UK firms hit by supplier cyber attacks struggle to map exposure fast enough


Leading supply chain security firm Risk Ledger has launched a new report revealing that supply chain cyber incidents continue to affect the vast majority of organisations, with 82% experiencing at least one incident in their supply chain during the past year.

Risk Ledger’s ‘Every Link Matters: The State of Supply Chain Security 2026’ report found that the threat is mounting. Nearly half of organisations (47%) experienced two or more supplier-related cyber incidents in the past year alone, highlighting the scale of the threat now facing businesses through their supply chains.

A quarter (25%) of organisations identified a lack of visibility into fourth- and fifth-party suppliers as the single biggest shortcoming in their current approach to third-party risk management – the most cited challenge of all those surveyed. Despite growing investment in cyber resilience, confidence in existing approaches remains limited, with many organisations still struggling to understand the dependencies supporting their critical business services.

“Traditional approaches to supply chain cyber security are no longer enough to deal with the speed and complexity of modern threats,” said Haydn Brooks, CEO and Co-Founder of Risk Ledger. “The fact that 93% of security leaders want an industry-wide model for sharing supplier intelligence tells you everything about where the market is heading. Organisations recognise that cyber resilience can no longer be achieved in isolation. However, businesses still lack visibility into dependencies, continuous insight and the collaborative mechanisms needed to identify risks before they escalate into operational disruption.”

Businesses lack confidence in current approaches

Businesses also lack confidence in their current approaches to supplier cyber security monitoring. Only 41% of organisations have fully automated, real-time monitoring of their direct suppliers’ security controls, while 54% rely on quarterly reviews or event-triggered updates.

This is slowing organisations’ ability to respond during a live cyber incident. Fewer than one in ten (9%) said they could map their full supplier exposure within four hours of a major attack, while more than half said it would take over a working day to understand whether they were affected.

On average, businesses take 1.9 days to map exposure across their supplier network following a major cyber incident, highlighting the gap between awareness of supply chain cyber risk and organisations’ ability to act quickly when an attack is already underway.

Traditional approaches are reaching their limits

Traditional third-party risk management processes are struggling to deliver the speed, visibility and operational insights required to respond to modern supply chain attacks.

While 60% of organisations said traditional third-party risk management processes are somewhat effective, less than half of those organisations (28%) believe they are very effective. This marks a 9% year-on-year decline from 2025, when 37% believed traditional TPRM approaches were very effective. Confidence in existing models is continuing to weaken as threats evolve.

One in five organisations pointed to the inability to continuously monitor supplier security controls as a major limitation in their current approach. The findings show that while businesses understand the scale of the threat, their ability to manage it in real time has not kept pace.

As a result, businesses are increasingly moving towards Active Supply Chain Security (ASCS) – a continuous, network-first approach that replaces periodic assessments with real-time visibility and collective defence.

Collective defence: what the industry is asking for

There is an overwhelming consensus across the industry, with 93% of organisations supporting an industry-wide collaborative model for sharing supplier cyber assurance and intelligence data.

However, nearly one in four (24%) organisations still cannot identify concentration risks across shared suppliers and subcontractors, creating blind spots when multiple organisations depend on the same critical third parties.

Supply chain cyber resilience cannot be solved by individual organisations operating in isolation, particularly as attackers increasingly target shared suppliers and interconnected digital networks.

“A collaborative model means businesses can continuously share assurance data, identify systemic vulnerabilities earlier and respond to threats collectively rather than individually,” said Brooks. “In practice, that creates a much more dynamic and resilient approach to supply chain security, especially when attacks can escalate across entire ecosystems within hours.”

To find out more, read the full report here.