Gartner's 2025 Supply Chain Prediction: A Retrospective Look at What Actually Happened
In 2021, Gartner made a bold prediction: by 2025, 45% of organizations worldwide would experience attacks on their software supply chains, a three-fold increase from 2021 levels. Now, as we approach the end of 2025, the data reveals something striking: Gartner's forecast was conservative. A 2024 BlackBerry survey found that 75% of organizations had already experienced a software supply chain attack within the previous year, far exceeding the prediction.
Third-party breaches now account for 30% of all data breaches, a 100% increase from previous levels (Verizon DBIR 2025). Supply chain attacks doubled beginning in April 2025, with incidents averaging 26 per month, twice the rate seen from early 2024 through March 2025 (Cyble). Looking at the financial impact, the average cost of a supply chain breach hit $4.91 million globally, with U.S. organizations facing costs of $10.22 million per incident (IBM Cost of a Data Breach Report 2025).
The Prediction vs. Reality
When Gartner issued its 2025 forecast in 2021, software supply chain attacks were already escalating rapidly. SolarWinds had just dominated headlines, Log4j was exposing fundamental vulnerabilities in open-source infrastructure, and ransomware groups were beginning to realize the leverage that third-party access provided. This was a lethal attack vector, and adversaries would only double down on it over time.
What Gartner Got Right:
- The trajectory was correct: supply chain attacks have indeed tripled from 2021 levels
- The strategic risk was accurately identified: attackers are systematically targeting upstream dependencies
- The cost implications were validated: IBM's 2025 report confirms supply chain breaches cost 17 times more to remediate than direct attacks
What Gartner Underestimated:
- The speed of adoption by threat actors across all skill levels
- The pervasiveness of the problem: 75% vs. the predicted 45%
- The doubling of attack frequency in just five months (April-September 2025)
Between 2021 and 2023, supply chain attacks surged by 431% (Cowbell Cyber), with projections indicating continued dramatic rises through 2025. The most recent data from Cyble shows that reported supply chain incidents nearly doubled from an average of 13 attacks per month (February-September 2024) to 25 attacks per month in the April-May 2025 period.
Why the Reality Exceeded the Forecast
Several factors contributed to supply chain attacks becoming even more prevalent than Gartner anticipated:
1. Open Source Became the Primary Attack Vector
Modern applications are built on a foundation of open-source software, and attackers have systematically exploited this dependency. Sonatype's 2024 State of the Software Supply Chain report documented 512,847 malicious packages in just one year, a 156% year-over-year increase. ReversingLabs found that malicious threats in open-source repositories grew by an astonishing 1,300% between 2020 and 2023.
2. Cloud Acceleration Created New Attack Surfaces
The rapid shift to cloud infrastructure and remote work sharply increased the use of third-party applications. The average organization now uses 112 SaaS applications (BetterCloud 2024), and each software application has approximately 150 dependencies, 90% of which are indirect dependencies that create hidden vulnerabilities.
3. Attackers Industrialized Their Operations
What began as sophisticated nation-state tactics quickly became commoditized. Ransomware groups like SafePay and Arkana now routinely target technology and supply chain services providers, knowing that a single breach can cascade across thousands of downstream customers. The Arkana ransomware group claimed their attack on a U.S.-based EDA/semiconductor company affected 41,000 downstream companies and customers (Cyble).
4. The "Shadow IT" Problem Remained Unsolved
Despite years of warnings, organizations failed to adequately address shadow IT and unsanctioned software usage. Employees continued adopting unvetted SaaS solutions, creating invisible attack surfaces that security teams couldn't monitor or protect. The result: trusted third-party access became the path of least resistance for attackers. I would add that COVID-19 was also a contributing factor to the accelerated adoption of SaaS-based models as users shifted to remote working.
The Geographic and Sectoral Impact
Supply chain attacks in 2025 have been indiscriminate. Cyble's data shows attacks hit 22 of the 24 sectors tracked in just the first five months of 2025; only Mining and Real Estate were spared.
Geographically, the United States was targeted in 31 of 79 documented incidents in early 2025. European countries experienced 27 incidents, with France leading. APAC countries faced 26 incidents, with India (9) and Taiwan (4) most affected. The Middle East and Africa saw 10 incidents, including four each in the UAE and Israel.
IT and IT services companies have been disproportionately targeted because a single compromise gives significant downstream reach. A suspected ransomware attack on a Swedish HR software provider (Miljödata) impacted approximately 200 Swedish municipalities, along with multiple regional administrations, universities, and corporations, demonstrating the cascading nature of modern supply chain compromises.
What Organizations Got Wrong (And What They Should Do Now)
Despite clear warnings from Gartner and other analysts, only 1 in 3 organizations feel prepared to protect themselves from software supply chain threats (Ivanti 2025 State of Cybersecurity Report). This preparedness gap explains why the actual impact exceeded predictions.
Critical Failures:
- Visibility Gaps: Organizations lacked comprehensive inventories of their software dependencies, making it impossible to assess exposure when vulnerabilities emerged
- Procurement Blind Spots: Security assessments were not performed as part of vendor risk management or procurement activities
- Response Capacity: Security teams struggled to respond to vulnerabilities in software dependencies, requiring extraordinary work to identify affected systems
- Trust Without Verification: The supply chain remained a "trusted" zone exempt from the zero-trust architectures applied elsewhere
What Actually Works:
The organizations that fared better shared common characteristics:
- Software Bill of Materials (SBOM) implementation for dependency visibility
- Zero Trust extended to the entire supply chain, not just internal assets
- Continuous monitoring with SIEM, DLP tools, and anomaly detection
- Vendor risk management with security requirements codified in contracts
- CI/CD pipeline security with build pipeline protection and integrity checks
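Two items in that list, SBOM-based dependency visibility and pipeline integrity checks, are easier to evaluate once you see what they look like in code. The script below is an added illustration, not code from the original article or from any of the vendors it cites. It walks a constructed CycloneDX-style SBOM to find which components a newly published advisory affects, reports whether each is a direct or an indirect dependency (the 90% figure quoted earlier), and compares the SHA-256 digests recorded in the SBOM with what is actually deployed. The service name, package names, versions, advisory identifiers and artifact bytes are all constructed placeholders; the version comparison handles plain numeric versions only.

```python
# Added example, not code from the article: answering "are we exposed?" from a
# CycloneDX-style SBOM and checking deployed artifacts against recorded digests.
# Every name, version, advisory id and artifact below is a constructed placeholder.
import hashlib

# Constructed stand-ins for the package archives a build pulled in; their SHA-256
# digests are what a build pipeline records into the SBOM at build time.
ARTIFACTS = {
    "pkg:pypi/web-framework@4.1.0": b"web-framework 4.1.0 archive (constructed)",
    "pkg:pypi/json-helper@1.9.3": b"json-helper 1.9.3 archive (constructed)",
    "pkg:pypi/tls-client@2.0.1": b"tls-client 2.0.1 archive (constructed)",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def component(ref: str) -> dict:
    """One CycloneDX component entry; name and version come from the purl-style ref."""
    name, version = ref.split("/", 1)[1].split("@", 1)
    return {"bom-ref": ref, "name": name, "version": version,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS[ref])}]}

# Constructed SBOM for a hypothetical service. json-helper is reached only through
# web-framework: the kind of indirect dependency the article says makes up 90%
# of a typical application's dependencies.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "version": "3.2.0"}},
    "components": [component(ref) for ref in ARTIFACTS],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/web-framework@4.1.0", "pkg:pypi/tls-client@2.0.1"]},
        {"ref": "pkg:pypi/web-framework@4.1.0", "dependsOn": ["pkg:pypi/json-helper@1.9.3"]},
    ],
}

# Constructed advisories with placeholder ids (not real CVEs): a package is affected
# when its version is below fixed_in. The second one does not apply to tls-client 2.0.1.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "json-helper", "fixed_in": "1.10.0"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "tls-client", "fixed_in": "2.0.0"},
]

def parse_version(version: str) -> tuple:
    """Numeric dotted versions only; orders 1.9.3 before 1.10.0, unlike a string compare."""
    return tuple(int(part) for part in version.split("."))

def dependency_paths(sbom: dict, target_ref: str) -> list:
    """All paths from the application root to target_ref, as lists of bom-refs.
    Exactly two entries means a direct dependency; more means an indirect one."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # tolerate cycles in a malformed dependency graph
                walk(child, path + [child])

    walk(root, [root])
    return paths

def assess_exposure(sbom: dict, advisories: list) -> list:
    """One finding per affected component, with every path that pulls it in."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            affected = (comp["name"] == adv["package"]
                        and parse_version(comp["version"]) < parse_version(adv["fixed_in"]))
            if not affected:
                continue
            paths = dependency_paths(sbom, comp["bom-ref"])
            findings.append({"advisory": adv["id"], "component": comp["bom-ref"],
                             "direct": any(len(p) == 2 for p in paths),
                             "paths": [" -> ".join(p) for p in paths]})
    return findings

def verify_integrity(sbom: dict, observed: dict) -> list:
    """bom-refs whose deployed bytes are missing or whose SHA-256 differs from the SBOM;
    a pipeline integrity gate should fail on a non-empty result."""
    mismatches = []
    for comp in sbom["components"]:
        recorded = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        blob = observed.get(comp["bom-ref"])
        if blob is None or sha256_hex(blob) != recorded:
            mismatches.append(comp["bom-ref"])
    return mismatches

if __name__ == "__main__":
    for f in assess_exposure(SBOM, ADVISORIES):
        kind = "direct" if f["direct"] else "indirect"
        print(f"{f['advisory']}: {f['component']} ({kind}) via {f['paths']}")
    swapped = dict(ARTIFACTS)
    swapped["pkg:pypi/tls-client@2.0.1"] = b"tls-client 2.0.1 archive (altered, constructed)"
    print("integrity mismatches:", verify_integrity(SBOM, swapped))
```

In a real pipeline the SBOM would be emitted by the build tooling and the advisories pulled from a vulnerability feed rather than hard-coded, but the two questions stay the same: `assess_exposure` is the visibility the "Visibility Gaps" failure above describes the absence of, and `verify_integrity` is the build-pipeline integrity check the last list item calls for. The dependency-path output matters because the affected package here is never named in the application's own manifest; without the SBOM graph it is invisible.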
The Path Forward
As we close out 2025, the data validates that supply chain attacks have become the dominant threat vector in cybersecurity. Cybersecurity Ventures predicts that global costs will reach $138 billion by 2031, up from $60 billion in 2025, based on a 15% annual growth rate.
The question is no longer whether organizations will face supply chain attacks (the BlackBerry data suggests most already have) but whether they've built the resilience to detect, respond, and recover when those attacks occur.
Gartner's prediction wasn't wrong; it was simply overtaken by a threat landscape that evolved faster than even the analysts anticipated. The retrospective lesson isn't about forecasting accuracy. It's about recognizing that when sophisticated analysts issue warnings about emerging threats, the reality often exceeds even their most concerning projections.
For security leaders, the message is clear: if you haven't prioritized software supply chain security already, it's time to change that. And if the trend continues, 2026 will make 2025 look modest by comparison.
Key Takeaways
- Gartner's 2025 prediction of 45% was exceeded, with 75% of organizations already experiencing attacks by 2024
- Third-party breaches doubled to 30% of all breaches, with costs averaging $4.91M ($10.22M in the U.S.)
- Supply chain attacks doubled in frequency from April-September 2025, averaging 26 incidents per month
- 22 of 24 industry sectors were hit in early 2025, demonstrating the universal nature of the threat
- Only 1 in 3 organizations feel prepared, explaining why reality exceeded predictions
References:
- Gartner (2021). "Supply Chain Attack Predictions." Forecast that 45% of organizations worldwide will experience software supply chain attacks by 2025, representing a three-fold increase from 2021.
- BlackBerry (2024). "Software Supply Chain Security Survey." Survey revealing that 75% of organizations experienced a software supply chain attack within the last year.
- Verizon (2025). "Data Breach Investigations Report (DBIR)." Analysis showing third-party breaches doubled to 30% of all data breaches, representing a 100% increase from 15% previously reported.
- IBM (2025). "Cost of a Data Breach Report." Global analysis showing average supply chain breach costs of $4.91 million globally and $10.22 million in the United States.
- Cyble (2025). "Supply Chain Attack Trend Analysis." Research documenting that supply chain attacks doubled beginning in April 2025, averaging 26 incidents per month compared to 13 per month in the prior period.
- Cowbell Cyber (2025). "Cyber Risk Report." Analysis showing 431% surge in supply chain attacks between 2021-2023.
- Sonatype (2024). "State of the Software Supply Chain Report." Documentation of 512,847 malicious packages discovered in one year, representing a 156% year-over-year increase.
- ReversingLabs (2024). "Supply Chain Security Analysis." Research showing 1,300% increase in malicious threats in open-source repositories between 2020-2023.
- Ivanti (2025). "State of Cybersecurity Report." Survey revealing that only 1 in 3 organizations feel prepared to protect themselves from software supply chain threats.
- BetterCloud (2024). "SaaS Application Usage Report." Analysis showing organizations use an average of 112 SaaS applications.
- Cybersecurity Ventures (2024). "Supply Chain Attack Cost Projections." Forecast of $138 billion global cost by 2031, up from $60 billion in 2025, based on 15% annual growth rate.