Why supply chain cybersecurity still falls short and what leaders must do next

Cybersecurity is vital for supply chains to execute effectively and maintain trust with partners and customers.


This is an excerpt of the original article. It was written for the September-October 2025 edition of Supply Chain Management Review. The full article is available to current subscribers.


Supply chains rely heavily on digital technology to support interconnected global networks of suppliers, logistics providers, customers, and multiple other stakeholders. These technologies make modern supply chains possible, but they can also create vulnerabilities to cyberattacks. Global networks also mean that organizations must worry about their security and that of their partners as any link in the supply chain can be the target of an attack. Weaknesses can have a ripple effect, affecting multiple stakeholders and causing damage to other points in the chain.

In late 2024, APQC conducted a global survey of 2,500 cybersecurity professionals. The results show that supply chain leaders need to better understand supply chain vulnerabilities to cyberattacks, as well as the evolving nature of threats. Supply chain leaders are not expected to become IT leaders, but it is reasonable to expect them to understand how supply chains are vulnerable to cyberattacks and how those threats are evolving. In addition, supply chain professionals need to take the lead on dealing with suppliers as a source of potentially devastating cyber risks that can disrupt their own businesses.

Timeliness measures are not encouraging

Cycle times matter in the supply chain, and cybersecurity is no different. The research reveals, however, that organizations have a lot of room for improvement. Figure 1 shows how organizations perform on several measures related to the timing of critical cybersecurity actions.

  • Average time in calendar days to detect cybersecurity incidents.
  • Average time in calendar days to respond to and recover from cybersecurity incidents.
  • Average number of calendar days to notify customers of a breach.
  • Average number of calendar days, over the year, to apply security patches after they are released.

The most alarming cycle time is the number of days organizations need to detect incidents. At the median, they need almost six months to detect that an intrusion has happened. Globally, this number is often reported to be even higher, depending on the source, at 200-plus days. During this time, a bad actor has access to organizational systems, can lurk and observe, and may engage in further damaging activities such as a whaling attack (a phishing attack aimed at senior executives) or executive impersonation, often called CEO fraud, in which the criminal poses as a senior member of the organization to gain the trust of other staff and access to sensitive information. The longer the attacker stays undetected, the more convincing such impersonation becomes, because they have had time to learn the organization's people, projects, and approval habits.


Also disturbing is that organizations take a median of one month to notify their customers of a security breach. This is on top of the six months it takes to detect an incident, meaning that customers have potentially had their identities and assets at risk for seven months—long enough to strike a serious blow to customer trust in an organization.

Once an organization detects an incident, it takes a median of one and one-half months to respond to and recover from the security breach. The time needed depends on multiple factors, including the type and severity of the attack. For example, after a ransomware attack, recovery is not as simple as obtaining the decryption key and rebooting. An organization must decrypt each affected system to restore its files and then verify that the process has worked. The age of supply chain systems (some are frankly antiquated) can affect how long restoration takes, and systems can be reinfected if they are brought back up too soon or before the attacker's original access has been closed. In some cases, impacted hardware has to be replaced. The recovery process can be a costly one, with downtime, data loss, and recovery activities all having associated expenses.

Organizations can mitigate the risk of cyberattacks that exploit known weaknesses by applying security patches to their systems. However, APQC found that organizations take a median of 28 days to apply patches once they are released. This gives bad actors nearly a month to take advantage of a known security flaw, and in practice exploitation of a published vulnerability often begins well within that window. Many cybersecurity breaches result from unpatched vulnerabilities, so it is essential for organizations to decrease the time needed to install these front-line defenses.

Current spending is insufficient

Although cybersecurity presents a clear risk to supply chains, organizations' spending on security is not keeping up. APQC's research shows that at the median, organizations spend only 0.5% of their total revenue on cybersecurity. For a company with $2 billion in annual revenue, this means only $10 million goes to cybersecurity for both IT and operational technology (OT), such as the systems that run the supply chain.

This is a small amount compared to what organizations spend on other critical processes. For example, they spend a median of 49.6% of their revenue on manufacturing, which for the hypothetical $2 billion organization would lead to a cost of almost a billion dollars. Ten million dollars hardly seems like enough to protect a manufacturing investment this large, let alone the rest of the supply chain and enterprise.

Steps leaders can take

Organizations can improve their cybersecurity readiness by identifying their vulnerabilities both within and external to the enterprise.

1. REVIEW YOUR VENDORS

The interconnected systems within supply chains mean organizations must be aware of their critical vendors’ security risks—their vulnerabilities are YOUR vulnerabilities. Supply chain leaders can gain a better understanding of this by increasing the percentage of vendors that have undergone security reviews. At the median, organizations report that they have reviewed 90% of their critical vendors. To have 10% be of unknown risk presents a potentially serious problem for supply chains. Organizations can start addressing this by leveraging the relationships built by their procurement professionals. Positioning increased cybersecurity as benefitting the partnership can motivate vendors to collaborate on security. A chain is only as strong as its weakest link.

2. SECURE DEVICES ON YOUR NETWORK

APQC also asked about the percentage of devices on organizational networks that have known vulnerabilities. As shown in Figure 2, both the median and the 75th percentile are 10%. Considering the number of devices an organization may have, this percentage can translate into a large number of unsecured devices. And bad actors need only one entry point to gain access.

These are devices with known vulnerabilities. On top of this, there are most likely devices with vulnerabilities the organization has not yet identified. One key step to address both is staying proactive on security patches, backed by an accurate device inventory so that no device is missed; both are integral parts of any organization's cybersecurity strategy.
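The four timeliness measures in the "Timeliness measures are not encouraging" section and the share of devices with known vulnerabilities in step 2 are only useful to a leader who can compute them from the organization's own records. The following is an added example, not code from the article or from APQC, that does so in Python over constructed incident and patch records. The record layouts, the device names, and advisory identifiers such as ADV-2024-003 are assumptions for illustration. Time to detect is measured from first compromise (attacker dwell time), while response and recovery and customer notification are measured from detection, which is how the article stacks them when it says notification comes "on top of" detection. The exposure check treats a fix that was applied after the reporting date as still open on that date, and ignores advisories not yet released on that date.

```python
"""Cybersecurity scorecard metrics computed from constructed sample records."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Incident:
    name: str
    first_compromise: date                     # earliest attacker activity found by forensics
    detected: date                             # when the incident case was opened
    recovered: date                            # affected systems back in normal operation
    customers_notified: Optional[date] = None  # None: no customer notice was required


@dataclass(frozen=True)
class PatchRecord:
    device: str
    advisory: str                   # hypothetical advisory id, constructed for this example
    released: date                  # when the vendor published the fix
    applied: Optional[date] = None  # None: still unpatched


def days_between(start: date, end: date) -> int:
    return (end - start).days


def incident_cycle_times(incidents: List[Incident]) -> Dict[str, float]:
    """Median calendar days to detect (from first compromise, i.e. dwell time),
    to respond and recover (from detection), and to notify customers (from
    detection, so the article's "on top of" framing holds)."""
    detect = [days_between(i.first_compromise, i.detected) for i in incidents]
    recover = [days_between(i.detected, i.recovered) for i in incidents]
    notify = [days_between(i.detected, i.customers_notified)
              for i in incidents if i.customers_notified is not None]
    return {
        "detect_days": median(detect),
        "respond_recover_days": median(recover),
        "notify_days": median(notify) if notify else float("nan"),
    }


def patch_latency_days(records: List[PatchRecord]) -> float:
    """Median days from fix release to installation, over patches applied so far.
    Unapplied patches are excluded here and surface in the exposure measure
    instead, so a fix that is never installed cannot flatter this number."""
    return median(days_between(r.released, r.applied)
                  for r in records if r.applied is not None)


def exposed_devices(records: List[PatchRecord], as_of: date) -> Dict[str, Set[str]]:
    """Devices that had a released-but-unapplied fix on the as_of date.
    A patch applied after as_of still counts as exposure on that date; an
    advisory released after as_of does not count at all."""
    exposed: Dict[str, Set[str]] = {}
    for r in records:
        if r.released <= as_of and (r.applied is None or r.applied > as_of):
            exposed.setdefault(r.device, set()).add(r.advisory)
    return exposed


def share_with_known_vulns(records: List[PatchRecord], inventory: Set[str],
                           as_of: date) -> float:
    """Fraction of inventoried devices carrying a known, unpatched vulnerability."""
    return len(exposed_devices(records, as_of).keys() & inventory) / len(inventory)


# Constructed sample data for illustration (not APQC survey data).
INCIDENTS = [
    Incident("inc-1", date(2024, 1, 10), date(2024, 6, 20), date(2024, 8, 5), date(2024, 7, 20)),
    Incident("inc-2", date(2024, 3, 1), date(2024, 3, 15), date(2024, 3, 25), date(2024, 3, 20)),
    Incident("inc-3", date(2024, 2, 1), date(2024, 9, 1), date(2024, 10, 15), date(2024, 9, 26)),
]
INVENTORY = {"plc-01", "hmi-02", "erp-app-03", "wms-db-04", "laptop-05"}
PATCHES = [
    PatchRecord("plc-01", "ADV-2023-009", date(2023, 11, 1), date(2023, 12, 20)),
    PatchRecord("erp-app-03", "ADV-2024-001", date(2024, 5, 1), date(2024, 5, 29)),
    PatchRecord("wms-db-04", "ADV-2024-001", date(2024, 5, 1), date(2024, 6, 15)),
    PatchRecord("laptop-05", "ADV-2024-002", date(2024, 8, 10), date(2024, 8, 17)),
    PatchRecord("wms-db-04", "ADV-2024-002", date(2024, 8, 10), date(2025, 1, 5)),  # patched after AS_OF
    PatchRecord("plc-01", "ADV-2024-003", date(2024, 9, 1)),                         # still open
    PatchRecord("hmi-02", "ADV-2024-003", date(2024, 9, 1)),                         # still open
    PatchRecord("erp-app-03", "ADV-2024-004", date(2025, 1, 15)),                    # released after AS_OF
]
AS_OF = date(2024, 12, 31)


def scorecard() -> Dict[str, float]:
    """The timeliness measures plus the exposure share, as one report."""
    report = incident_cycle_times(INCIDENTS)
    report["patch_days"] = patch_latency_days(PATCHES)
    report["devices_with_known_vulns"] = share_with_known_vulns(PATCHES, INVENTORY, AS_OF)
    return report


if __name__ == "__main__":
    for measure, value in scorecard().items():
        print(f"{measure:>26}: {value}")
```

On the constructed data the report gives a median of 162 days to detect, 44 days to respond and recover, 25 days to notify customers, 45 days to patch, and 60% of devices exposed on the reporting date: the two OT devices with an open advisory plus the database host whose fix was not installed until after that date. Replacing the constants with an export from the ticketing system and the patch-management tool is the only change needed to run it against real records.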

3. ENGAGE IN CONTINUOUS IMPROVEMENT

As threats evolve, organizations must evolve their cybersecurity strategies. APQC has found that only 11% of organizations have fully implemented or optimized a continuous improvement program for cybersecurity. Evaluating vendors and securing the network are essential components for security, but regularly looking at whether the current actions are sufficient allows a company to be proactive in an ongoing effort to change as risks change.

4. INCLUDE PEOPLE AND CULTURE

People are the most important resource for any organization, but from a cybersecurity standpoint they can also be a great risk. Social engineering threats are on the rise, and the tactics used by bad actors continue to get more sophisticated. As shown in Figure 3, at the median, 90% of employees have completed cybersecurity training in the past year. Organizations should build a culture that values cybersecurity by increasing the frequency and scope of training as threats evolve.

According to APQC’s research, only 20% of organizations have fully implemented or optimized a culture of security, with employees understanding their role in cybersecurity. On the other end of the spectrum, 27% of organizations have not taken any real action toward creating this culture. Making security an integral part of the company culture helps keep it top of mind for employees and seen as less of a burden. Companies that do not demonstrate that security is a priority can give their employees the impression that security is “someone else’s job.”

An essential component of employee training is education on social engineering, in which bad actors use psychological manipulation to trick employees into divulging sensitive information or providing access to systems. So far only 21% of organizations have fully implemented this type of awareness training. Given that so many security breaches originate from phishing and similar attacks that initially target people rather than systems, companies should be proactive in training employees to identify social engineering risks.

5. ADOPT RESILIENCE AND BUSINESS CONTINUITY PLANS

Many organizations have adopted a business continuity plan for cybersecurity that can help the business recover from an incident. According to APQC’s research, 70% have a plan fully implemented or optimized, and 28% are in the process of rolling one out. Although it is good news that organizations have plans to ensure they recover as fast as possible following an incident, they should also invest more in proactive training and cultural changes that can reduce cybersecurity risks.

Adopting AI and machine learning helps both sides

Some organizations are embracing AI as a tool for cybersecurity. As shown in Figure 4, more than half are beginning to use device and user behavioral analytics to identify abnormal patterns. Nearly half are using AI or machine learning to analyze network traffic for unusual patterns.

Although this technology can be helpful in detecting potential risks, bad actors are also using AI to unleash more sophisticated attacks. One method is deepfakes: fake audio, images, or video that mimic real people's voices or appearance. These can be used to impersonate a company's senior leaders to gain access to sensitive information or to authorize payments and shipments. Companies can combat these threats with tactics such as establishing code words that senior leaders use if a supply chain professional, for example, is unsure of the person making contact, and requiring that unusual requests be confirmed through a separate channel the employee already knows, such as a call back to a number on file, rather than through the contact details supplied in the request itself.

Add proactive to reactive

The reality is that organizations cannot completely eliminate all cyber threats, although they are much better positioned if they reduce their risk through proactive planning. Reviewing vendor security, protecting devices on the network, engaging in continuous improvement, adopting a security culture, and having a business continuity plan can reduce the risk of an incident and also mitigate the impact if an incident does occur. Another important proactive move is to conduct regular internal security assessments and audits against established frameworks such as ISO 27001 and the NIST Cybersecurity Framework.

An additional step that organizations can take is to invest in cyber insurance. Such policies typically cover the financial losses resulting from incidents such as ransomware attacks and data breaches, and may cover ransom payments and malware remediation. Cyber insurance policies often require the purchasing organization to take risk mitigation steps such as ensuring that data backups cannot be modified, installing patches promptly, and using multifactor authentication; the controls an insurer demands are a useful minimum checklist even for organizations that choose not to buy coverage.

An organization’s cybersecurity strategy must include multiple steps that work in tandem to protect the company and all the parties involved in the supply chain. A thoughtful, well-managed strategy combined with loss mitigation measures such as cyber insurance ensures that the organization can be both proactive to reduce risk and reactive to reduce loss.

Data in this content was accurate at the time of publication. For the most current data, visit apqc.org.


About APQC

APQC (American Productivity & Quality Center) is the world's foremost authority in benchmarking, best practices, process and performance improvement, and knowledge management (KM). With more than 1,000 member organizations worldwide, APQC provides the information, data, and insights organizations need to support decision-making and develop internal skills.

This content includes median values sourced from APQC’s Open Standards Benchmarking database. If you’re interested in having access to the 25th and 75th percentiles or additional metrics, including various peer group cuts, they are either available through a benchmark license or the Benchmarks on Demand tool depending on your organization’s membership type.

APQC’s Resource Library content leverages data from multiple sources. The Open Standards Benchmark repository is updated on a nightly cadence, whereas other data sources have differing schedules. To provide as much transparency as possible, APQC will always attempt to provide context for the data included in our content and leverage the most up-to-date data available at the time of publication.


About the Author

Marisa Brown, Senior Principal Research Lead

Marisa Brown is senior principal research lead, supply chain management, APQC.

