A new report highlights how inadequate visibility into third-party access and AI governance amidst complex supply chains exposes organisations to mounting cybersecurity threats, operational disruptions, and significant financial losses, urging a shift towards automated, centralised monitoring systems.
In today’s interconnected and complex supply chains, the imperatives of cost optimisation and contract negotiation are clear, yet a critical blind spot persists for proc...
The report paints a sobering picture of current enterprise vulnerabilities. Nearly half of organisations surveyed lack even basic visibility into their security posture, leaving them vulnerable to breaches that often go undetected until customer complaints or regulatory alarms sound. This lack of visibility is especially pronounced among companies managing between 1,001 and 5,000 third-party vendors—a range dubbed the “danger zone.” At this scale, manual tracking systems such as spreadsheets prove inadequate, and yet many organisations have not invested in enterprise-grade automation. Consequently, these companies report a 46% increase in supply chain risks and have an average risk score of 5.19, significantly higher than the 3.72 risk score of organisations with fewer than 500 partners. Alarmingly, 24% of those in this danger zone experience seven or more breaches annually, and 26% face potential litigation costs ranging from $3 million to $5 million per incident, not counting indirect costs such as lost revenue and reputational damage.
Procurement teams are at the crux of this challenge because every third party onboarded introduces additional points of access to sensitive systems and intellectual property. Without a consolidated “single source of truth” for tracking these relationships, organisations are at risk of unknown partners creating vulnerabilities that go unnoticed, thereby delaying breach detection. On detection times, the report highlights that 44% of organisations managing 1,001 to 5,000 third parties take between 31 and 90 days to identify breaches, while 31% of organisations with over 5,000 partners take more than 90 days—by which time the damage is often irreversible.
This phenomenon creates a “cascade effect,” where one visibility gap breeds others. Kiteworks’ data shows that 46% of companies do not even know how often breaches occur within their networks, while 42% cannot reliably quantify the time taken to detect incidents. Moreover, 32% forgo regular security audits, and there is a strong overlap between these shortcomings—including nearly half of organisations that cannot estimate litigation costs due to visibility lapses.
The financial implications extend beyond direct breach costs. The report introduces a “hidden cost multiplier,” where every dollar spent on visible compliance activities corresponds to $2.33 in hidden costs—stemming from opportunity costs, audit fatigue, and inefficient resource allocation. While compliance teams may spend up to 1,500 hours annually on reporting, effectiveness is questionable without proper oversight. Conversely, organisations with comprehensive governance frameworks achieve 3.5 times greater cost visibility, tracking 75% of security expenses versus only 35% for those without. This reinforces the economic benefit of visibility, which also translates to 60% savings on compliance implementation when companies are prepared for regulatory changes.
The systemic risks extend even to companies with fewer than 500 partners, which still report a 30% increase in supply chain risk, underscoring the ubiquity of the challenge. Furthermore, a quarter of organisations rely solely on legal agreements to govern third-party access—agreements that may fall short under increasingly stringent regulatory scrutiny. The report stresses the urgent need for procurement teams to rigorously track and monitor these relationships, identifying not just vendor counts but subcontractor partnerships and unapproved third-party access.
Adding another layer of complexity is the rising use of artificial intelligence tools across vendor ecosystems. Only 17% of organisations have established AI governance frameworks, despite the proliferation of AI-generated content traversing supply chains. Unmonitored AI tools amplify risks in intellectual property protection, privacy, and compliance, necessitating centralised reporting, contractual controls, and automated monitoring to safeguard sensitive data effectively.
To address these gaps, the report advises that organisations adopt automated, continuous measurement of vendor activities rather than relying on periodic manual audits. Centralising data into a single repository consolidates visibility, eliminating dangerous blind spots inherent in siloed databases. Even approximate vendor counts are preferable to complete uncertainty, as tracking “roughly 3,000 vendors” places a company in a stronger defensive posture than having no data. Establishing core tracking processes for vendor relationships, breach history, and compliance is a vital foundation before layering advanced analytics or AI-driven insights.
The benefits of such vigilance transcend mere risk reduction, delivering what Kiteworks terms the “privacy dividend.” Organisations with mature privacy programmes report a 27% reduction in security losses, 21% improvements in customer loyalty, and similar gains in operational efficiency. Rapid breach detection improves by 67%, with organisations also realising an 81% cost reduction through privacy-enhancing technologies. These transform security from a compliance burden into a competitive advantage.
This data aligns with wider industry insights, such as reports from MBT Magazine and TechBullion, which highlight the vulnerability of supply chains lacking centralised governance and automation—particularly in sectors like energy, utilities, and defence contracting, where regulatory demands like the Cybersecurity Maturity Model Certification (CMMC) 2.0 mandate robust end-to-end encryption and comprehensive governance.
As Google’s 2024 Zero-Day Exploitation Analysis Report indicates, zero-day vulnerabilities increasingly target enterprise data exchange platforms, reinforcing the criticality of security-centred vendor selection and continuous risk monitoring.
In summary, procurement and supply chain leaders must confront a non-negotiable reality: operating “blind” to who accesses organisational data within complex vendor ecosystems is financially and operationally perilous. Investing in automated, centralised visibility offers measurable returns—reducing supply chain risk by 46%, slashing compliance costs by 60%, and eliminating hidden expenses that run to more than double the visible spend. The path forward is clear: integrate vendor visibility into procurement strategies, enforce stringent AI governance, and prioritise continuous security monitoring. Those that do will not only mitigate avoidable losses but also foster resilient, efficient, and innovation-ready supply chains fit for the challenges of today and tomorrow.
Frank Balonis, chief information security officer and senior vice president of operations and support at Kiteworks, underscores that the cost of ignoring these risks “can be measured in millions.” The business case for visibility has never been more compelling for enterprises eager to thrive rather than merely survive in an increasingly volatile and exposed supply chain landscape.
Source: Noah Wire Services