Why supply chain resilience is under the spotlight
As attackers continue to target third party suppliers, what can firms do to boost resilience?
Supply chains are still seen as an easy entry point for attackers. Last year, Verizon’s Data Breach Investigations Report revealed that 30% of breaches were linked to third-party involvement. The figure is twice that of the previous year, driven in part by vulnerability exploitation and business interruptions.
Another survey by SecurityScorecard found more than 70% of organizations experienced at least one material third-party cybersecurity incident in the past year, with 5% suffering 10 or more.
The last year has seen numerous high-profile breaches of third parties, including the recent attack on NHS supplier DXS International. The now-infamous Marks & Spencer breach in May 2025 was also traced back to a social engineering attack on a third-party contractor.
These incidents come as regulations such as the UK Cyber Security and Resilience Bill and EU’s Cyber Resilience Act (CRA) mandate resilience across the supply chain.
As attackers continue to focus on third-party suppliers, what can firms do to boost resilience and comply with regulation?
Attractive targets
Suppliers are attractive targets because they provide “a shortcut into larger organizations”, says Nathan Davies-Webb, principal consultant at Acumen Cyber. “Suppliers can have trusted access to systems, data and networks, but may not have the same level of security maturity as their customers.”
This leads adversaries to focus on the weakest link in the chain. Supplier access is often “over privileged, poorly monitored or not regularly reviewed”, allowing attackers to “move quickly and remain undetected once inside”, says Davies-Webb.
Cyber criminals often view suppliers as “the path of least resistance”, agrees Richard LaTulip, field chief information security officer at Recorded Future. “In most cases, vendors won’t have the same levels of cybersecurity maturity, staffing or budget as their large enterprise customers. Attackers exploit this imbalance in supply chains.”
The recent DXS International incident is a reminder of “how effectively attackers are targeting the weak underbelly of supply chains”, says LaTulip. “Threat actors are exploiting the trust that exists between large businesses and smaller suppliers, using those vulnerabilities to pick apart and exploit high-value targets.”
The core challenge to IT supply chains
Part of the problem is that many firms lack visibility into their supply chains, creating gaps for adversaries to exploit. “Many organizations depend on hundreds of suppliers, yet have limited insight into how secure they really are,” says Davies-Webb. “The problem quickly compounds when you start to consider fourth and fifth party risk.”
This is made more complex by the fact that global supply chains are “inherently difficult to monitor”, says Nicola Taylor, chief operating officer at ScotlandIS. “The scale, complexity and interdependence of it all make it harder to track vulnerabilities and enforce safety standards consistently.”
At the same time, even when due diligence is carried out at onboarding, security can degrade over time, Davies-Webb warns.
Additionally, governance strategies aren’t keeping up with the fast-moving threat landscape. “While third party risk is just one element of the supply chain, it is the biggest concern because so many organizations depend on external partners without truly understanding their security maturity,” says Pierre Noel, field CISO at Expel.
This problem is amplified by “a reactive culture”, says Noel. He thinks many organizations treat cyber risk as “a cost center”, investing meaningfully “only after something bad happens”.
“Boards understand fraud, but they don’t instinctively understand breaches,” he explains. “Without regulatory pressure or clear return on investment, security remains a box-ticking exercise.”
Supply chain regulation
Various regulations are forcing organizations to take supply chain risk more seriously, which is a good thing. However, keeping up with a vast set of requirements is also increasing pressure and stress on firms, says Davies-Webb.
Laws such as the UK Cyber Security and Resilience Bill and the EU CRA require firms to demonstrate oversight of supplier security – not just their own. “That means mapping dependencies, enforcing standards and proving compliance,” Davies-Webb explains.
Yet organizations are still building the capability to map their suppliers, which is not an easy task for global companies dealing with hundreds or thousands of third parties. “Compliance can quickly become a paperwork exercise unless it is backed by genuine security monitoring and risk management,” says Davies-Webb.
Another challenge lies in the UK’s Cyber Security and Resilience Bill and the EU CRA’s enforcement of “unprecedented transparency”, adds Ivan Milenkovic, vice president, risk technology EMEA at Qualys. The CRA, for instance, mandates a Software Bill of Materials (SBOM) and requires actively exploited vulnerabilities to be reported within 24 hours.
Meanwhile, there is still uncertainty around what the final form of the UK Cyber Security and Resilience Bill will be, says Harry Mason, head of client services at Mason Infotech. Adding to the load, other EU regulations such as the Network and Information Systems Directive 2 (NIS2) also include requirements that those operating in the bloc need to consider.
Increasing resilience
Supply chain security can be challenging, but there are a few steps businesses can take to ensure they are as resilient as possible. Improving supply chain security requires “a proactive and organization-wide approach”, says Chris Brown, SVP UK market leader at NCC Group.
As a first step, he advises “mapping suppliers across all tiers to uncover hidden dependencies and gain full visibility”.
One of the most effective ways to increase third party security is through procurement, says Taylor. This means requiring evidence-based security assurance, clear obligations around patching, access controls and incident response as part of the process, she says. “And making sure governance frameworks are formalized, whether through contracts or regular audits, helps companies to stay on top of it.”
Basics such as Cyber Essentials certification, strong password policies and multi-factor authentication “should be non-negotiable”, Mason adds.
It’s also important to anticipate disruptions through scenario planning and stress-testing, and to continuously monitor suppliers, says Brown.
To boost supply chain resilience, organizations must treat suppliers as “an extension of their own environment”, Davies-Webb advises. “Start with identifying which suppliers present the greatest risk based on access and data sensitivity, and break these out into an appropriate tiered model.”
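The tiered model Davies-Webb describes, combined with the procurement baselines Taylor and Mason mention (MFA, Cyber Essentials, regular review), can be expressed as a small triage routine. The following is an added example, not code from the article or any of the firms quoted; the scoring scale, review intervals and supplier records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Supplier:
    name: str
    access: str            # hypothetical scale: "none", "read", "privileged"
    data_sensitivity: str  # hypothetical scale: "public", "internal", "confidential"
    mfa_enforced: bool
    cyber_essentials: bool
    last_review: date

# Assumed scoring: access to systems and sensitivity of data drive the tier.
ACCESS_SCORE = {"none": 0, "read": 1, "privileged": 3}
DATA_SCORE = {"public": 0, "internal": 1, "confidential": 3}
# Assumed re-review cadence in days per tier; tier 1 is the riskiest.
REVIEW_INTERVAL_DAYS = {1: 90, 2: 180, 3: 365}

def tier(s: Supplier) -> int:
    score = ACCESS_SCORE[s.access] + DATA_SCORE[s.data_sensitivity]
    if score >= 5:
        return 1
    if score >= 2:
        return 2
    return 3

def review_findings(s: Supplier, today: date) -> list[str]:
    """Flag baseline controls that are missing or assurance that has gone stale."""
    findings = []
    if s.access != "none" and not s.mfa_enforced:
        findings.append("MFA not enforced")
    if not s.cyber_essentials:
        findings.append("no Cyber Essentials certification")
    limit = REVIEW_INTERVAL_DAYS[tier(s)]
    if (today - s.last_review).days > limit:
        findings.append(f"review overdue (>{limit} days)")
    return findings

def triage(suppliers: list[Supplier], today: date) -> dict[str, tuple[int, list[str]]]:
    return {s.name: (tier(s), review_findings(s, today)) for s in suppliers}

# Constructed sample inventory, not real suppliers.
SAMPLE = [
    Supplier("managed-service-provider", "privileged", "confidential", True, True, date(2025, 1, 10)),
    Supplier("payroll-saas", "read", "confidential", False, True, date(2025, 4, 1)),
    Supplier("office-catering", "none", "public", False, False, date(2024, 3, 1)),
]

if __name__ == "__main__":
    for name, (t, findings) in triage(SAMPLE, date(2025, 6, 1)).items():
        print(f"tier {t}  {name}: {findings or 'no findings'}")
```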
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.