2 min

Roughly 96 percent of Benelux-based organisations fell victim to a cyberattack due to a supply chain vulnerability.

Security specialist BlueVoyant surveyed over a thousand IT leaders on the state of supply chain security in their organisation. Today, the results were shared.

In the Benelux, almost every organisation (96 percent) witnessed how a vulnerability in the supply chain led to a cyberattack. Almost half of the victims were hit by two to five attacks in the past year.

Supply chain attacks

The figures shouldn’t come as a surprise. Not a month goes by without a public reminder of the damage caused by vulnerable supply chains.

Last week, eight Dutch housing corporations fell victim after a breach of their IT service provider. In January, crime group Lapsus$ caused a data leak at Okta following a break-in at a partner’s office.

It may be a clich√©, but a chain is only as strong as its weakest link. The strength of a corporate network doesn’t matter when the threat enters through a trusted customer, partner or app.


About 60 percent of organizations say supply chain vulnerabilities are on their radar. Worldwide, that’s 70 percent of organizations. The Benelux is lagging behind.

The difference has several reasons. Awareness plays a possible role. As mentioned earlier, most organisations come into contact with a supply chain attack. Yet, the largest of incidents pass by the Benelux.

When SolarWinds was hit in 2020, attackers spread to thousands of organisations and hundreds of government networks. Benelux-based companies fell victim as well, but the United States took the biggest hit.

We’re missing the mark

In addition, BlueVoyant states that investments in supply chain security lack strategic focus. Only 9 percent of organisations check external suppliers for security risks, also known as vendor risk management. Of those organizations, a more 31 percent checks their suppliers more than once every three months.

Though budgets for vendor risk management are rising, most miss the mark. “Many organisations are struggling to make the best use of security budgets”, shares Richard Wolters, Director of European Marketing at BlueVoyant.

“It’s positive that companies in the Benelux are investing in vendor risk management, but the extent of their effectiveness remains unclear. Short term change is important to reduce the risk of cyber incidents.”

Tip: Ransomware is an APT, that’s how you should treat it