The Lack of Talent Exacerbates Cybersecurity Risks in Vendors

The supply chain has become one of the most fragile points in corporate cybersecurity, but the problem is no longer just technical. It’s also human. Companies rely on dozens of software providers, cloud services, integrators, consultants, and contractors with access to internal systems. However, many lack enough qualified professionals to review, monitor, and govern this web of digital relationships.

The latest global report from Kaspersky, "Supply chain reaction: securing the global digital ecosystem in an age of interdependence", quantifies a tension that many security teams already know well. 42% of organizations identify a shortage of qualified personnel as a top obstacle to protecting against attacks on the supply chain and on trust relationships. The same percentage points out that other security priorities divert the resources that are available.

These figures matter because supply chain attacks are not a marginal threat. According to the study, they were the most common type of cyberattack experienced by companies over the past 12 months, affecting 31% of organizations. Attacks based on trust relationships reached 25%. Despite this, only 9% of companies rank the supply chain among the most dangerous threats, a gap between actual exposure and perceived risk that shows the threat is still underestimated.

Many dependencies, few teams to control them

Modern businesses no longer operate in isolation. They use external software, SaaS platforms, public clouds, managed services, APIs, collaboration tools, maintenance providers, development partners, and specialized contractors. Each element may be necessary for operations but also expands the attack surface.

Kaspersky estimates that, on average, surveyed companies work with over 60 hardware and software providers. Additionally, contractors with access to internal systems typically range between 25 and 99, with an average of 72. Managing this volume requires inventory control, permission reviews, access controls, monitoring, audits, contractual clauses, response plans, and continuous oversight.

The problem is that many security teams are overwhelmed. They must handle ransomware, phishing, critical vulnerabilities, cloud incidents, compliance, endpoint security, identity, and AI threats, and assess third parties on top of all that. In practice, supplier security often gets trapped between procurement, legal, IT, and the SOC, with no dedicated function to manage it end-to-end.

Report indicator | Key data
Organizations affected by supply chain attacks | 31%
Organizations affected by trust-based relationship attacks | 25%
Organizations needing to strengthen their protection | 85%
Organizations considering their current measures effective | 15%
Hardware and software providers per company | Over 60 on average
Contractors with internal system access | Average of 72
Companies citing lack of qualified personnel | 42%

The talent shortage impacts basic controls. Only 38% of organizations use two-factor authentication as a measure against supply chain and trust relationship risks. 37% include security requirements in vendor contracts, and 35% periodically review the cybersecurity posture of their contractors. These practices are well known but not widely implemented.

Even more concerning: only 28% evaluate the reliability of suppliers before engagement, and just 18% specifically verify their cybersecurity levels. Many companies still assess third parties based on price, solvency, reputation, or contractual capacity—rather than actual security of the systems connecting to their infrastructure.

The professional shortage turns risk into accumulated debt

Lack of specialists doesn’t just mean some tasks take longer. It leads to security debt. A supplier is onboarded without sufficient review. A service account retains overly broad permissions. An integration isn’t documented. Remote access remains active after a project ends. An incident reporting clause isn’t included in contracts. A critical supplier isn’t reevaluated for years.

Each small oversight may seem manageable on its own. The problem arises when it is multiplied across dozens of suppliers and hundreds of accesses. At that point the supply chain stops being a list of third parties and becomes a trust network that is difficult to audit.
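The failure modes listed above (a service account that keeps broad permissions, remote access that survives the end of a project, a contractor login nobody has reviewed in months) are exactly what a periodic third-party access review is meant to catch. The following is an added example, not code from the article or from Kaspersky: it runs a small rule set over a constructed inventory of third-party accounts and returns the findings, the accounts that should be disabled immediately, and a per-vendor count to prioritise reviews. The inventory rows, the 90-day staleness threshold and the set of permission strings treated as "overly broad" are all assumptions chosen for illustration; a real review would read the inventory from the identity provider, VPN and cloud IAM exports.

```python
"""Third-party access review over a constructed inventory (added example).

The inventory, thresholds and permission names below are constructed for
illustration and are not taken from the Kaspersky report.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

STALE_AFTER_DAYS = 90  # assumption: no login in 90 days means the access is stale
# assumption: permission strings that count as overly broad for an external party
BROAD_PERMISSIONS = frozenset({"*", "admin", "owner", "iam:*"})
REVIEW_DATE = date(2024, 6, 3)  # fixed reference date so the review is reproducible


@dataclass
class ThirdPartyAccess:
    vendor: str
    account: str
    kind: str                      # "user" (a person) or "service" (an integration)
    enabled: bool
    mfa: bool
    last_login: date | None        # None: never logged in
    project_end: date | None       # None: open-ended engagement
    permissions: frozenset[str] = field(default_factory=frozenset)


# Constructed inventory; every row is illustrative.
INVENTORY = [
    ThirdPartyAccess("acme-integrator", "svc-acme-sync", "service", True, False,
                     date(2024, 5, 30), date(2024, 3, 31),
                     frozenset({"s3:read", "iam:*"})),
    ThirdPartyAccess("acme-integrator", "j.doe@acme.example", "user", True, True,
                     date(2024, 6, 1), date(2024, 12, 31), frozenset({"repo:read"})),
    ThirdPartyAccess("cloud-msp", "ops@msp.example", "user", True, False,
                     date(2024, 1, 10), None, frozenset({"vpn:access", "admin"})),
    ThirdPartyAccess("cloud-msp", "svc-msp-backup", "service", False, False,
                     None, date(2023, 11, 30), frozenset({"backup:write"})),
    ThirdPartyAccess("pentest-co", "tester@pentest.example", "user", True, True,
                     date(2024, 5, 28), date(2024, 6, 30), frozenset({"vpn:access"})),
]


def review_access(inventory: list[ThirdPartyAccess], today: date) -> list[tuple[str, str, str]]:
    """Return (vendor, account, finding) triples for enabled accounts that break a rule.

    Disabled accounts are skipped: they are not an exposure, only inventory noise.
    """
    findings = []
    for a in inventory:
        if not a.enabled:
            continue
        if a.project_end is not None and a.project_end < today:
            findings.append((a.vendor, a.account, "project-ended-still-enabled"))
        if a.last_login is None or (today - a.last_login).days > STALE_AFTER_DAYS:
            findings.append((a.vendor, a.account, "stale-no-recent-login"))
        if a.kind == "user" and not a.mfa:
            findings.append((a.vendor, a.account, "user-without-mfa"))
        if a.permissions & BROAD_PERMISSIONS:
            findings.append((a.vendor, a.account, "overly-broad-permissions"))
    return findings


def revocation_list(findings: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Accounts to disable now: access that outlived its project or is no longer used.

    MFA and permission findings need a conversation with the vendor first, so they
    are reported but not put on the immediate revocation list.
    """
    immediate = {"project-ended-still-enabled", "stale-no-recent-login"}
    return sorted({(v, acc) for v, acc, f in findings if f in immediate})


def vendor_summary(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Number of findings per vendor, to decide which supplier to re-evaluate first."""
    counts: dict[str, int] = {}
    for vendor, _, _ in findings:
        counts[vendor] = counts.get(vendor, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_access(INVENTORY, REVIEW_DATE)
    for item in found:
        print(item)
    print("revoke now:", revocation_list(found))
    print("per vendor:", vendor_summary(found))
```

Run against the constructed inventory, the review flags the integrator's sync service account (project ended in March, still enabled, and holding `iam:*`) and the managed service provider's operator login (no login since January, no MFA, `admin` granted); the freshly onboarded pentester and the disabled backup account produce nothing. The split between "disable now" and "raise with the vendor" is the point: a stale or expired access is revoked without discussion, while MFA and permission scope are contractual questions that the article's security clauses are supposed to settle.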

The report highlights other barriers that worsen the issue. 39% of organizations point to the absence of legally binding cybersecurity obligations in supplier contracts, an issue also prominent in Spain. 32% say that staff outside the security function do not fully understand these risks. The combination is dangerous: missing experts on one side, and a lack of security culture in procurement, contracting, and service deployment on the other.

For a tech-focused audience, the message is clear: the market doesn’t just need more tools. It needs more skilled profiles capable of operating those tools, interpreting risks, negotiating requirements with vendors, and translating technical controls into business decisions. Ensuring supply chain security requires knowledge of identity, cloud, networks, architecture, compliance, risk analysis, contractual management, and incident response.

Automation yes, but not as a substitute for judgment

Talent shortages are pushing many companies towards more automated solutions: XDR, MXDR, NDR, threat intelligence, continuous monitoring, third-party scoring, or managed services. It makes sense. In environments with limited staff, outsourcing detection, investigation, and response can reduce response times and improve coverage.

However, automation doesn’t solve the underlying problem. A tool can detect anomalous behavior, correlate events, or monitor compromised credentials. But it can’t always decide which supplier is critical, which access to revoke, which contractual clause is missing, or which dependency to accept for business reasons. Human judgment remains essential.

Kaspersky advocates for a layered defense: evaluate suppliers before contracting, include security obligations in agreements, enforce least privilege and zero trust, strengthen identity management, continuously monitor, enhance network visibility, leverage third-party digital footprint intelligence, and develop specific response plans for supply chain incidents.

Critical area | What's required
Tech procurement | Cybersecurity evaluation before contracting
Legal and compliance | Security clauses, audits, incident management
IT and architecture | Inventory of integrations and accesses
SOC | Monitoring of third-party activity
Identity | Least privilege, MFA, regular review
Leadership | Prioritized budget and risk governance

The key isn’t just ticking off a checklist. Checking an ISO certificate, requesting a pentest, or reading a security policy is helpful but insufficient if it’s not followed by continuous monitoring, permission reviews, and response capabilities. Supply chain security isn’t a static snapshot before signing a contract. It’s an ongoing discipline.

Cybersecurity as a competitive advantage

One of the most interesting findings in the report is that 69% of organizations would be willing to share cybersecurity costs with their contractors if it helped ensure greater protection, and 25% already do so. This reflects a mindset shift: in some cases, demanding security from a critical supplier isn’t enough; companies will need to help them achieve it.

This can be especially relevant for small providers delivering essential services to large corporations. A tech SME might have specialized knowledge but limited capacity to maintain a mature security team. If that SME becomes a critical link, the client side can choose to either accept the risk or collaborate to mitigate it.

Supply chain cybersecurity will shift from being a compliance requirement to a business criterion. Companies demonstrating good practices, transparency, and responsiveness will gain a competitive edge. Being a secure supplier will eventually matter as much as being cost-effective, fast, or functional.

Therefore, the lack of professionals isn’t just an internal security concern; it’s a limitation across the entire digital ecosystem. Without enough talent, companies can’t properly evaluate third parties; providers can’t meet increasingly demanding requirements; and incidents spread more easily.

Kaspersky’s report sends a clear message to the industry: supply chain has become one of the main attack vectors, yet organizations still don’t allocate enough personnel, processes, or priority. In a world where everyone depends on everyone else, cybersecurity talent shortages impact not just individual companies but the entire network.

FAQs

Why is there a shortage of cybersecurity professionals managing suppliers?
Because third-party security requires roles capable of combining technical, legal, risk, cloud, identity, monitoring, and incident response expertise. Many companies already have saturated teams with other priorities.

What’s the risk of not properly reviewing suppliers?
A compromised account, misconfigured cloud environment, unpatched vulnerability, or excessive permissions can become an entry point into the client company.

What basic measures should be implemented?
Supplier and access inventories, MFA, least privilege, security clauses in contracts, pre-contract assessments, continuous monitoring, and response plans including quick disconnection of third parties.

Can automation compensate for the lack of talent?
It can help—especially with solutions like XDR, MXDR, NDR, and threat intelligence—but it doesn’t replace the human judgment needed to prioritize risks, negotiate clauses, and make business decisions.

Source: Open Security
