Uncovering Cyber Risks in the Global Supply Chain

Written by Ben Edwards
Principal Research Scientist

No organization can achieve its goals on its own. To truly get ahead in a rapidly transitioning digital society, any organization needs a diverse group of partners who specialize in the products and services it does not. Commonly referred to as a “supply chain,” this web of connections keeps the world operating smoothly, but navigating its many connections is challenging.

Luckily, Bitsight TRACE doesn’t shy away from a challenge. Drawing on Bitsight data from a variety of sources—including third-party relationships, our security scanning technologies, entity mapping, and financial data—we recently completed a new report that offers one of the most comprehensive pictures of what the global, digital supply chain looks like.

Unpacking the size and complexity of the supply chain

Consider the network diagram below. It shows only a small fraction (0.064%) of the global supply chain and its connections; each point is a different organization, colored by industry (black is the tech sector, the most heavily represented) and sized by its relative importance in the global economy. Even this keyhole view makes it clear how underappreciated the global supply network’s complexity is.

Figure 1: A small fraction of the global supply network

But navigate this complexity we must, because within those connections are systemic risks to all organizations. Some of the most severe recent headline incidents, including Kaspersky (June 2024), Snowflake (May 2024), and CrowdStrike (July 2024), mattered as much as they did precisely because they impacted the global supply chain.

That’s why Bitsight TRACE has taken a deep, data-driven dive into this topic to produce a report designed to help organizations better understand and approach the security risks posed by these myriad connections. The new research report, “Under the Surface: Cybersecurity Risks within the Global Supply Chain,” is full of illuminating facts:

  1. Supply chains are vast. We find that a typical organization employs hundreds of products from dozens of providers.
  2. Providers have 2.5x larger supply chains compared with the consumers they serve. The providers we observe in our data set tend to have larger supply chains compared with their consumer customers. With a larger attack surface to defend, providers tend not to perform as strongly as consumers.
  3. There are several areas of concentrated risk across the supply chain. In some industries, providers who serve <1% of companies service more than 50% of the market share (based on their clients’ revenue).
  4. 33% of US organizations rely on companies listed by the US Department of Defense as “Chinese Military Companies.” In the current geopolitical zeitgeist, it is more important than ever to understand “who” is in your supply chain.
  5. We highlight the “Critical 99,” the top 99 providers in the global supply chain based on market share. There are hidden pillars in the global supply chain that provide services to a large portion of certain markets’ revenue.
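As an added illustration (not Bitsight’s code or data), the following Python computes the market-share metric the findings above rely on over a small constructed consumer-provider graph: a provider’s share of an industry is the fraction of that industry’s total client revenue held by the companies that use it, and concentrated risk appears where a provider serves a small fraction of companies yet a large revenue share. The thresholds are parameters because the constructed sample is far smaller than the report’s data set.

```python
from collections import defaultdict

# Constructed sample data (not from the report): consumer -> (industry, revenue in $M)
CONSUMERS = {
    "acme": ("finance", 900), "birch": ("finance", 600), "cedar": ("finance", 40),
    "delta": ("finance", 30), "elm": ("finance", 20), "fir": ("finance", 10),
    "gamma": ("tech", 500), "hotel": ("tech", 100),
}
# Constructed supply-chain edges: consumer -> set of providers it relies on
EDGES = {
    "acme": {"cloudco", "mailco", "nicheco"}, "birch": {"cloudco", "mailco"},
    "cedar": {"mailco"}, "delta": {"mailco"}, "elm": {"mailco"}, "fir": {"mailco"},
    "gamma": {"cloudco", "mailco"}, "hotel": {"mailco"},
}

def market_share(consumers, edges):
    """Per industry, map each provider to (fraction of the industry's companies
    it serves, share of the industry's total client revenue it underpins)."""
    totals = defaultdict(lambda: [0, 0.0])                        # industry -> [clients, revenue]
    served = defaultdict(lambda: defaultdict(lambda: [0, 0.0]))   # industry -> provider -> [clients, revenue]
    for consumer, (industry, revenue) in consumers.items():
        totals[industry][0] += 1
        totals[industry][1] += revenue
        for provider in edges.get(consumer, ()):
            served[industry][provider][0] += 1
            served[industry][provider][1] += revenue
    return {
        ind: {p: (n / totals[ind][0], rev / totals[ind][1]) for p, (n, rev) in provs.items()}
        for ind, provs in served.items()
    }

def concentrated_risk(shares, max_client_frac, min_revenue_share):
    """Providers that serve few companies yet a large slice of an industry's revenue."""
    return sorted(
        (ind, p) for ind, provs in shares.items()
        for p, (cf, rs) in provs.items()
        if cf <= max_client_frac and rs >= min_revenue_share
    )

def critical_providers(shares, top_n):
    """Rank providers by the largest revenue share they hold in any industry."""
    best = {}
    for provs in shares.values():
        for p, (_, rs) in provs.items():
            best[p] = max(best.get(p, 0.0), rs)
    return sorted(best, key=lambda p: (-best[p], p))[:top_n]

if __name__ == "__main__":
    shares = market_share(CONSUMERS, EDGES)
    for ind, provs in shares.items():
        for p, (cf, rs) in sorted(provs.items()):
            print(f"{ind:8} {p:8} clients={cf:6.1%} revenue_share={rs:6.1%}")
    print("concentrated risk:", concentrated_risk(shares, 0.2, 0.5))
    print("most critical:", critical_providers(shares, 2))
```

In the sample, nicheco serves one of six finance companies but underpins over half of finance revenue, which is the pattern the report flags as concentrated risk.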

Who are these critical 99?

Figure 2: Critical 99 in the global supply chain (providers ranked by market share)

Understanding critical provider security

Many of our findings will come as no surprise, but some might raise eyebrows. You’ll have to dive into the full report to find out who the hidden pillars are: providers that serve relatively few companies but play a big part in the global supply chain.

The full report contains information not just on who is important in the global supply chain, but also examines their security posture, showing that the bigger the provider, the greater the challenge they face. But perhaps most importantly, it contains information on how your organization can manage risk and find a sense of belonging in this complex network that is the global supply chain. Our research expounds on the importance of knowing the depth and breadth of your own supply chain, understanding which suppliers are critical, knowing the security posture of those critical suppliers, and knowing your own criticality to others. With the data and expertise contained in this report, you’ll be better prepared to tackle the complexities of the digital supply chain.


Your supply chain isn’t just a series of links—it’s a vast, tangled web of dependencies, many of which have weak security. This report uncovers the critical but often-overlooked providers that could be the next cybersecurity weak spot, along with data-driven insights to help you mitigate risks before they disrupt your business.