chain-related risk. While around 68% of companies require their vendors to comply with cybersecurity standards or complete assessments, fewer than half said they verify on an ongoing basis that these standards are being met. This suggests that many organizations need to bolster their processes for monitoring and addressing potential vulnerabilities.
The consequences of failing to address third-party risks can be severe. The 2020 SolarWinds hack, for example, enabled cybercriminals to compromise a host of U.S. government agencies and Fortune 500 firms by targeting a widely used network management product. More recently, ransomware criminals have leveraged software vendors and managed service providers to gain entry to multiple organizations simultaneously.
As regulatory pressure mounts, companies are ramping up investment in automated monitoring tools, contractual requirements, and collaboration with suppliers on joint risk management. However, many struggle to keep pace with the proliferation of vendors, which can make it difficult to identify potential threats.
Consolidating vendor portfolios and prioritizing risk assessments based on criticality are seen as essential strategies for mitigating supply chain risks. "You can't manage what you can't see," Chambers noted. "Visibility and real-time intelligence across your third parties are critical to staying ahead of the threat."
For most organizations, eliminating third-party risk entirely is impossible. However, diligent oversight and continuous defense can help prevent a weak link from becoming a costly breach. As Chambers aptly put it, "We're all in this together. When one partner gets hit, the ripple effects can be immense."