For years, cybersecurity was treated as an IT problem to be managed inside the four walls of the enterprise. That framing no longer holds. As supply chains become more digitally connected and increasingly dependent on third parties, cybersecurity has evolved into a core business risk that extends across suppliers, partners, and service providers.
According to Richard Watson, global cybersecurity leader at EY, third-party exposure remains one of the most persistent weaknesses in corporate cyber defenses. Most cyber incidents today, he noted, involve a supplier or external partner somewhere along the supply chain.
That exposure is no longer limited to data theft. State-sponsored and criminal attacks are increasingly capable of causing real-world operational disruption, shutting down factories, delaying transportation and logistics, and damaging physical assets. New EY data shows that 61% of companies experienced a third-party breach in the past year, underscoring how common and consequential those risks have become.
AI is accelerating both attacks and defenses
The rapid development of AI and agentic AI is reshaping the cyber threat landscape in ways many organizations are still struggling to manage. Watson described this evolution as a double-edged sword: attackers are using AI to generate more sophisticated malware and to identify corporate vulnerabilities faster, while defenders are beginning to use AI to shorten detection and response times.
While leading organizations are now able to detect and respond to attacks in as little as 5 to 10 minutes, Watson said attackers can still compromise systems in under a minute. “Hackers can get in in 52 seconds,” he said.
Complicating matters further, organizations are constrained by governance and regulatory requirements that slow defensive changes. Cyber criminals are not bound by those rules, Watson observed, while enterprises often face approval cycles that can take months. In the short term, that gives attackers an advantage.
At the same time, AI is becoming one of the most effective tools organizations have to narrow that gap. Automated detection, identity controls, and response actions such as revoking access or isolating systems are helping security teams reduce the time between intrusion and containment.
Why resilience is replacing prevention
One of the most important shifts Watson expects to see in 2026 is a move away from prevention-only strategies toward a stronger emphasis on resilience.
Rather than assuming attacks can always be stopped, organizations are increasingly planning for how they will recover when incidents occur. Watson said this shift reflects a growing recognition that the attack surface is expanding, driven by cloud adoption, AI, connected devices, and other emerging technologies, and that perfect prevention is no longer realistic.
“We think the pendulum will shift a little,” Watson said, noting that organizations are spending more time asking how quickly they can restore operations after an attack. “Resilience is about how you get the organization back online,” he noted.
Regulation is reinforcing that shift. In Europe, for example, the Digital Operational Resilience Act (DORA), which applies to financial entities and the ICT third-party providers that serve them, requires organizations to demonstrate not only preventive controls but also their ability to keep operating through disruption, including disruption that originates at a supplier. For supply chains, that focus on resilience translates directly into reduced downtime, faster recovery, and better protection of service levels.
Visibility and governance across the supply chain
If resilience is the objective, visibility is the prerequisite. Watson emphasized that organizations must understand who is in their supply chain, who has access to their data, and how that access is governed and monitored. As supply chains grow more complex, those questions are becoming harder to answer, particularly as companies rely on cloud platforms, third-party software, and AI-enabled tools.
Among the areas of greatest concern:
- Software updates, which become a delivery channel for attacker code if the vendor's build or update pipeline is compromised
- Third-party access, often broader than operationally necessary
- Open-source dependencies, embedded deep within commercial software ecosystems
Hidden dependencies, Watson noted, are often where risk emerges.
Practical controls for managing AI-era cyber risk
To address those challenges, organizations are strengthening foundational controls designed to limit exposure and reduce the impact of incidents when they occur.
One area of focus is software transparency. Many companies now verify the software they deploy using software bills of materials (SBOMs), which list the components embedded in an application, including transitive dependencies pulled in by other components, so they can be matched against known-vulnerability data. An SBOM only delivers that benefit if it is regenerated as builds change and the matching is actually performed, rather than filed as a compliance artifact.
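The following is an added example of the SBOM check described above; it is not code from the page or from EY. It parses a constructed CycloneDX-style SBOM for a hypothetical application, matches each component against a constructed advisory feed (the package names, versions and advisory IDs are invented, not real CVEs), and for every hit walks the SBOM's dependency graph to show the chain through which the vulnerable component is pulled in, which is how a "hidden" transitive dependency becomes visible. The version comparison is a deliberate simplification that handles only dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical application. Every
# package name, version and bom-ref here is invented for illustration.
SBOM_TEXT = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app:order-service@2.3.0",
                             "name": "order-service", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:generic/acme-http@3.1.0", "name": "acme-http", "version": "3.1.0"},
    {"bom-ref": "pkg:generic/tlsutil@1.4.0",   "name": "tlsutil",   "version": "1.4.0"},
    {"bom-ref": "pkg:generic/yamlparse@2.0.3", "name": "yamlparse", "version": "2.0.3"}
  ],
  "dependencies": [
    {"ref": "app:order-service@2.3.0",
     "dependsOn": ["pkg:generic/acme-http@3.1.0", "pkg:generic/yamlparse@2.0.3"]},
    {"ref": "pkg:generic/acme-http@3.1.0", "dependsOn": ["pkg:generic/tlsutil@1.4.0"]},
    {"ref": "pkg:generic/tlsutil@1.4.0",   "dependsOn": []},
    {"ref": "pkg:generic/yamlparse@2.0.3", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed with hypothetical IDs (not real CVEs). A version
# is affected when introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "ADV-0001", "name": "tlsutil",   "introduced": "1.0.0", "fixed_in": "1.4.2"},
    {"id": "ADV-0002", "name": "yamlparse", "introduced": "1.0.0", "fixed_in": "2.0.0"},
]


def version_key(version: str) -> tuple:
    """Numeric tuple for dotted versions (simplification: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """True when the installed version falls inside the advisory's affected range."""
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed_in"])


def parse_sbom(text: str):
    """Return (root bom-ref, components keyed by bom-ref, dependency graph)."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in bom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root, components, graph


def dependency_path(graph: dict, start: str, target: str, seen=None):
    """Depth-first search for one path from start to target; cycle-safe."""
    seen = set() if seen is None else seen
    if start == target:
        return [start]
    seen.add(start)
    for child in graph.get(start, []):
        if child in seen:
            continue
        path = dependency_path(graph, child, target, seen)
        if path:
            return [start] + path
    return None


def find_affected_components(sbom_text: str, advisories: list) -> list:
    """Match every SBOM component against the advisory feed and, for each hit,
    record the dependency chain that pulls it in from the top-level application."""
    root, components, graph = parse_sbom(sbom_text)
    findings = []
    for ref, comp in components.items():
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({
                    "component": ref,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                    "path": dependency_path(graph, root, ref),
                })
    return findings


if __name__ == "__main__":
    for f in find_affected_components(SBOM_TEXT, ADVISORIES):
        chain = " -> ".join(f["path"])
        print(f"{f['advisory']}: {f['component']} (fixed in {f['fixed_in']}) via {chain}")
```

Run against the constructed inputs, the only finding is the transitive `tlsutil` component, reached through `acme-http`; `yamlparse` is already past the advisory's fixed version and is correctly left alone. In practice the advisory feed would come from a vulnerability database keyed by package URL, and the check would run on every new build rather than once.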
Another is tightening system trust. Rather than granting broad access, organizations are moving toward minimum-access models, ensuring that users, suppliers, and AI systems only have the permissions required to perform specific tasks. Watson noted that AI systems require effective access to data and systems, which makes disciplined access control essential.
Continuous monitoring is also becoming more common. Instead of periodic assessments, leading organizations are using automated tools to monitor suppliers, data flows, and risk indicators on an ongoing basis, using AI to make that monitoring more scalable and cost-effective.
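The two passages above, minimum-access models for suppliers and AI agents and continuous rather than periodic review, come together in the following added example; it is not code from the page or from EY. It takes a constructed table of what each third-party principal has been granted and a constructed access log of which permissions were actually exercised, then reports, per principal, the grants unused in a 90-day window (candidates for removal), principals with no activity at all (dormant access that should be revoked), and permissions used without a matching grant, which signals that the access inventory itself is wrong. The principal names, permission strings and the 90-day window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed access grants: third-party principal -> permissions granted.
# Names and permission strings are invented for illustration.
GRANTS = {
    "vendor-logistics-api":  {"shipments:read", "shipments:write", "customers:read", "finance:read"},
    "vendor-forecast-agent": {"orders:read", "inventory:read", "inventory:write"},
    "vendor-legacy-edi":     {"orders:read", "orders:write"},
}

# Constructed access log: (ISO timestamp, principal, permission exercised).
ACCESS_EVENTS = [
    ("2025-06-01T08:12:00", "vendor-logistics-api", "shipments:read"),
    ("2025-06-01T08:12:05", "vendor-logistics-api", "shipments:write"),
    ("2025-06-20T14:03:00", "vendor-logistics-api", "shipments:read"),
    ("2025-06-21T09:30:00", "vendor-forecast-agent", "orders:read"),
    ("2025-06-21T09:30:01", "vendor-forecast-agent", "inventory:read"),
    ("2025-06-22T10:00:00", "vendor-forecast-agent", "reports:read"),  # never granted
    ("2025-03-02T11:00:00", "vendor-legacy-edi", "orders:read"),       # outside the window
]

# Evaluation time is fixed so the example is deterministic.
NOW = datetime.fromisoformat("2025-06-30T00:00:00")


def used_permissions(events: list, since: datetime) -> dict:
    """Map each principal to the set of permissions it exercised at or after `since`."""
    used = {}
    for ts, principal, permission in events:
        if datetime.fromisoformat(ts) >= since:
            used.setdefault(principal, set()).add(permission)
    return used


def right_size(grants: dict, events: list, now: datetime, window_days: int = 90) -> dict:
    """Compare granted permissions with observed use inside the window.

    For every principal: 'unused' grants are candidates for removal, 'dormant'
    principals showed no activity at all, 'recommended' is the minimal policy
    that would still cover observed use, and 'unexpected' lists permissions
    exercised without a matching grant (an inventory or enforcement gap).
    """
    since = now - timedelta(days=window_days)
    used = used_permissions(events, since)
    report = {}
    for principal, granted in grants.items():
        exercised = used.get(principal, set())
        report[principal] = {
            "dormant": not exercised,
            "unused": sorted(granted - exercised),
            "recommended": sorted(exercised & granted),
            "unexpected": sorted(exercised - granted),
        }
    # Activity from principals absent from the grant table is itself a finding.
    for principal in set(used) - set(grants):
        report[principal] = {
            "dormant": False, "unused": [], "recommended": [],
            "unexpected": sorted(used[principal]),
        }
    return report


if __name__ == "__main__":
    for principal, r in right_size(GRANTS, ACCESS_EVENTS, NOW).items():
        status = "DORMANT, revoke" if r["dormant"] else f"unused={r['unused']}"
        print(f"{principal}: {status} unexpected={r['unexpected']} recommended={r['recommended']}")
```

With the constructed data, the logistics integration keeps only its two shipment permissions, the forecasting agent loses `inventory:write` and surfaces a `reports:read` call nobody granted, and the legacy EDI account, silent since March, is flagged for revocation. Running this on a schedule against real authorization logs is the "continuous" part; the 90-day window and the decision to remove rather than merely report are policy choices.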
The human factor remains central
Despite advances in technology, the most common cyber risks remain familiar. Phishing still plays a role in roughly 90% of attacks, often serving as the entry point for ransomware or business email compromise, Watson said.
What has changed is how organizations manage human risk. Traditional training focused on teaching employees how to identify suspicious emails. Today, many companies are supplementing that approach with behavioral monitoring, tracking system access, data usage, and activity patterns to identify elevated risk earlier.
This shift reflects a more nuanced understanding of insider risk, one that looks beyond awareness to actual behavior.
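The behavioral monitoring described above, added here as an illustrative example that is not code from the page or from EY, can be reduced to a per-user baseline and a handful of deviation signals. The block below builds, from constructed access events (users, resources, volumes and hours are all invented), each user's normal daily data volume and the set of resources they usually touch over a 14-day window, then scores a later day for three signals: a volume spike well above the user's own baseline, access to a resource never seen in that baseline, and activity outside an assumed 06:00 to 20:59 working window. Any one of these is a prompt for review, not proof of malicious intent.

```python
import statistics
from collections import defaultdict

# Constructed access events: (day, hour, user, resource, records_read).
# Days 1-14 form the baseline; day 15 is the period under evaluation.
EVENTS = []
for _day in range(1, 15):
    EVENTS.append((_day, 9, "alice", "crm", 100 + (_day % 5) * 10))
    EVENTS.append((_day, 10, "alice", "orders", 20))
    EVENTS.append((_day, 8, "bob", "inventory", 50 + (_day % 3) * 5))
EVENTS += [
    (15, 9, "alice", "crm", 120),
    (15, 10, "alice", "orders", 20),
    (15, 2, "bob", "inventory", 1500),   # volume far above bob's norm
    (15, 2, "bob", "hr-exports", 500),   # resource bob has never used
]

BUSINESS_HOURS = range(6, 21)  # assumed working window, 06:00-20:59


def daily_profile(events) -> dict:
    """Aggregate events into per-(user, day) record totals, resources and hours."""
    profile = defaultdict(lambda: {"records": 0, "resources": set(), "hours": set()})
    for day, hour, user, resource, records in events:
        p = profile[(user, day)]
        p["records"] += records
        p["resources"].add(resource)
        p["hours"].add(hour)
    return profile


def build_baseline(events: list, last_baseline_day: int) -> dict:
    """Per-user mean and population stdev of daily volume, plus resources normally used."""
    profile = daily_profile(e for e in events if e[0] <= last_baseline_day)
    per_user = defaultdict(lambda: {"volumes": [], "resources": set()})
    for (user, _day), p in profile.items():
        per_user[user]["volumes"].append(p["records"])
        per_user[user]["resources"] |= p["resources"]
    return {
        user: {
            "mean": statistics.mean(d["volumes"]),
            "stdev": statistics.pstdev(d["volumes"]),
            "resources": d["resources"],
        }
        for user, d in per_user.items()
    }


def evaluate_day(events: list, day: int, baseline: dict, k: float = 3.0) -> dict:
    """Return {user: [(signal, detail), ...]} for users whose activity on `day`
    deviates from their own baseline; users with no signals are omitted."""
    profile = daily_profile(e for e in events if e[0] == day)
    findings = defaultdict(list)
    for (user, _day), p in profile.items():
        base = baseline.get(user)
        if base is None:
            findings[user].append(("no_baseline", "first activity seen for this user"))
            continue
        threshold = base["mean"] + k * base["stdev"]
        # Require both a statistical and an absolute deviation so that a
        # low-variance user is not flagged by a handful of extra records.
        if p["records"] > threshold and p["records"] > 2 * base["mean"]:
            findings[user].append(("volume", f"{p['records']} records vs mean {base['mean']:.0f}"))
        novel = p["resources"] - base["resources"]
        if novel:
            findings[user].append(("novel_resource", ", ".join(sorted(novel))))
        off_hours = sorted(h for h in p["hours"] if h not in BUSINESS_HOURS)
        if off_hours:
            findings[user].append(("off_hours", f"access at hour(s) {off_hours}"))
    return dict(findings)


if __name__ == "__main__":
    for user, signals in evaluate_day(EVENTS, 15, build_baseline(EVENTS, 14)).items():
        for signal, detail in signals:
            print(f"{user}: {signal}: {detail}")
```

On the constructed data, alice's day 15 is unremarkable and produces nothing, while bob trips all three signals at once. A real deployment would tune `k`, the business-hours window and the baseline length per population, and would feed the signals into a review workflow rather than block access on its own.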
What supply chain leaders should prioritize next
Looking ahead, Watson believes organizations best positioned to manage cyber risk will focus on three priorities:
- End-to-end visibility into supply chain partners and data flows
- Strong governance over access, software, and third-party risk
- AI-enabled monitoring and response, used defensively to counter AI-driven attacks
AI, Watson said, is inevitable, much like the shift to cloud computing was several years ago. The challenge is not whether organizations will adopt it, but how they will protect it with the right guardrails in place.
For supply chain leaders, that means treating cybersecurity not as a standalone technical function, but as a shared responsibility tied directly to resilience, continuity, and operational performance. The threat landscape may be accelerating, but so are the tools available to manage it, if organizations are willing to rethink where cybersecurity truly belongs.