
While procurement and supply chain leaders excel at negotiating contracts and optimizing costs, a critical risk often goes untracked in modern enterprise operations: Who actually has access to your organization's data, and what happens when that access is unmanaged?
Kiteworks' 2025 Data Security and Compliance Risk: Annual Survey Report highlights a stark reality: nearly half of organizations operate without basic visibility into their security posture. While IT and security teams invest heavily in defenses, these investments often protect against threats that leadership doesn't even know exist. The consequences: breaches, compliance failures, operational disruption and multimillion-dollar losses.
For supply chain and procurement leaders, the report reveals an urgent call to action: Visibility into third-party relationships has become a business-critical requirement.
One of the report's most striking findings centers on the number of third parties an organization manages. Companies that maintain between 1,001 and 5,000 third-party relationships face the worst outcomes. At this scale, they have outgrown manual tracking methods such as spreadsheets, but often have yet to invest in enterprise-grade automation. This creates a "danger zone," in which complexity exceeds human capability, and breaches become far more likely.
The numbers paint a sobering picture. Organizations in this danger zone report a 46% increase in supply chain risks, the highest of any segment. Their risk score averages 5.19, compared to just 3.72 for organizations with fewer than 500 partners. Even more concerning, 24% of danger-zone organizations experience seven or more breaches annually, with 26% facing potential litigation costs of $3 million to $5 million per incident — not including lost revenue, fines or reputational damage.
Procurement teams are directly implicated here. Each third party added to a supply chain brings not only commercial and operational responsibilities, but also access to sensitive systems, data and intellectual property. Without a single source of truth for tracking these relationships, organizations expose themselves to cascading risks. Unknown partners can introduce vulnerabilities, and when breaches occur, detection is delayed because nobody had visibility in the first place.
The Cascade Effect
Kiteworks' research identifies a powerful "cascade effect," in which one visibility gap predicts others with remarkable accuracy. The correlations are striking:
- 46% of organizations don't know their actual breach frequency,
- 42% are uncertain about their detection times,
- 32% don't conduct regular security audits, and
- 48% who don't know breach frequency also can't quantify litigation costs.
For supply chain professionals, this underscores the interconnected nature of operational risk. A third party that is improperly managed isn’t just a contractual or logistical problem; it's a potential conduit for cybersecurity threats that ripple across the enterprise.
Detection times tell the story: 44% of organizations with between 1,001 and 5,000 third parties take 31 to 90 days to detect breaches, while 31% of those with more than 5,000 partners require more than 90 days. By the time breaches are detected, the damage is already done.
The Hidden Cost Multiplier
Beyond the obvious security implications, poor visibility creates a staggering financial burden that most organizations never fully quantify. The report reveals that for every $1 spent on visible compliance activities, organizations incur $2.33 in hidden costs — including opportunity costs, audit fatigue and inefficient resource allocation.
This hidden cost multiplier explains why teams spend 1,000 to 1,500 hours annually on compliance reporting without knowing whether these efforts are effective. It's not just wasted time; it's strategic opportunity lost. Organizations with comprehensive governance achieve a 3.5x cost visibility advantage, tracking 75% of their security costs compared to just 35% for those without proper oversight.
The financial implications extend further:
- Breach frequency escalation. Zero breaches for 34% of organizations with fewer than 500 partners versus 24% experiencing 10+ breaches for those with over 5,000 partners
- Universal risk increases. Even organizations with fewer than 500 partners show 30% supply chain risk increases
- Contractual limitations. 25% rely solely on legal agreements that may not withstand regulatory scrutiny
- Proactive savings. Organizations prepared for compliance changes save 60% on implementation costs
Why Traditional Vendor Oversight Fails
Many organizations rely on spreadsheets or siloed databases to track vendor relationships. While this may work for those exchanging private data with a handful of third parties, it collapses under the weight of modern supply chains, which can include thousands of partners, subcontractors and cloud-based providers. The report found that security teams often discover breaches not through monitoring systems but through customer complaints or regulatory alerts, highlighting the inefficiency and danger of relying on manual methods.
The industry median risk score of 4.84 sits dangerously close to high-risk territory, with 15% of organizations operating at critical risk levels (7.0–10.0) requiring immediate intervention. These aren't abstract numbers — they represent real vulnerabilities that procurement teams must address.
Procurement teams need to ask tough questions:
- How many third parties currently have access to our critical data systems?
- Which subcontractors do they work with, and are those relationships monitored?
- How quickly can we detect unauthorized access across this ecosystem?
- What's our actual risk score, and how does it compare to industry benchmarks?
Without answers, organizations are effectively "flying blind," and the cost of this ignorance can be measured in millions.
The Role of AI and Automation
Another challenge is the ungoverned adoption of artificial intelligence tools across departments. Only 17% of organizations have implemented AI governance frameworks, yet AI-generated content increasingly flows through vendor and partner networks. Untracked AI tools can introduce intellectual property risks, privacy exposures and compliance violations.
Procurement teams can help mitigate these risks by requiring centralized reporting on vendor tools and services, automated dashboards for continuous monitoring, and clear contractual obligations regarding AI usage. When combined with automated vendor tracking systems, these practices ensure that organizations know exactly who touches sensitive data and how it is being processed.
The report highlights that organizations achieving strong visibility share several characteristics:
- Continuous measurement. Automated systems replace periodic manual reviews, giving procurement teams real-time insight into third-party access and activity;
- Single source of truth. Data about vendors, subcontractors, AI usage and breach history is consolidated, eliminating siloed blind spots;
- Actionable approximation. Even approximate counts are better than no data — organizations tracking "approximately 3,000 vendors" are far less vulnerable than those with no idea at all; and
- Foundation before sophistication. Basic vendor tracking, breach history and compliance metrics must be established before layering on advanced analytics.
For procurement leaders, these principles translate directly into better contract management, risk mitigation and cost savings. Knowing your vendor count allows for more informed negotiations, targeted risk assessments, and streamlined compliance reporting.
Privacy Dividend: Unexpected Returns
Perhaps most compelling for supply chain leaders is the "privacy dividend" that mature organizations achieve. Companies with comprehensive privacy programs report:
- 27% reduced security losses,
- 21% enhanced customer loyalty, and
- 21% improved operational efficiency.
This isn't just about avoiding losses — it's about competitive advantage. Organizations with strong visibility detect breaches 67% faster and achieve 81% cost reduction through privacy-enhancing technologies. Far more than marginal improvements, these amount to transformative business outcomes.
The report offers a compelling ROI for investing in vendor visibility that goes beyond traditional security metrics. Supply chains that prioritize visibility operate more efficiently, innovate faster and avoid preventable losses. The financial case is clear:
- 3.5x better cost tracking for organizations with comprehensive governance;
- 60% savings on compliance implementation for prepared organizations;
- $2.33 in hidden costs eliminated for every visible dollar spent, and
- 46% lower supply chain risk for organizations outside the danger zone.
Visibility Pays Dividends
Blindness in your supply chain is costly and preventable. The Kiteworks report shows that unknown third parties, ungoverned AI and delayed breach detection multiply enterprise risk in ways that procurement teams can no longer ignore.
For procurement and supply chain leaders, the mandate is straightforward: Track third-party relationships rigorously, implement automated monitoring, consolidate visibility across the enterprise, and integrate security metrics into procurement strategy. The cost of ignoring these risks extends far beyond the obvious, and the benefit of achieving visibility is equally substantial, in the form of reduced risk, improved efficiency, and a resilient and agile supply chain.
The business case writes itself. In today's interconnected supply chain, visibility isn’t optional. Organizations that see clearly thrive; those that fly blind pay the price.
Frank Balonis is chief information security officer and senior vice president of operations and support at Kiteworks.