Kaspersky study finds most companies willing to fund cybersecurity improvements across their supplier networks

Research covering 1,700 business leaders across 16 countries points to a shift in how organisations define the boundaries of their own security perimeter

Sergey Soldatov, Head of the Security Operations Center at Kaspersky

A study published by Kaspersky, a cybersecurity company that provides threat detection, endpoint protection and managed security services to organisations globally, found that 69% of businesses are considering investing in the cybersecurity of their contractors and suppliers. A further 25% have already begun sharing security costs with external partners, a figure that suggests the conversation has moved beyond intention in a significant portion of companies surveyed.

The research was conducted across 1,714 business leaders in 16 countries, ranging from C-level executives to senior specialists at enterprises with more than 500 employees. It was published alongside a broader Kaspersky report on supply chain risk, which found that supply chain attacks affected nearly one in three companies over the past year, while trusted relationship attacks, where an attacker exploits access granted to a legitimate partner, hit roughly a quarter of organisations globally in the same period.

The pattern behind both findings is the same: a company's exposure to attack is shaped not only by its own security posture but by the posture of every contractor or partner with access to its systems. Sergey Soldatov, Head of the Security Operations Center at Kaspersky, described the implication directly: "Today businesses realise that security cannot end at the borders of their own organisation, it must extend across the entire ecosystem. Smaller companies often lack the security capabilities of the enterprises they serve, posing extra risks to the latter. By sharing resources and expertise, larger companies can close this gap, strengthening weak points throughout the entire dependency chain — and become a key driver of global cyber resilience."

The study outlines a set of measures companies can take to reduce exposure through their supplier relationships. These include assessing vendors' security practices and software development processes before entering agreements, incorporating specific security requirements into contracts, such as audit obligations, compliance with internal policies and incident notification protocols, and applying technical controls including least privilege access, zero trust architecture and identity management practices. For software products and cloud services, the report also recommends collecting data on known vulnerabilities and penetration test results, and in some cases conducting dynamic application security testing.