While the majority of organizations across industries evaluate the security maturity of their suppliers (66%) and involve the security function in procurement processes (65%), significantly fewer adopt more advanced resilience measures. Only 27% simulate cyber incidents or conduct recovery exercises, and a mere 33% comprehensively map their supply chain ecosystems to gain a deeper understanding of cyberthreat exposure and interdependencies. These survey results denote that supply chain risk management is often treated as a compliance checklist rather than as a dynamic, continuous process. Existing regulations typically establish only a minimum-security baseline, which may be insufficient to address rapidly evolving threats. A key challenge lies in incentivizing both organizations and their suppliers to strengthen cyber resilience. Smaller vendors frequently lack the resources to implement robust security measures, while buyers may still prioritize cost and efficiency over security when choosing partners. This imbalance creates persistent exposures, as attackers tend to exploit the weakest links within the supply chain. Cyber resilience is no longer confined to individual organizations; it depends on the strength of our entire ecosystem. By embedding cybersecurity across supply chains, sharing intelligence transparently and aligning public–private efforts, we can build a trusted digital foundation that supports innovation, stability and sustainable economic growth. Mohamed Al Kuwaiti, Head of Cybersecurity, United Arab Emirates Government 40% 20% 80% 60%We assess the security maturity of our suppliers We involve our security function in the procurement process We share information on threats with our ecosystem partners (i.e. customers, suppliers, etc.) We map our ecosystem in detail to understand where we or our partners are exposed to cyber threats We align our cyber resilience strategy among our ecosystem partners We simulate cyber incident and/or plan recovery exercises with our ecosystem partners 0% Responses (%)How does your organization address supply chain cyber risk? (select all that apply) 27%33%33%38%65%66%How organizations address supply chain risk FIGURE 38 Adequate crisis management and recovery planning is essential to limit the impact of a cyber breach when it happens. For example, in the aftermath of the attack on Japanese beer manufacturer Asahi in October 2025, essential IT services were brought down, forcing staff to revert to pen and paper to maintain critical operations such as inventory tracking and manual checks of control data.43 Concentration of risk The growing dependency on a small number of critical digital providers remains a concern for cyber leaders, as it amplifies concentration risk across the ecosystem. A single vulnerability in a critical service provider may cause cascading impacts felt across the globe. The increasing use of internet of things (IoT) devices and cloud-based services is expanding the attack surface and introducing new vulnerabilities, especially when these technologies are integrated into supply chains or vendor ecosystems without adequate security controls. Survey data highlights this risk: cloud technologies are identified as the second most impactful technology for cybersecurity in 2026, after AI. Global Cybersecurity Outlook 2026 47