Supply chain attacks have emerged as the most common cyberthreat facing businesses globally, with companies in Asia Pacific (APAC) also recording supply chain attacks as one of the top few most commonly experienced threats over the past year, a new Kaspersky global study shows. The findings reveal that globally, almost 1 in 3 companies had to confront a supply chain threat in the past year. Notably, supply chain risk exposure exceeded the global average in countries like China, signalling the need for heightened cyber defences across the region.
According to recent data from the World Economic Forum, nearly two thirds (65%) of large enterprises indicate third-party and supply chain vulnerabilities as their greatest barriers to cyber resilience in today’s interconnected digital landscape. To evaluate organisations’ vulnerability to this threat, Kaspersky’s internal market research center commissioned a global study examining how these risks are evolving and the extent to which businesses around the world are being exposed.
Supply chain attacks
According to the Kaspersky-commissioned survey, 31% of enterprise businesses globally had been impacted by a supply chain attack in the past 12 months, which is more than any other type of cyberthreat. This threat is equally prevalent in APAC, with two fifths of businesses in China having experienced a supply chain attack over the past year – 9% higher than the global average, and highest in the region. This is followed by Vietnam (34%), India (29%), Singapore (26%) and Indonesia (20%).
The supply chain threat is acutely focused on the most connected organisations, with large enterprises reporting the highest rate of experienced attacks (36%) compared to counterparts from low and mid-size enterprise. It is noteworthy that it is the same group of high enterprises that reports having the highest mean number of software and hardware suppliers, managing on average around 100 suppliers, which evidentially creates a vast potential attack surface. On top of that, organisations admit to granting access to their organisations’ systems to dozens of contractors: while low enterprises average about 50 contractors, for high enterprises the figure skyrockets to more than 130, facilitating another cyber risk deriving from the digital space interdependence — trusted relationship attacks, during which attackers might exploit legitimate connections between organisations.
Trusted relationship attacks
Over the past year, trusted relationship attacks ranked in the top five most common threats, having affected a quarter (25%) of companies globally. Among APAC countries, Singapore stands out as the most targeted market for attacks exploiting trusted relationships, with one in three organisations having experienced such an attack in the past 12 months. Vietnam follows at 27%, while India (23%), Indonesia (22%) and China (15%) also report significant exposure to these increasingly pervasive attacks.
Interestingly, trusted relationship attacks are regarded as among the top few most dangerous cyberthreats by firms in countries like Singapore (37%) and India (35%) – significantly higher than the global average of 26%. However, this heightened level of caution is not shared across other APAC markets like Indonesia (21%), China (21%) or Vietnam (20%) despite the fact that these attacks remain prevalent in these countries. This disparity suggests a dangerous underestimation of the severity or implications of trusted relationship attacks.
Threats underestimated
While supply chain and trusted relationship attacks are among the most common threats, the survey showed many leaders tend to underestimate them. When asked to classify threats by how dangerous they seemed, organisations focused on complex attacks like Advanced Persistent Threats (APTs), ransomware or insider threats, rather than the ones they actually face most often. Only 9% of businesses globally ranked supply chain attacks as their top concern, a strikingly low level of attention given how often these threats disrupt their operations. Similarly, just 8% named trusted relationship attacks.
Furthermore, most experts understand that a supply chain or trusted relationship breach can disrupt operations — more than half of respondents identified this as the key consequence of such attacks — yet few rank these threats as top priorities. This gap shows the risk is acknowledged in theory but not acted on in practice.
At the same time, supply chain attacks are ranked among the top 3 most dangerous cyberthreats much more often than the global average by companies in Singapore (38%), Brazil (36%), Colombia (36%), and Mexico (35%).
“We’re operating in a digital ecosystem where every connection, every supplier, every integration becomes part of our security profile”, comments Sergey Soldatov, Head of Security Operations Center at Kaspersky. “As organisations grow more interconnected, their exposure to attacks grows with them. Against this landscape, protecting the modern enterprise now demands an ecosystem-wide approach that strengthens not just individual systems, but the entire network of relationships that keeps business operating.”
“Across the APAC region, supply chain and trusted relationship risks reveal a landscape of uneven exposure. Markets like Vietnam and China face a broader spectrum of cyberthreats than the global average, which contributes to their heightened concern about supply chain-driven disruptions. On the other hand, countries like Singapore demonstrate elevated caution toward trusted relationship attacks given their higher-than-average exposure to them. However, we have also seen that perceptions of risk are not always commensurate with actual vulnerabilities. This underestimation of risk can significantly hinder adequate cybersecurity investments, leaving organisations even more vulnerable than they were before as threats continue to grow in scale and sophistication,” notes Adrian Hia, Managing Director for Asia Pacific at Kaspersky.
“The deep interconnectivity of APAC’s supply chains signals an urgent need to deploy robust defences across the ecosystem to prevent disruptions that can ripple across industries and borders. Businesses aiming to secure a competitive edge in the region must commit to strengthening their defensive capabilities with the same dedication they apply to driving growth.”
Only by implementing preventive measures across the organisation and approaching partnerships with suppliers and contractors strategically can companies reduce supply chain risks and ensure the resilience of their business.
For mitigating such risks Kaspersky recommends the following:
- Thoroughly evaluate suppliers before entering a deal. Check their cybersecurity policies, information about past incidents and compliance with industry security standards. For software and cloud services, it’s also recommended to review vulnerability data and penetration tests.
- Implement contractual security requirements. Complete regular security audits, and ensure compliance with your organisation’s relevant security policies and incident notification protocols.
- Adopt preventive technological measures. Implement security practices such as the principle of least privilege, zero trust and mature identity management to reduce damage if supplier is compromised.
- Ensure continuous monitoring. Use solutions like XDR or MXDR, which are part of the Kaspersky Next product line, for real-time infrastructure monitoring and detecting anomalies in software and network traffic, depending on the availability of in-house staff members capable of carrying out such a monitoring.
- Develop an incident response plan. Make sure it covers supply chain attacks and includes steps to quickly identify and contain breaches — for example by disconnecting the supplier from company systems.
Collaborate with suppliers on security issues. Strengthen protection on both sides and make it a shared priority.