{"id":7909,"date":"2026-06-18T22:55:31","date_gmt":"2026-06-18T21:55:31","guid":{"rendered":"https:\/\/riskstudio.com\/blog\/verizon-dbir-2026-supply-chain-risk-reaches-record-high\/"},"modified":"2026-06-18T23:10:42","modified_gmt":"2026-06-18T22:10:42","slug":"verizon-dbir-2026-supply-chain-risk-reaches-record-high","status":"publish","type":"post","link":"https:\/\/riskstudio.com\/en\/blog\/verizon-dbir-2026-supply-chain-risk-reaches-record-high\/","title":{"rendered":"Verizon DBIR 2026: Supply Chain Risk Reaches Record High"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>Suppliers have now become one of the greatest cyber risks for organizations.<\/strong> According to the Verizon Data Breach Investigations Report (DBIR) 2026, a third party was involved in 48% of all investigated data breaches. This is a massive increase compared to 30% in 2025 and only 15% in 2024. <\/p>\n\n<p class=\"wp-block-paragraph\">The message is clear: organizations can no longer assess their cyber resilience solely based on their own security measures. The security of suppliers, software vendors, cloud providers, and other external parties is now just as important. <\/p>\n\n<h2 class=\"wp-block-heading\">The supply chain is the new attack surface<\/h2>\n\n<p class=\"wp-block-paragraph\">The DBIR figures show a trend that has been visible for several years. Attackers are increasingly targeting suppliers because they can gain access to multiple organizations simultaneously through a single successful attack. <\/p>\n\n<p class=\"wp-block-paragraph\">The development is striking:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>2024: 15% of data breaches involved a third party.<\/li>\n\n\n\n<li>2025: This doubled to 30%.<\/li>\n\n\n\n<li>2026: Another increase to 48%.<\/li>\n<\/ul>\n\n<p class=\"wp-block-paragraph\">In other words: nearly one in two data breaches now originates via a supplier, software component, cloud environment, or other external party.<\/p>\n\n<p class=\"wp-block-paragraph\">For many organizations, this means that their greatest cyber risk lies outside their own network.<\/p>\n\n<h2 class=\"wp-block-heading\">Why is the risk rising so rapidly?<\/h2>\n\n<p class=\"wp-block-paragraph\">There are several causes for this development.<\/p>\n\n<h3 class=\"wp-block-heading\">More dependencies than ever<\/h3>\n\n<p class=\"wp-block-paragraph\">Organizations use dozens to hundreds of SaaS solutions, cloud platforms, software libraries, IT service providers, and external partners. Every new connection creates an additional attack opportunity. Whereas organizations used to manage their own infrastructure, the modern digital environment consists of an extensive ecosystem of suppliers and sub-suppliers.  <\/p>\n\n<h3 class=\"wp-block-heading\">Attackers choose the weakest link<\/h3>\n\n<p class=\"wp-block-paragraph\">Cybercriminals know that large organizations are often well-protected. Therefore, they look for suppliers with less mature security. A successful attack on a single supplier can then provide access to dozens or even hundreds of customers. Well-known examples from recent years show that software vendors, cloud platforms, and managed service providers are increasingly being used as a springboard to larger targets.   <\/p>\n\n<h3 class=\"wp-block-heading\">Trust is being exploited<\/h3>\n\n<p class=\"wp-block-paragraph\">Many suppliers have access to their customers&#8217; systems, data, or processes. When a supplier is compromised, attackers can often exploit existing trust relationships. Furthermore, many investigated incidents showed that insufficient authentication, missing MFA, or overly broad access rights played a significant role.  <\/p>\n\n<h2 class=\"wp-block-heading\">Even more concerning signals from the DBIR 2026<\/h2>\n\n<p class=\"wp-block-paragraph\">The increase in supply chain incidents is not an isolated event. Other findings from the report reinforce the view that organizations must better manage their risks outside their own perimeter. <\/p>\n\n<h3 class=\"wp-block-heading\">Vulnerabilities are now the primary access method<\/h3>\n\n<p class=\"wp-block-paragraph\">For the first time in DBIR history, exploiting vulnerabilities (31%) has become more significant than stealing passwords as an initial attack method. This is relevant for supply chain security because organizations depend on the speed at which suppliers resolve vulnerabilities. <\/p>\n\n<h3 class=\"wp-block-heading\">Only a quarter of critical vulnerabilities are resolved<\/h3>\n\n<p class=\"wp-block-paragraph\">According to the report, only 26% of known actively exploited vulnerabilities were fully remediated in 2025. At the same time, the average time to remediate vulnerabilities rose to 43 days. When suppliers lag behind in patching, it creates an immediate risk for their customers.  <\/p>\n\n<h3 class=\"wp-block-heading\">Ransomware continues to grow<\/h3>\n\n<p class=\"wp-block-paragraph\">Ransomware was present in 48% of all investigated data breaches. As such, ransomware remains one of the most common forms of attack. A ransomware attack on a critical supplier can lead not only to data loss but also to operational disruptions for all connected customers.  <\/p>\n\n<h2 class=\"wp-block-heading\">What does this mean for organizations?<\/h2>\n\n<p class=\"wp-block-paragraph\">The figures from the Verizon DBIR make it clear that traditional supplier assessments are no longer sufficient. An annual questionnaire or occasional audit only provides a snapshot, while cyber risks change daily. Organizations need:   <\/p>\n\n<ul class=\"wp-block-list\">\n<li>Continuous insight into the digital resilience of suppliers.<\/li>\n\n\n\n<li>Monitoring of vulnerabilities and exposed systems.<\/li>\n\n\n\n<li>Notifications of data breaches, ransomware incidents, and other cyber incidents.<\/li>\n\n\n\n<li>Insight into critical dependencies within the supply chain.<\/li>\n\n\n\n<li>Prioritization of suppliers that are essential for business processes or crown jewels.<\/li>\n<\/ul>\n\n<p class=\"wp-block-paragraph\">This is precisely why focus is increasingly shifting from Vendor Risk Management to continuous Supply Chain Monitoring.<\/p>\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n<p class=\"wp-block-paragraph\">The Verizon DBIR 2026 confirms a trend that can no longer be ignored: cyber risk is increasingly shifting toward the supply chain.<\/p>\n\n<p class=\"wp-block-paragraph\">While in 2024 only 15% of data breaches involved a third party, this has risen to 48% in 2026. Nearly half of all data breaches now originate via suppliers, software vendors, or other external parties. <\/p>\n\n<p class=\"wp-block-paragraph\">For organizations looking to improve their cyber resilience, this means that securing their own environment is no longer enough. Insight into suppliers, dependencies, and external risks has become an essential part of modern risk management. <\/p>\n\n<p class=\"wp-block-paragraph\">Those who do not monitor their supply chain are only managing a portion of their cyber risk.<\/p>\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Suppliers have now become one of the greatest cyber risks for organizations. According to the Verizon Data Breach Investigations Report (DBIR) 2026, a third party &#8230; <a title=\"Verizon DBIR 2026: Supply Chain Risk Reaches Record High\" class=\"read-more\" href=\"https:\/\/riskstudio.com\/en\/blog\/verizon-dbir-2026-supply-chain-risk-reaches-record-high\/\" aria-label=\"Read more about Verizon DBIR 2026: Supply Chain Risk Reaches Record High\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":7910,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[],"class_list":["post-7909","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-topicality","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/posts\/7909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/comments?post=7909"}],"version-history":[{"count":1,"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/posts\/7909\/revisions"}],"predecessor-version":[{"id":7911,"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/posts\/7909\/revisions\/7911"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/media\/7910"}],"wp:attachment":[{"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/media?parent=7909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/categories?post=7909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/riskstudio.com\/en\/wp-json\/wp\/v2\/tags?post=7909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}