
Overconfidence Creates 'Perfect Storm' of Supply Chain Security Risk, Warns NCC Group


By Roy Urrico


A new report, The State of Supply Chain Security 2025, from Manchester, England-based cybersecurity consulting firm NCC Group finds that organizations across 11 industries, including financial services, “are navigating a perfect storm: evolving global markets, increasingly complex supply chains, and a cyber threat landscape that’s growing in both scale and sophistication.” In addition, businesses are overestimating their ability to protect themselves from and respond to supply chain cyberattacks.

CEO Mike Maddison of NCC Group.

“Global supply chains are the engine of modern business, so it is critical that their security is a priority for leaders, especially when global ransomware levels are at a record high this year. The outbreak of high-profile supply chain attacks we have seen this year must be taken as a wakeup call,” said CEO Mike Maddison of NCC Group. “These attacks have real world consequences, delaying medical procedures, grounding flights, leaving shelves empty and putting the economy and jobs at risk. In the face of such a threat, it is shocking that 92% of respondents trust their suppliers to follow cybersecurity best practices. Time and time again, threat actors are profiteering from this overconfidence, using straightforward techniques to access virtually unguarded supply chain networks.”


The report was based on responses from 1,010 professionals responsible for cybersecurity in public and private sector organizations with 500-10,000 employees across eight markets (U.S., U.K., Australia, Germany, the Netherlands, Singapore, Spain and the Philippines); and 11 industries (financial services, healthcare, energy, materials, industrials, consumer discretionary, consumer staples, information technology, communication services, utilities, and real estate).


Supply Chain Threat


A supply chain attack is a cybersecurity threat that targets organizations by compromising system or network vulnerabilities using third-party tools or services — collectively referred to as a “supply chain.”


The supply chain security report revealed that 92% of organizations trust that their suppliers follow cybersecurity best practices. The report also revealed that the vast majority (94%) of businesses are confident in their ability to respond to a supply chain attack, despite the series of supply chain-related attacks this year that impacted financial institutions, retail giants, major grocery suppliers and car manufacturers.


A sophisticated supply chain cyberattack on Swiss service provider Chain IQ in June 2025 resulted in data leaks at several financial institutions, including financial services organization UBS and investment firm Pictet.


The threat is so real for financial institutions that Todd M. Harper, former chairman and current board member of the NCUA, noted in a report to Congress in June 2025: “Credit unions’ dependency on third-party vendors and the integral nature of the supply chain introduces considerable risk as cyberactors continue to exploit the vulnerabilities of third-party providers.”


Maddison explained: “Although it is encouraging to see cybersecurity climbing up the boardroom agenda for organizations, overconfidence in supplier visibility, and the ability to react, is leading to complacency that we can no longer ignore. Security is only as strong as the weakest link in a supply chain.” He added organizations severely overestimate their operational resilience, with 21% of respondents believing they would experience no effect if a key supplier was unable to operate for five days. “They are in for a rude awakening. Supply chain attacks threaten not only individual organizations, they are an economic risk at an international level. This report is a clarion call for organizations and governments to wake up to the realities of supply chain vulnerability. We must do more to increase economic resilience by proactively tackling these threats.”


Critical Areas

 Katharina Sommer, group head of government affairs at NCC Group.

The NCC Group research identified three critical risk areas that demand urgent attention:


  1. The overconfidence trap. Ninety-four percent of respondents are confident in their ability to respond to a supply chain attack. Ninety-two percent trust their suppliers to follow best practices. Yet only 66% regularly assess supplier risk.

  2. The responsibility gap. While 57% of CEOs believe they maintain strong visibility into supply chain security, only 30% of directors and 18% of team supervisors agree. Sixty-two percent of cybersecurity teams said they often receive that responsibility is their job alone.

  3. The shadow of artificial intelligence (AI). AI ranks as the top emerging risk in supply chain security. Fifty-nine percent of respondents expect it to drive the greatest increase in threat over the next year. Yet many organizations lack visibility into the use of AI by employees and attackers.


The research also discovered that businesses welcome increased regulation, with 90% confident that cybersecurity standards and policies reduce the risk of supply chain attacks. Yet, the introduction of more legal frameworks could make managing supply chains more complex for global businesses.


“Governments don’t share the same confidence in supply chain security as shown by business, prompting tighter regulations being introduced to combat these growing threats,” noted Katharina Sommer, group head of government affairs at NCC Group. “Legislation is still catching up with the pace of innovation and the global regulatory landscape is still fragmented. As we move to an even more connected world where supply chains overlap borders and governments, organizations must carefully navigate policies to minimize supply chain vulnerabilities and increase resilience.”
