Over 80% have experienced security certification requests from business partners.

Survey on the Actual State of Supply Chain Security Evaluation Systems

~The gap between required security levels and the current situation is highlighted~

Over 80% have experienced security certification requests from business partners. While only 19.4% have an accurate understanding of their IT assets, 81.3% intend to increase investment.
SmartHR Co., Ltd. (Headquarters: Minato-ku, Tokyo; CEO: Masato Serizawa) conducted a “Survey on the Actual State of Supply Chain Security Evaluation Systems” targeting 222 individuals involved in their company’s IT assets and security measures at companies with 100 or more employees.

Survey Summary

Background

In recent years, with the increasing sophistication of cyberattacks and the rise of attacks targeting the entire supply chain, there is a growing demand for strengthened security measures that include not only individual companies but also their business partners. In response to this trend, the Ministry of Economy, Trade and Industry plans to launch the “Security Measures Evaluation System for Strengthening Supply Chains (SCS Evaluation System)” by the end of fiscal year 2026, and companies are expected to be required to guarantee more objective security levels than ever before.

*1 | Ministry of Economy, Trade and Industry | “Supply Chain Security Evaluation System” “Policy on the Establishment of a System for Evaluating Security Measures to Strengthen the Security Chain” | https://www.meti.go.jp/press/2025/03/20260327001/20260327001.html

On the other hand, in practical business settings, there is already an increasing demand from business partners for proof and reports regarding security measures, which may be becoming a burden for some companies. Furthermore, while the widespread adoption of convenient SaaS has broadened the usage scenarios for IT assets and accounts, it has also highlighted the urgent need to create systems for centrally monitoring and controlling them.

Based on this background, this survey was conducted with the aim of clarifying the current state and challenges of supply chain security measures in companies, as well as their future intentions.

Results Summary

Over 80% of IT asset and security personnel have experienced being asked for security certifications/reports by business partners.

Only 19.4% have a complete and accurate understanding of all SaaS and IT tools.

While “insufficient budget” was the most common reason for insufficient security measures (49.2%), 81.3% plan to “increase” investment based on the SCS evaluation system.

Overview of the Survey

  • Survey Name: Survey on the Actual State of Supply Chain Security Evaluation Systems
  • Survey Method: Internet Survey
  • Survey Period: April 15-16, 2026
  • Valid Responses: 222 individuals involved in their company’s IT assets and security measures at companies with 100 or more employees.

*2 | Percentages are rounded to two decimal places (may not add up to 100%)

Survey Results (Partial Excerpt)

(1) Over 80% of respondents have been asked for security certification by business partners

When asked if they had ever been asked by business partners to provide proof or a report on their company’s security measures, 15.3% answered “frequently,” and 33.3% answered “several times.” Including the 36.5% who answered “only once,” it was revealed that 85.1% of respondents had received such a request.

  • Frequently requested: 15.3%
  • Requested several times: 33.3%
  • Requested only once: 36.5%
  • Never requested: 12.6%
  • Don’t know/Cannot answer: 2.3%

(2) Understanding SaaS and IT Tools: Only 19.4% “Accurately Understand All”

A survey on the level of understanding of SaaS (cloud services) and IT tools used within their companies revealed that only 19.4% responded that they “have a centralized and accurate understanding of all services, accounts, and users.” On the other hand, 32.9% responded that “they understand the services they use, but not the number of accounts or users.” This reveals that while companies recognize the existence of the tools, they are not keeping up with managing (inventorying) their actual usage.

  • 19.4% are able to accurately track all services, accounts, and users in a centralized manner.
  • 32.9% are aware of the services being used, but not the number of accounts or users.
  • 42.3% are able to accurately track some services, but not the whole picture.
  • 4.5% are unable to track most services.
  • 50% are unable to answer/don’t know.

(3) Deleting Departed Employees’ Accounts: 32.0% Answer “More Than One Month,” and Some Companies Lack Rules

When asked how long it takes to delete or disable SaaS accounts of employees who have left the company, 32.0% responded that it “sometimes takes more than one month.” Additionally, 7.2% responded that “rules for deletion/disabling are not established.” In total, 39.2% of respondents indicated that account processing after employee departure is not completed immediately, or that operational rules are not in place.

  • No established rules for deletion/disabling: 7.2%
  • May take more than one month: 32.0%
  • Within one month: 36.5%
  • Within one week: 15.8%
  • Immediately (on the day of resignation): 6.3%
  • Don’t know/cannot answer: 2.3%

(4) Reasons for insufficient security measures: “Insufficient budget” was the top reason at 49.2%, followed by “Lack of dedicated personnel” at 47.6%.

When those who reported that their company’s security measures were insufficient were asked for the reasons, the most common response was “We haven’t secured the necessary budget for security measures” at 49.2%. This was followed by “We lack dedicated security personnel or staff” at 47.6%, and “We don’t know where to start” at 39.7%.

  • Insufficient budget for necessary countermeasures: 49.2%
  • Lack of dedicated security personnel or staff: 47.6%
  • Unsure where to begin: 39.7%
  • Gap in security awareness between management and staff: 33.3%
  • Lack of overall understanding of IT assets and accounts used by the company: 23.8%
  • Lack of coordination between the IT department and other departments (HR, general affairs, etc.): 19.0%
  • Existing systems and tools are outdated: 14.3%
  • Not fully utilizing external expertise and support: 12.7%
  • Other: 0.0%
  • Don’t know/Cannot answer: 0.0%

(5) 81.3% of those aware of the SCS evaluation system plan to “increase” security investment in light of the system’s launch.

When asked about their plans to review security investment in conjunction with the launch of the SCS evaluation system, among those aware of the system, 13.1% responded that they “plan to significantly increase” investment, and 68.2% responded that they “plan to slightly increase” investment.

  • Plan to significantly increase: 13.1%
  • Plan to slightly increase: 68.2%
  • Plan to maintain current levels: 16.2%
  • Plan to decrease: 1.0%
  • Don’t know/Cannot answer: 1.5%

Comment by Hiroya Sasaki, IT Systems Product Unit, Product Marketing Division, SmartHR

This survey reveals that requests for proof and reports on security measures from business partners are already widespread, indicating a shift in security measures across the entire supply chain from “required” to “prerequisite.”

On the other hand, less than 20% of companies responded that they “accurately understand all” the SaaS, IT tools, and account information they use, and it became clear that dealing with accounts of former employees is also time-consuming. The gap between increasing external demands and inadequate internal management systems appears to be a common challenge for many companies.

Furthermore, over 80% of companies plan to increase investment in security measures, indicating a strong awareness of the challenges faced by many companies, but also suggesting they are struggling to determine where to begin.

It is likely that a key approach going forward will be to start with foundational measures such as inventorying and visualizing one’s own IT assets and accounts, and then implement security measures in a way that can be easily integrated into daily operations.

Source: “SmartHR Survey (Supply Chain Security Evaluation System Actual Situation Survey)” https://smarthr.jp/release/20260528/
