Supply chain cyberattacks are escalating in Mexico, with 43% of firms affected, exposing structural gaps in cybersecurity execution despite national strategies. Manufacturing, government, education, and IT sectors face heightened risk as interconnected supply chains expand attack surfaces.
Supply chain cyberattacks in Mexico reached a critical threshold as 43% of organizations reported incidents in the last 12 months, according to Kaspersky. These figures place the country above the global average and highlight a significant rise in threats targeting trust-based corporate relationships.
The intensification of these threats stems from the transition from traditional perimeters toward interconnected digital ecosystems where every external integration represents a potential entry vector.
“We are operating in a digital ecosystem where every connection, every supplier, and every integration becomes part of our security profile,” says Claudio Martinelli, General Manager for the Americas, Kaspersky. “As organizations become more interconnected, their exposure to attacks also grows.”
Martinelli says that protecting the modern company requires an approach that covers the entire ecosystem, strengthening not only individual systems, but also the entire network of relationships that keeps businesses running.
National Context
The cybersecurity landscape in Mexico has undergone a quantitative and qualitative transformation between 2024 and 2026. Data from IQSEC indicates that Mexico ascended from 16th place in 2024 to 11th globally in ransomware attempts by the end of 2025. This progression establishes the country as the second most targeted market in Latin America, trailing only Brazil.
According to IQSEC, this increase is directly linked to the maturation of professionalized cybercrime, which has adopted scalable business models such as Ransomware as a Service (RaaS), powered by AI and automation tools.
The relevance of the supply chain as an attack vector resides in the operational structure of large corporations. According to the Global Cybersecurity Outlook 2026, published by the World Economic Forum (WEF), 65% of large companies identify vulnerabilities in suppliers and supply chains as the primary obstacle to achieving cybersecurity resilience.
On average, a large organization manages technical relationships with about 100 suppliers, a figure that can exceed 130 third parties with direct access to internal systems. In contrast, smaller companies typically manage around 50 third-party connections. This technical complexity expands the attack surface, allowing malicious actors to exploit legitimate access to infiltrate and move laterally through corporate networks without detection.
At a regional level, the risk is shared; Brazil and Colombia report a 36% incidence in supply chain attacks. However, Mexico presents a particular exposure due to the convergence of an expanding digital infrastructure and a structural lag in the implementation of response protocols.
Kaspersky’s Supply Chain Reaction report reveals that 31% of companies in Mexico reported attacks specifically exploiting trust-based relationships, placing the country among the most affected nations globally. Despite the frequency of these events, only 9% of companies worldwide identify supply chain attacks as their primary concern, and only 8% mention trust-relationship attacks as a top priority.
Closing Identity Gaps and Integrating Zero-Trust Protocols
The execution of ransomware attacks and supply chain breaches converges at a critical point: identity management. Research conducted by Permiso Security indicates that 76% of cybersecurity professionals reported security incidents involving identity management in the last 12 months. As traditional network perimeters have lost effectiveness, identity — both human and non-human — has become the new perimeter of security.
One emerging risk factor is the proliferation of non-human identities, which represent 44% of all identity types within organizations. These include AI agents, cloud services, and automation tools that, in most cases, operate with excessive permissions. Technical data indicate that 98% of AI agents have access to sensitive data, yet only 52% of organizations possess the capacity to consistently detect when these systems create or modify permissions.
This lack of visibility is critical, considering that only 46% of security teams have a comprehensive view of all human and non-human identities accessing their IT resources.
The operational efficiency of criminal groups such as Qilin, Kazu, CL0P, and LockBit in the Mexican market is aided by prolonged response times. Only 18% of security teams in Mexico can confirm an identity-based threat in less than one hour. The majority of organizations, approximately 61%, require between one and 24 hours to determine the blast radius of a breach.
This latency is attributed to the fragmentation of defense tools. Security teams use, on average, between three and 10 separate tools to achieve identity visibility, requiring between 10 and 40 hours per week for the manual correlation of data from different sources.
In sectors of strategic importance for Mexico, such as manufacturing, education, and government, this fragmentation limits the ability to respond to technically sophisticated groups. Mexico’s government sector showed the highest level of exposure in 2025, followed by educational institutions and information technology companies. This targeting suggests that attackers prioritize entities where service disruption causes maximum pressure for payment.
The trajectory of cybersecurity in Mexico for 2026 will depend on the execution of the 2025–2030 National Cybersecurity Plan. According to Víctor Ruiz, Founder, SILIKN, the central problem in Mexico is not the absence of strategies, but the persistent distance between design and execution.
Although the state has integrated cybersecurity into high-level planning, such as the creation of the Digital Transformation and Telecommunications Agency (ATDT), intrusion volumes exceed the installed capacity of entities like Mexico’s Cyber Incident Response Center (CERT-MX). To mitigate risks associated with third-party interconnectivity, Kaspersky recommends that companies implement the following strategic measures:
- Comprehensive Provider Evaluation: Conduct exhaustive reviews of the cybersecurity policies, incident history, and compliance with industry standards of a provider before establishing a commercial relationship.
- Contractual Security Requirements: Perform periodic security audits and ensure compliance with organizational security protocols and incident notification mandates.
- Zero-Trust Architecture: Implement a zero-trust model and the principle of least privilege to reduce the impact if a provider is compromised.
- Continuous Monitoring: Utilize solutions such as XDR or MXDR to monitor infrastructure in real time and detect anomalies in software and network traffic.
- Incident Response Planning: Develop plans that specifically include scenarios for supply chain attacks and steps to quickly disconnect a compromised provider.
