EY Survey Reveals Rising Cyber Threats from Third-Party Supply Chain Risks

An EY survey reveals 90% of organizations suffered disruptive third-party cyber incidents in the past year, with supply chain attacks rising. Only a small percentage monitor all suppliers. Experts emphasize the need for improved third-party risk management and collaboration to combat increasingly sophisticated and frequent supply chain cybersecurity threats facing
Written by Ryan Gibson

A wave of high-profile cyberattacks exploiting weaknesses in supply chain partners is prompting heightened concerns among corporate leaders over third-party cybersecurity risks, according to a new survey from Ernst & Young (EY).

More than half of the organizations polled, spanning industries from finance to manufacturing, reported suffering a material incident stemming from a third-party relationship in the past two years. Despite these experiences, only about 29% said they were ‘very confident’ in their ability to detect and mitigate risks within their digital supply chain, the global survey of 500 senior cybersecurity executives found.

This growing unease comes as hackers increasingly target the complex network of vendors, contractors and suppliers that form the operational backbone of modern enterprises. Attackers, experts say, often look for the weakest link, which is frequently a less-secure third party with access to sensitive data or infrastructure.

“You’re only as strong as your most vulnerable supplier,” Matt Chambers, EY Americas Cybersecurity Leader, said in an interview. “Organizations have spent years hardening their internal defenses, but adversaries are relentless in probing the edges — and that often means partners.”

The survey underscores that supply chain vulnerabilities are now at the top of the boardroom agenda. Respondents labeled third-party threats as their most significant cyber risk, ahead of ransomware, insider threats, and direct attacks on enterprise systems.

Despite the heightened threat, the survey paints a picture of uneven progress in managing supply chain-related risk. While around 68% of companies require their vendors to comply with cybersecurity standards or complete assessments, fewer than half said they verify on an ongoing basis that those standards are actually being met.

“‘Trust, but verify’ is the new imperative,” said Chambers. “A once-a-year check simply isn’t sufficient in this environment.”

Third-party incidents can have costly and wide-reaching impacts. The 2020 SolarWinds hack, for example, enabled attackers, widely attributed to a state-sponsored group, to compromise a host of U.S. government agencies and Fortune 500 firms by inserting a backdoor into legitimate software updates of a widely used network management product, so that every customer who installed the trusted update was exposed. More recently, ransomware operators have abused software vendors and managed service providers as a single point of entry into many customer organizations at once.

Legal and regulatory pressure is mounting as well. U.S. authorities, including the Securities and Exchange Commission, have adopted rules requiring public companies to disclose material cybersecurity incidents promptly (under the SEC’s 2023 rules, within four business days of determining that an incident is material), including incidents that originate with vendors or supply chain partners.

To close the gap, companies are ramping up investment in automated monitoring tools, contractual requirements, and collaboration with suppliers on joint risk management, the survey showed. Still, many struggle to keep pace with the proliferation of vendors — large companies now have relationships with thousands of third parties, each representing a potential vector for cyber intrusion.

EY’s report also stressed the importance of consolidating vendor portfolios and prioritizing risk assessments based on criticality. “You can’t manage what you can’t see,” Chambers noted. “Visibility and real-time intelligence across your third parties are critical to staying ahead of the threat.”

For most organizations, eliminating third-party risk entirely is impossible — but diligent oversight and continuous defense, experts say, can help prevent a weak link from becoming a costly breach.

“We’re all in this together,” Chambers said. “When one partner gets hit, the ripple effects can be immense.”
