
Fragile links: Why supply chain security cannot be ignored

Chris Newton-Smith at IO breaks down the implications of alarming trends in supply chain security and explains what UK businesses must do now to defend themselves


When Jaguar Land Rover’s production line ground to a halt at the end of August, the culprit wasn’t a shortage of parts. It was down to a cyber-breach. Just three weeks later, airports across Europe faced chaos after attackers compromised Collins Aerospace’s MUSE software.

2025 has seen household brands make headline after headline after falling victim to cyber-attacks. From M&S to the Co-op and Harrods, it’s a year in which we’ve seen how connected, and vulnerable, UK companies have become. However, the warning signs have been there for a while.

Back in 2021, Gartner predicted that 45% of organisations globally would have experienced attacks on their software supply chains by 2025. Such figures are alarming, but if anything, it now looks as though that estimate was on the conservative side.

Figures from IO’s latest State of Information Security Report show that 61% of businesses have suffered a supply chain breach in the last year alone, with almost a third having faced operational disruption or financial loss. In turn, six in 10 cyber-security leaders are now of the view that security risks originating from third parties and supply chain partners have become “innumerable and unmanageable”.

Threat actors know small vendors can open big doors

Business resilience has become a real national concern. Modern organisations now depend on a mix of connected technologies, platforms and tools for critical business functions and processes, with sensitive data and information flowing through a maze of third-party providers such as cloud providers and data aggregators.

These immensely complicated digital footprints have become commonplace, with a host of vulnerabilities and potential failure points. The attack surface is wider than ever before, and nefarious actors know it, actively working to exploit weak links in the chain.

The cyber-attack on retailer Mango stands as a prime example. In October, the company disclosed that customer data was stolen from one of its external marketing suppliers. Why didn’t the attackers go after Mango itself? In many cases, threat actors are using smaller suppliers as soft entry points to larger targets. While they might not be the ultimate prize, smaller companies typically have fewer resources and so are seen as an easier route into the larger organisations they serve.

Statistics from IO’s survey reflect that. Of those cyber-security leaders within SMEs with up to 49 employees, 28% reported supply chain disruption or cascading partner issues following a customer data breach, compared with 21% of large enterprises. Such figures suggest that small companies are less able to contain the fallout of third-party incidents due to more limited resources, smaller security teams, and fewer formal risk processes.

Overconfidence is leaving businesses exposed

For cyber-criminals, it’s a proven avenue of attack through which larger companies can be impacted. For companies, meanwhile, there is currently false confidence in their ability to combat these threats.

IO’s survey shows that as many as 97% of cyber-security leaders are confident in their breach response – a figure that’s in direct contrast with the fact that 61% suffered a third-party or supply chain attack in the past 12 months.

The disparity may, at least in part, be due to an underestimation of supply chain threats. Only 23% of respondents ranked supply chain compromise among their top emerging threats, placing it below AI misuse, misinformation and phishing.

Knowing the turmoil that supply chain attacks can cause, this is surprising. Among those who suffered a third-party or supply chain attack, 38% faced customer, employee or partner data breaches, 35% suffered financial losses or unplanned costs, and 33% were subject to temporary system outage or operational disruption.

Three steps to protect against supply chain attacks

The Government is working with security services and MI5 to prioritise the supply chain threat in the wake of what has become a rising tide of attacks. However, this research highlights that many businesses aren’t fully prepared for the next major supply chain shock.

Given the potential impacts, that needs to change. Fortunately, 80% of organisations have already enhanced their third-party and vendor risk management practices during the last 12 months, with an additional 17% planning to do the same in the coming year.

Where should that funding be directed? Three key priorities stand out:

#1 – More robust partnership agreements
Security needs to be made a priority in contractual agreements from the outset. Outlining expectations and defining requirements and responsibilities will help to ensure accountability.

#2 – Stronger vetting processes
Just because a third party upheld security best practices in initial assessments does not mean it is safe to assume they will continue to do so. To validate ongoing effectiveness, it’s wise to audit suppliers regularly. In doing so, you build a clearer understanding of each partner’s specific risk profile.

#3 – Enhanced information security measures
It’s also important to ensure you are leveraging best practices before asking suppliers to meet specific requirements. Therefore, it’s worth reviewing internal practices on a regular basis through routine security audits and incident response plan testing.

For those looking to implement these measures, tapping into proven frameworks like Cyber Essentials and ISO 27001 can be a logical place to start. Alternatively, working with a qualified cyber-security partner can make for a seamless, straightforward process.

Either way, it is vital that third-party risks are taken more seriously and the right mitigations are put in place. The recent flurry of attacks on UK firms has highlighted the extent of the threat. Companies must now ensure they respond.

Chris Newton-Smith is CEO of IO

Main image courtesy of iStockPhoto.com and chabybucko


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543