
Overconfidence puts supply chain security at risk, warns NCC Group

23 October 2025

  • 92 per cent of organisations trust that their suppliers follow cyber security best practices

  • A third of businesses do not conduct regular risk assessments on suppliers

  • 21 per cent believe they wouldn’t be affected if a key supplier was unable to operate for five days

  • 41 per cent of UK businesses were confident about how they monitor and assess their suppliers’ cyber security practices

UK, 23 October 2025: Businesses are overestimating their ability to respond to supply chain cyber attacks and their visibility over suppliers, according to new research from global cyber security firm NCC Group.

The State of Supply Chain Security report reveals that the vast majority (94 per cent) of businesses are confident in their ability to respond to a supply chain attack, despite the series of supply chain related attacks this year that have brought retail giants, major grocery suppliers and car manufacturers to their knees.  

Surveying 1,010 cyber security decision makers globally on their views on the current state of supply chain security, the report revealed that 92 per cent of organisations trust that their suppliers follow cyber security best practices.  

However, high trust levels could be leaving businesses and their supply chains vulnerable to threats, with the research showing that a third (34 per cent) are not regularly monitoring their suppliers or conducting risk assessments.  

Despite businesses understanding that security threats are growing, with 68 per cent expecting attacks to become more severe in the next 12 months, the data suggests a lack of awareness about the impact that a supplier attack could have on day-to-day business operations. Surprisingly, a fifth (21 per cent) of organisations surveyed said they believe that they wouldn’t be affected if a key supplier was unable to operate for five days.  

Mike Maddison, CEO of NCC Group, said: “Global supply chains are the engine of modern business, so it is critical that their security is a priority for leaders, especially when global ransomware levels are at a record high this year. The outbreak of high profile supply chain attacks we have seen this year must be taken as a wake up call. These attacks have real world consequences, delaying medical procedures, grounding flights, leaving shelves empty and putting the economy and jobs at risk. In the face of such a threat, it is shocking that 92% of respondents trust their suppliers to follow cyber security best practices. Time and time again, threat actors are profiteering from this overconfidence, using straightforward techniques to access virtually unguarded supply chain networks.”

The research gathered responses from eight markets including Australia, Germany, the Netherlands, Singapore, Spain, The Philippines, the US, and the UK. Almost half (41 per cent) of UK businesses were confident in their ability to monitor and assess their suppliers’ cyber security practices, making the UK the second most confident market after the US (50 per cent).  

However, confidence amongst UK businesses contrasts with concerns about supply chain visibility, with 67 per cent of UK businesses saying that they are worried about their level of supplier oversight, compared to the global average of 59.5 per cent. Responses were also gathered from eleven different industries and include sentiment from the public and private sector, as well as across all levels of seniority.

Mike Maddison continued: “Although it is encouraging to see cyber security climbing up the boardroom agenda for organisations, overconfidence in supplier visibility, and the ability to react, is leading to complacency that we can no longer ignore. Security is only as strong as the weakest link in a supply chain. Organisations are severely overestimating their operational resilience, with 21% of respondents believing they wouldn’t be affected if a key supplier was unable to operate for five days - they are in for a rude awakening. Supply chain attacks threaten not only individual organisations, they are an economic risk at an international level. This report is a clarion call for organisations and governments to wake up to the realities of supply chain vulnerability, we must do more to increase economic resilience by proactively tackling these threats.”

The findings come as more stringent cyber security regulation has been introduced globally to boost resilience strategies. This includes the UK’s Cyber Security Resilience Bill, as well as the EU’s NIS2 Directive and the Digital Operational Resilience Act (DORA).  

Increased regulation is welcomed by businesses, with 90 per cent confident that cyber security standards and policies reduce the risk of supply chain attacks. Yet, the introduction of more legal frameworks could make managing supply chains more complex for global businesses.  

Katharina Sommer, Group Head of Government Affairs at NCC Group, added: “Governments don’t share the same confidence in supply chain security as shown by business, prompting tighter regulations being introduced to combat these growing threats. Legislation is still catching up with the pace of innovation and the global regulatory landscape is still fragmented. As we move to an even more connected world where supply chains overlap borders and governments, organisations must carefully navigate policies to minimise supply chain vulnerabilities and increase resilience.”

Read the report

About NCC Group

We’re a people powered, tech-enabled global cyber security and resilience company with over 2000 colleagues around the world.

For over 25 years we’ve been trusted by the world’s leading companies and Governments to manage and deliver cyber resilience, working together to create a more secure digital future.

We are proud to deliver important and groundbreaking projects for our clients.