Are you or your managed services clients concerned about third-party risk? You’re not alone.
A new survey from ISC2, a member association for cybersecurity professionals, finds that organizations of all sizes struggle with lack of visibility across their network of third-party vendors and partners, with 70% of respondents highly concerned about cybersecurity risk in their supply chain.
And it’s not just large enterprises; 57% of respondents from both small and medium organizations share this level of concern. It’s not unfounded. The ISC2 2025 Supply Chain Risk Survey finds that 28% of respondents’ organizations experienced a cybersecurity incident originating from a third-party vendor/supplier in the past two years.
Notably, organizations that provide software, digital services, or managed solutions to other businesses are more likely to express concern compared to those that do not (72% are very or extremely concerned vs. 65%, respectively).
If your clients are in sectors such as financial services, military contracting, or healthcare, which rely heavily on third-party supply chains, they are highly concerned too.
Challenges to Securing the Supply Chain
Respondents say the key challenges to securing the supply chain are lack of visibility, transparency, or control of suppliers. Many are not aware of their vendors’ vendors, or of all the possible points of entry that exist when multiple players are involved.
Nearly two-thirds of respondents point to data breaches as the most disruptive cybersecurity threat (64%) to their organization’s supply chain. Malware or ransomware ranks second (52%), followed by software vulnerabilities in supplier products (51%). Significantly, supply chain threats are not necessarily external ones; 29% rank insider threats from vendors as being disruptive for their organizations.
Proactive Steps
Risk assessment of a supplier or suppliers down the chain can help identify and mitigate vulnerabilities. The research finds that 70% of organizations conduct third-party risk assessments on a regular schedule, such as at the time of contract renewal or annually. Additionally, 49% of organizations take a close look during initial evaluation/onboarding, 26% when incidents have occurred, and 25% when monitoring tools alert them to a third-party threat.
However, the research notes that organizations that evaluate supply chain vendors only during initial onboarding may have a false sense of security based on a one-time snapshot of the supplier’s processes.
Other steps organizations are taking to ensure suppliers’ security practices include requiring compliance with standards such as ISO 27001, NIST, and SOC 2 (77%), followed by security audits/attestations/assessments (71%), multifactor authentication/secure access protocols (62%), and incident response and breach notification procedures (61%). Only 5% said their organizations do not require any controls.
Among organizations that provide software, digital services or connected managed services to other organizations, a large majority (83%) report having formal incident response policies with detailed communication plans and timelines to notify customers in the event of a breach or cybersecurity incident. Only 6% say their organization does not have formal IR policies, while 11% are not sure.
Recommendations for Bolstering Supply Chain Security
ISC2 recommends implementing the following to mitigate supply chain risk:
- Third-party risk assessments, including vulnerability scans and misconfiguration checks.
- A zero-trust architecture, providing constant verification that each person is where they should be and accessing only what they need and are authorized to access—from on-premises to cloud.
- Vendor contract reviews, ensuring that a good contract with clear deliverables and expectations is part of a cybersecurity defensive strategy.
- Cybersecurity skills development for your staff.
The Bottom Line: Visibility Is the New Security Advantage
Third-party risk isn’t going anywhere—and for most organizations, it’s only becoming more complex. As supply chains grow, software stacks deepen, and vendors rely on their own vendors, visibility becomes both harder to achieve and more essential to maintain.
For MSPs and their clients alike, the path forward is clear: continuous assessment, stronger contractual safeguards, zero-trust principles, and ongoing skills development. Organizations that proactively manage these layers of defense won’t just reduce risk, they’ll build the resilience and trust today’s interconnected ecosystem demands.
For more on supply chain cybersecurity, see “How MSPs Can Lead the Shift from Reactive to Resilient for Supply Chain Clients.”