5 risk factors from supply chain interdependencies in a complex cybersecurity landscape

We need to invest in cybersecurity education and awareness.

Image: Getty Images/iStockphoto.

This article is part of: Centre for Cybersecurity
  • According to the World Economic Forum’s Global Cybersecurity Outlook 2025, the increasing reliance on complex supply chains is leading to a more uncertain and unpredictable cybersecurity landscape.
  • Last year saw the most significant IT outage in history, highlighting the importance of safeguarding the cybersecurity ecosystem.
  • Five key risk factors from supply chain interdependencies have been identified that contribute to an increasingly complex landscape.

In its Global Cybersecurity Outlook 2025, the World Economic Forum identifies supply chain interdependencies as a leading factor in the increasing complexity of cyberspace in 2025. Named the top ecosystem cyber risk, supply chain vulnerabilities are the primary barrier to cyber resilience for 54% of large organizations.

Five core factors account for the complexity and risk arising from supply chain interdependencies.

1. Cyber inequity

Ecosystem resilience is often determined by its weakest link. The Forum's report highlights that while large organizations have recorded an increase in cyber resilience over 2024, smaller organizations continue to bear the weight of inequity, with 35% reporting insufficient cyber resilience.

To ensure a resilient cyber ecosystem, it is essential that smaller organizations are not left behind in meeting security standards due to a lack of resources compared to their larger counterparts. SMEs must view cybersecurity as a business problem and make strategic choices to enhance their resilience. Additionally, government policies and industry collaboration can help narrow the skills gap and promote cybersecurity education and awareness. By supporting smaller organizations in meeting security standards, larger, resource-rich organizations can strengthen the entire network’s security, ensuring a more resilient cyber ecosystem.

2. Limited visibility on supply chains

As supply chains expand, organizations find it increasingly difficult to maintain complete oversight of their suppliers’ security maturity. The growing attack surface and system interdependencies amplify the scope for potential attacks and damage.

Furthermore, it is increasingly difficult to enforce security standards on suppliers. The Forum's report highlights that Chief Information Security Officers (CISOs) identify ensuring third-party compliance as their main challenge in effectively implementing cyber regulations. Whereas heavily regulated industries are making progress in gaining visibility on their suppliers, the incentive is currently missing for less regulated industries, leaving the ecosystem increasingly vulnerable.

3. Software vulnerabilities introduced by third parties

In today's interconnected cybersecurity landscape, the complexities of software supply chain interdependencies are significant. As supply chains expand, new entities often introduce vulnerabilities, especially when third-party compliance is challenging to verify or when open-source code is used.

The rapid adoption of artificial intelligence (AI) adds to this complexity, with only 37% of organizations having processes to assess AI tool security before deployment. This lack of safeguards, particularly among 69% of smaller organizations, reveals a broader threat landscape as it risks the introduction of vulnerabilities not only into individual IT estates but also those of the entire ecosystem.

Regulations like the EU’s AI Act aim to enhance AI security, but organizations must take a proactive approach to building resilience. KPMG’s Global Tech Report 2024 emphasizes the need for a comprehensive framework to establish trusted safeguards throughout the AI lifecycle. This framework's key elements include secure coding practices, code reviews and testing to protect against risks such as backdoor attacks, data poisoning and model evasion.

4. Dependence on critical providers

The reliance on a limited number of critical providers introduces systemic points of failure within supply chains. Vulnerabilities in these providers can impact not only their direct customers but also the thousands of organizations and subsequent supply chains that depend on them. Cloud providers exemplify this risk, as their dominance means any disruption can cascade across numerous supply chains and ecosystems.

While providers are responsible for secure software development, the Forum’s report emphasizes that CISOs and organizations must build resilience to mitigate interdependency risks. Modern IT architectures, composed of smaller, interconnected services, make it difficult to fully understand all dependencies and potential impacts of faults or outages.

KPMG stresses the importance of effective business continuity planning to prevent, respond to and recover from operational disruptions, ensuring essential functions and core revenue-generating processes are sustained. CIOs must build a resilient technology stack and IT operating model to manage unexpected business challenges and maintain process integrity. These measures are crucial for mitigating risks from dependencies on critical providers and third parties, decreasing complexity in cyberspace by increasing the stability and reliability of interconnected systems and services.

5. Geopolitical impact on supply chains

Cyber risks are increasingly influenced by geopolitical factors, with attacks often crossing national boundaries. The Forum’s report found that nearly 60% of organizations' cyber strategies are influenced by geopolitical tensions, with 16% changing vendors.

Geopolitical tensions significantly disrupt global supply chains by limiting access to skilled labour, essential materials and advanced technologies. Trade barriers and shifting alliances cause delays and shortages, especially in industries reliant on complex, interconnected networks. These disruptions slow production, hinder innovation and heighten vulnerabilities worldwide.

The tools used in cyber breaches are also shaped by geopolitical tensions. Rising tensions lead to escalated cybercrime, with lower-level criminals quickly adopting left-behind war machinery. This escalates the threat to and complexity of global supply chains, not only through the impact of geopolitical actors and tensions but also through cybercriminals' use of high-capability weapons.

Safeguarding supply chains

Organizations must proactively tackle the complexities and risks stemming from supply chain interdependencies. In an era of growing cyber risks, prioritizing visibility on supply chains will ensure organizations are better positioned to safeguard their digital infrastructure and protect digital assets through improved capabilities such as threat detection and incident response. Such a proactive approach is crucial to managing complexity in cyberspace.

Building resilience requires organizations not only to secure their own systems but also to support smaller partners in the supply chain. Effective business continuity planning, robust IT asset management and adherence to regulatory standards are essential. By fostering collaboration and investing in cybersecurity education, organizations can enhance the overall security of the ecosystem. This proactive approach will mitigate vulnerabilities, reduce the impact of disruptions and ensure a stable and reliable cyberspace for all stakeholders.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
