Cyber Risks Threaten Resilience in Digital Supply Chains

Bitsight has explored the cyber risks across global supply chains. Picture: Getty Images
Bitsight’s latest report uncovers cybersecurity vulnerabilities across 61 million supply chain relationships and urges stronger risk management

Digital transformation continues to reshape industries, but as businesses embrace new technologies and deepen their reliance on interconnected systems, cyber threats within the supply chain emerge as a significant risk.

Bitsight’s new report, Under the Surface: Uncovering Cyber Risk in the Global Supply Chain, places a sharp focus on the security weaknesses underpinning modern supply chain networks and reveals the consequences of limited visibility and underinvestment in cybersecurity.

By tracking more than 61 million digital supply chain relationships, spanning 40,000 products, 500,000 organisations and 12,000 service providers, the report illustrates the scale of hidden risk.

Cybersecurity and supply chain resilience, the report suggests, are now fundamentally linked – and many organisations are not adequately prepared.

Ben Edwards, Principal Research Scientist at Bitsight, puts this in context: "Given the current changes in the geo-political landscape, supply chain risks are increasingly important.

"Our research indicates that certain Chinese firms maintain a substantial presence within the US and global digital infrastructure. Understanding these dependencies is a critical step in assessing systemic risk and developing strategies to enhance resilience."


Concentration of providers intensifies exposure

Bitsight's study identifies both industry-specific and geographic concentration risks. These occur when a single provider dominates a particular market segment or region, amplifying the consequences of any disruption.

For example, Aptiv Group serves 54.6% of the aerospace and defence sector, while MeridianLink works with 28.3% of the credit union industry. This level of concentration means that even limited operational issues could create outsized effects for critical industries.

Geographic reliance creates additional national-level vulnerabilities. PowerSchool, which holds less than 1% of global market share in education technology, still serves 20.4% of the UAE education sector. Similarly, Etisalat controls just 1.14% of the global telecommunications market but dominates 76.5% of the UAE’s market.

These examples illustrate how localised overreliance on a single provider can place infrastructure at risk, especially when cybersecurity standards are not robust. 

Such levels of dependency, whether sector-based or geographic, underline the urgent need to address cybersecurity in supply chain networks. The report makes it clear that overconcentration without proper risk management can result in high-impact failures.

UAE market share compared to global market share (Credit: Bitsight)

Providers often lag in cybersecurity

When measuring security performance, Bitsight uses 22 risk vectors to assess vulnerabilities such as open ports, insecure systems and outdated versions of encryption protocols such as TLS. Providers are found to underperform consumers in 16 of these categories, raising serious concerns about the state of cybersecurity within core digital infrastructure.

Bitsight’s analysis draws attention to a concerning pattern: widely used providers, including payment processors, manufacturers and SaaS platforms, often fall short in key security areas. Many suffer from persistent problems such as unpatched systems and insecure configurations.

According to the findings, these providers are not only more exposed but often lack visibility into their risks, making them attractive targets for cybercriminals and threatening the broader digital supply chain.

The report suggests that many such organisations underinvest in cybersecurity despite their central role in the global supply network.

A strong correlation is noted between poor cybersecurity and market share – providers with larger market footprints often exhibit more significant weaknesses, increasing the potential fallout from a breach.

Average risk vector scores for providers and non-providers in Bitsight's data set (Credit: Bitsight)

Increasing visibility is key to cyber resilience

Bitsight’s report concludes with a call to strengthen risk management and increase transparency across digital supply chains.

As supply networks evolve into intricate, interconnected ecosystems, traditional linear models of oversight no longer apply. Third-, fourth- and even further-party risks must be continuously monitored.

The firm stresses that future resilience depends on embedding cybersecurity across all layers of the supply chain. Without proactive oversight, hidden weaknesses can lead to widespread operational and security failures.

The message from Bitsight is clear: organisations can no longer afford to treat cybersecurity as an isolated IT issue – it is now central to supply chain integrity.

In an environment where cyber risks continue to evolve and grow, firms must adapt or risk being caught unprepared.

