SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
Half of Indian supply chain firms hit by cyber breaches: report

Tue, 30th Sep 2025

More than half of Indian suppliers connected to global supply chains have experienced a third-party cybersecurity breach in the past year, according to new research from SecurityScorecard.

The report, entitled Third-Party Cyber Risks to Global Supply Chains: An Assessment of Key Indian Suppliers, surveyed 150 leading Indian companies across ten key sectors, including manufacturing, information technology, pharmaceuticals, and critical infrastructure services. It found that 52.6% of these suppliers suffered at least one breach through their vendor or partner relationships, highlighting significant vulnerabilities in supply chain security.

Of all incidents reported, only 10.7% were made public, suggesting that the true scale of exposure remains largely unacknowledged outside company walls. The research further revealed that cybersecurity performance among Indian suppliers is highly polarised, with 26.7% receiving an "F" rating (the largest such share in any SecurityScorecard dataset to date), while 25.3% scored a top "A" grade.

Sector findings

The information technology (IT) services and aerospace industries achieved the highest average security scores among the sectors analysed, which, according to the report, reflects established cybersecurity practices. However, IT providers accounted for 62% of all reported third-party breaches. Their integral role as service gateways to global enterprise clients exposes them to increased risk, with vulnerabilities potentially cascading through broader networks.

The pharmaceutical and medical device sectors were particularly prominent among publicly reported incidents, accounting for 42.1% of such breaches and 38.5% of all ransomware cases involving Indian suppliers. This concentration of risk raises concerns about vulnerabilities in the international healthcare supply chain and its potential impact on medical services worldwide.

Other sectors, including semiconductors, electronics, and automotive, exhibited higher levels of credential compromise, so-called typosquatting attacks, and malware infections. Typosquatting involves the creation of deceptive domain names resembling legitimate company brands, often used by threat actors to steal credentials or spread malware.

Main risk factors

The most common contributors to low security ratings were network security weaknesses, mismanaged digital certificates, and gaps in patching software vulnerabilities, all fundamental IT management tasks that can have outsized effects on organisational risk if neglected.

Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard, commented on the findings, stating,

"India is a cornerstone of the global digital economy. Our findings highlight both strong performance and areas where resilience must improve. Supply chain security is now an operational requirement, and SecurityScorecard is providing the visibility and intelligence to help organizations strengthen that resilience together across industries and borders."

The average security scores for Indian companies stood at 73 (mean) and 75 (median) out of a possible 100, both slightly below the global benchmark average of 81. SecurityScorecard notes that such disparities are not unique to India, but reflect wider industry challenges as supplier networks grow more interdependent and complex.

Sherstobitoff added,

"This research is part of our ongoing global benchmarking. Every region has its strengths and vulnerabilities. India's role in powering critical industries makes visibility and collaboration even more important."

Recommendations

To address these risks, SecurityScorecard recommends organisations continuously monitor not just direct vendors, but also suppliers further down the chain (fourth parties), for emerging cybersecurity threats. The company also advises prioritising management of digital certificates and keeping software patched as key steps for risk mitigation.

IT and managed service providers warrant particular scrutiny, given their exposure and the frequency of breaches traced to such firms globally. The use of cybersecurity ratings for procurement decisions, ongoing vendor oversight, and broader risk management strategies was also recommended as a practical approach to strengthening supply chain resilience.

In analysing the risks, the research team compiled and evaluated a range of indicators for each of the 150 companies sampled. These included overall security scores, the nature and value of the lowest-ranked security factor, specific issues most negatively impacting ratings, any publicly reported breaches, and relationships that facilitated third- or fourth-party breaches. The researchers also looked at reported malware infections, credential leaks, and instances of suspected typosquatting across supplier networks.

The ten sectors examined were: semiconductors, other electronics, automotive, aerospace and aviation, pharmaceuticals and medical devices, information technology, customer experience and business process outsourcing, textiles, agriculture (including agribusiness and fertilisers), and transportation, shipping, and logistics.

SecurityScorecard conducts regular global benchmarking and provides cybersecurity ratings used by organisations and government agencies to assess third-party risk and manage supply chain security more effectively.
