Tag: Cyber Risk Management (Consultancy)

Written by Hattie Irving – Cyberfort Security Consultant

With the UK Government’s 2025 Cyber Security breaches survey reporting that just 14% of UK companies have reviewed their supply chain risks posed by their immediate suppliers, and 7% have reviewed their wider supply chain in the last 12 months is it time organisations started to take their supply chain security risks more seriously?

At Cyberfort in recent months we have been exploring why supply chain security is still such a ‘blind spot’ for many organisations. Afterall most people reading this article will know supply chains are widely interconnected and will have some understanding of security risks posed by their supply chain. So why is this area of cyber security still not being taken seriously enough? Are supply chains too complex for organisations to map or is supply chain security being left behind with other conflicting priorities taking precedence?

In this article we explore why supply chain cyber security needs to be taken more seriously, practical actions organisations should undertake and how to mitigate supply chain compromise risks.

Dispelling the Supply Chain Security Control Myth’s

Let’s start with a reality check. Most organisations have direct relationships with tens or hundreds of third-party suppliers. Those suppliers have their own suppliers, and those suppliers have theirs. Within these layers of separation, an organisations sensitive data and critical systems are potentially exposed to thousands of companies, operating under security postures your organisation has never reviewed, and you can’t effectively monitor.

Unfortunately, along the way supply chain security has fallen into a ‘tick-box exercise’ trap. Many organisations are building their supply chain security on a foundation of trust and verification that assumes good faith, static relationships, and accurate self-reporting; this as opposed to auditing and testing suppliers’ security controls.

But the reality is supply chains are dynamic, interconnected, and muddled. Compliance reports provide a ‘point in time’ snapshot that are outdated the moment they are published. It reflects what they believe to be true, not what actually is true.

From our experience at Cyberfort we have identified 5 common challenges organisations are facing when it comes to supply chain cyber security:

Low recognition or understanding of the risk that poor supply chain security can pose

Lack of investment to protect against supply chain risk

Limited visibility of supply chains

Insufficient tools and expertise to evaluate suppliers cyber security practices

Not knowing what you can ask of your suppliers

These challenges may appear easy to recognise and resolve on the surface. But the reality is, due to the complexities involved with supply chain security, the actions required to overcome them can be challenging without expert support.

Why is supply chain security a problem?

Managing supply chain security is the responsibility of all businesses.  Organisations who do not consider their cyber security posture an important part of their supply chain operations are putting their customers and potentially industry at risk of attack.

A lack of understanding of your organisations supply chain can leave you vulnerable to:

Software supply chain attacks – attackers will undermine security on a software system, library or product enabling access to organisations which use the product. SolarWinds is a key example of a software supply chain attack when a routine patch deployed by the company spread malicious software to their customers which had been added to the application after SolarWinds had audited their code. Any user using the infected Orion software and connected to the Internet would now be compromised.

Service provider supply chain attacks – attackers will target managed service providers (MSPs) or IT infrastructure vendors to reach as many clients at once. This was brought to global attention last year when M&S, Co-op and Harrods were all compromised by DragonForce who used social engineering to undermine security of IT helpdesk staff at Tata Consultancy Service (TCS).

Hardware supply chain attacks – malicious actors will undermine the authenticity of physical components during manufacturing to gain persistence in their targeted supply chain. One of the early examples of hardware supply chain attacks is Stuxnet – a worm introduced into the network of the Iranian nuclear defence facility via infected USB drives combining both hardware and software attack.

So what does this tell us? Your organisation may have already been indirectly compromised without even realising it.

Even if you detect anomalous activity in your environment, determining whether it originated from your infrastructure or came through a supplier is difficult. Modern attacks are designed to blend in with legitimate traffic, leveraging authorised access and trusted relationships to avoid detection.

When supplier credentials are compromised/stolen and used to access systems, the activity looks legitimate. When malicious code is injected into a software update, your systems install it voluntarily. When a compromised supplier employee account accesses your data, all the logs show is authorised access.

This creates a detection problem that most security teams are not equipped to solve.

Compliance doesn’t equal supply chain security

One of the major reasons supply chain security remains a ‘blind spot’ for many organisations is the misconception that ‘passing a compliance audit must mean we are secure’.

ISO certifications, SOC 2 reports, and supplier security questionnaires are all important and  have their place. But they create the appearance of diligence without reducing risk. Compliance frameworks are minimum baselines, not security guarantees. They measure what organisations claim to do, not what they actually do. They assess controls at a point in time, not continuously. Suppliers holding ISO 27001 is like having a valid MoT, your car has obtained the minimum roadworthiness. However it does not tell the us anything about that vehicles performance, how it is driven or how it performs under high levels of strain. Just because it has a pass today does not mean it will still be usable next week or month.

It’s important to note that the threat landscape evolves daily. New vulnerabilities are discovered, attack techniques emerge, suppliers change their infrastructure and implement new security practices. Quite often these recent changes are not reflected in certifications your organisation reviewed during supplier onboarding.

The harsh reality is an organisation can have a fully compliant supply chain and still be compromised.

Understanding Visibility Gaps

Most organisations have no idea what’s actually happening in their supply chain. As identified by the UK Government’s Cyber Breaches survey mentioned earlier in this article. Most businesses know who their suppliers are and might know what data and services they access. But they almost certainly don’t know what their suppliers’ suppliers are doing, what subprocesses are involved, where data is actually stored, or who has access to their systems at any given moment.

You cannot defend what you cannot see. You cannot detect anomalies in relationships you don’t monitor. You cannot respond to incidents in systems you don’t understand. You cannot recover from breaches when you don’t know how deep the compromise goes.

Modern attack methods exploit this gap. They compromise the parts of your supply chain that your organisation is not watching or monitoring and move through connections you didn’t know existed.

Does your Incident Response Plan incorporate your organisations supply chain?

Imagine discovering a breach tomorrow. Your incident response plan leaps into action. You isolate systems, contain the damage, begin forensic analysis. You notify customers, regulators, stakeholders.

Now imagine discovering that the breach originated from a supplier. Which supplier? When did it start? What data was accessed? How many other customers of that supplier are affected? Does the supplier even know they’re compromised?

Welcome to the supply chain incident response nightmare.

Traditional incident response assumes you control the compromised infrastructure. But in supply chain attacks, the initial compromise happened somewhere else, possibly weeks or months ago, in systems you don’t own, can’t access, and may not even know about.

Your ability to contain the breach depends on a third party’s ability to detect it, understand it, and respond to it. Your timeline for notification is limited by how long it takes the supplier to realise they’re the source. Your recovery depends on trusting that the supplier has fully remediated their systems before you re-establish the connection.

This is not a position you want to be in.

Do you know what your organisation can ask of its suppliers?

Supplier assessment can be easily overcomplicated. At Cyberfort we suggest you start small and map suppliers out – include software vendors, cloud services and anyone who has access to your data. From here rank them by criticality to your operations – who has the most access, who handles the most sensitive data and who can your business not survive without.

Once you’ve got a comprehensive list of your suppliers, track their answers to the following questions to better understand your supply chain security.

  • Do you have ISO27001 or cyber essentials certification?
  • Have you had a data breach, when and what happened?
  • How do you train your staff on security?
  • Have you assessed your suppliers security?
  • How is access to data controlled within your organisation?

How can you use your suppliers answers to better protect your business

Once you have defined your supplier’s security posture and understand what they do to protect themselves you can begin to think how to better protect your organisation.

Stress testing – test your suppliers security measures through tabletop and live exercises. Use simulations of low and high impact events to understand the limitations of your incident management process.

Incident and crisis management – Establish an effective incident management process to improve business resilience, support business continuity and reduce financial impact.

  • Ensure you have an agreed incident management process with your suppliers.
  • Run a crisis simulation exercise to model supply chain compromise and work through the initial steps your organisation would undertake.
  • Be prepared to provide support and assistance to suppliers where security incidents have thew potential to impact your organisation or the wider supply chain.
  • Share information with suppliers to help prevent them falling victim to cyber-attacks.

Be aware of your horizon  – changes in the types of cyber threat you are experiencing, vulnerabilities, best practices and technology may impact your supply chain security. Be aware of changes to geo-politics and the economy which may impact your business and its overarching supply chain security. Consider undertaking a threat modelling session to understand your key threats and how they may materialise for your business.

Ensure contracts have clauses to enforce high cyber security standards for suppliers. Any which have access to your company data should be compliant with your defined cyber security standards.

Consider cyber security insurance to work in parallel with your protective measures. If the worst case scenario does happen insurance will cover ongoing business costs which have arisen from dealing with a breach.

Final Thoughts

Managing supply chain risk doesn’t need to be a complex and time-consuming endeavour, taking small informed steps to begin mapping suppliers is the starting point. Ask them the right questions and plan appropriate mitigations around them and their suppliers is a great way to get started to fortify your businesses cyber operations. Start small with just one supplier to outline a process which works for you and your suppliers and build from there.

In 2026 it’s important to take supply chain security seriously. Based on what we have seen over the past 12 months it is highly likely your supply chain is already compromised. Somewhere in your supplier ecosystem, there’s a vulnerability waiting to be discovered, credentials waiting to be stolen, or an access point waiting to be abused.

The organisations that survive the next generation of supply chain attacks won’t be the ones with the most certifications or the longest supplier questionnaires. They’ll be the ones who built systems that assume compromise and invested in continuous visibility and response capabilities required to operate in a hostile environment.

The question is no longer whether you’ll face a supply chain attack. It’s whether you’ll detect it and bounce back from it should the worst happen and your organisation is breached. If this all feels too complex for you and your team seek professional guidance from an MSSP partner with the right credentials.

For more information about Cyberfort Supply Chain security services contact us at [email protected] and one of our experts will be in touch.

Written by Declan Thorpe – Cyberfort Information Security Consultant

Cyber incidents rarely begin with a clear warning. Most start with small signals, a login that doesn’t fit a pattern, a process running where it shouldn’t, a connection that looks out of place. The organisations that spot these signals early tend to have more options, more time and more control over what happens next.

The incident Co-op faced in April 2025 highlighted this reality. Public reporting shows that the organisation acted early, intervening before the attackers were able to move deeper into systems or attempt more damaging activity. Early intervention of this kind usually reflects an ability to recognise unusual activity quickly and understand enough about the situation to respond with confidence.

In a year marked by several high-profile retail cyber incidents, Co-op’s response stood out for its steadiness. The organisation acted early, demonstrating the value of understanding your environment well enough to recognise when something is out of place and intervene before the situation grows. The incident reinforced that visibility is more than a technical concept; it is a practical enabler of timely, confident decision-making that can meaningfully influence the trajectory of an incident.

A quick look at what happened

Co-op experienced a cyber-attack that resulted in unauthorised access to personal data belonging to a very large number of its members. Public reporting linked the activity to known threat actor group, DragonForce. While the attackers were able to copy certain data, they were prevented from moving deeper into systems or deploying destructive tools.

Co-op’s leadership later explained that the organisation had clear visibility of the attackers’ activity, describing it as being able to “see every mouse click.” That level of insight, based on what was publicly shared, helped the organisation understand what the attackers had accessed and how far the intrusion had progressed. This clarity supported the investigation and allowed decisions to be made based on observable activity rather than assumptions.

Even with early detection and containment, the attack created operational challenges. Stores experienced stock shortages, some customers encountered payment issues, and the organisation reported a noticeable financial impact. Additional one-off costs were incurred as part of the response and recovery effort.

Despite this, the outcome could have been significantly more severe. Early insight into the intrusion helped prevent escalation, reduce uncertainty and support a more controlled response. It also highlighted the value of understanding what is happening inside an environment before the situation accelerates.

Why this was really a story about visibility and early detection

The Co-op incident illustrated how much difference early detection makes during a cyber-attack. Many organisations focus on recovery, but this case highlighted the decisions that come before recovery even begins, the moment when something unusual is first noticed and teams need to decide what to do next.

Several practical realities became clearer.

Early detection gives organisations more time and more options

Spotting unusual activity early allows teams to intervene before attackers escalate their access or attempt more damaging actions. Time is one of the most valuable assets during an incident, and early detection effectively creates more of it.

Visibility doesn’t require a large budget

A fully staffed SOC is valuable, but not every organisation can afford one. What matters most is understanding your assets, knowing what “normal” looks like and having monitoring in place that highlights meaningful deviations. These fundamentals are achievable for organisations of all sizes.

Informed decisions depend on knowing your environment

When teams understand their systems, dependencies and typical behaviour, they can interpret signals more accurately and avoid acting on assumptions. Visibility supports clarity, and clarity supports better decisions.

Containment is most effective when guided by insight

Containment works best when teams know what the attacker has done and what they haven’t. That clarity comes from visibility, not guesswork. Early insight helps teams act with precision rather than disruption.

The incident showed that visibility is not just a technical capability, it is a foundation for better decision-making. When organisations understand what is happening early, they can respond with greater confidence and reduce the likelihood of a wider operational crisis.

What Organisations Can Learn and Apply Right Now

Incidents like the one Co-op experienced highlight how important it is for organisations to understand what is happening inside their environment before an intrusion has the chance to escalate. The lessons are not unique to retail, they apply across sectors, especially where operations and customer facing systems depend on accurate, timely insight.

The following areas stand out.

Know Your Assets

You cannot detect what you cannot see. Organisations benefit from:

  • a clear, current view of their systems
  • understanding which assets matter most
  • awareness of where sensitive data lives
  • visibility of external facing services

Asset visibility is the foundation on which detection capability is built, if you don’t know what is in your environment then you don’t know what you are protecting. It reduces blind spots and helps teams recognise when something is out of place.

Monitor What Matters

Monitoring does not need to be complex or expensive. What matters is:

  • logging activity from key systems
  • watching for unusual authentication patterns
  • tracking changes to critical configurations
  • alerting on deviations from expected behaviour

Even basic monitoring can surface early signals that something is wrong.

Establish Clear Escalation Paths

Early detection only helps if teams know what to do next. Organisations benefit from:

  • simple, well understood escalation routes
  • clarity on who investigates alerts
  • thresholds for when to act
  • confidence that raising a concern is the right thing to do

This turns visibility into action. It ensures that when something unusual is spotted, it does not sit unnoticed or unaddressed.

Use Early Insight to Guide Containment

Containment is most effective when informed by what you can see. Early insight helps teams:

  • isolate affected systems
  • prevent escalation
  • avoid unnecessary disruption
  • focus recovery efforts where they matter most

This is where visibility directly shapes the outcome. It allows containment to be targeted rather than broad, controlled rather than reactive.

Build Recovery on a Verified Safe Place

Recovery is easier and safer when systems remain intact, and the organisation has a clear view of the intrusion. Early detection helps preserve the conditions needed for:

  • restoring from trusted backups
  • validating system integrity
  • reintroducing services safely
  • avoiding reinfection

Safe recovery starts with early insight. When organisations understand what has happened, they can restore services with greater confidence and predictability.

Treat Visibility as a Resilience Capability

Visibility is not just a technical feature; it is a foundation for resilience. It enables:

  • earlier intervention
  • clearer decision-making
  • more accurate scoping
  • safer recovery
  • reduced operational impact

Organisations that invest in visibility are better positioned to respond calmly and effectively when the unexpected happens. It is a capability that supports every stage of an incident, from detection to containment to recovery.

A more constructive way to look at It

The Co-op cyber-attack was disruptive, but it also highlighted where organisations can strengthen their resilience. It showed how early detection can shape the direction of an incident, and how understanding your environment supports more confident decision-making.

Incidents like this are not just challenges, they are opportunities to learn. They reveal where visibility can be improved, where monitoring can be strengthened and where preparation makes a meaningful difference. They also remind organisations that resilience is not built on a single control or a single team; it is built on the combined effect of awareness, clarity and the ability to act at the right moment.

For many organisations, the most important lesson is that early detection is achievable. It does not require a large security operation or complex tooling. It requires knowing your environment well enough to recognise when something is out of place, and having the confidence to act before the situation grows. That capability, the ability to notice, interpret and respond, is what turns a potential crisis into a manageable event.

The organisations that take these lessons on board tend to respond with greater confidence and experience less disruption when the unexpected happens. They invest in visibility not because it prevents every incident, but because it gives them the insight, they need to make better decisions under pressure. You need visibility, awareness and the ability to recognise when something isn’t right.

Seeing clearly, and seeing early, can change the entire trajectory of an incident.

For more information about Cyberfort security services contact us at [email protected] and one of our experts will be in touch.

The rise of AI tools has been the fastest technology adoption curve in history. In under two years, millions of small businesses have started using tools like ChatGPT, Claude, and Midjourney to write marketing copy, summarise reports, or answer customer questions.

But as AI gets smarter, the risks become sharper and so does the need for governance.

The Double-Edged Sword of AI in SMB’s

AI can turbocharge productivity. It drafts documents, analyses trends, and automates repetitive admin at a fraction of the cost of human time. But behind the promise lies a fundamental truth: AI is only as safe as the data and instructions you feed it.

When staff paste client information, financial details, or internal plans into public AI tools, that data can be stored, processed, and used to train external models. It leaves your organisation permanently exposed, even if the upload was “just a quick test.”

Real-World Warnings

  • Samsung engineers accidentally leaked confidential source code by asking ChatGPT for help debugging it.
  • AI-generated phishing and voice cloning are now indistinguishable from the real thing -cybercriminals use these tools to impersonate CEOs and authorise fraudulent payments.
  • Marketing teams have faced copyright and privacy disputes after publishing AI-generated content built on protected data.
  • One SME experimenting with agentic AI bots – autonomous systems that act via APIs – accidentally flooded its internal Slack with thousands of automated messages, paralysing workflow for a day.

These aren’t hypothetical. They’re the early warning signs of a new risk class: AI misconfiguration and misuse.

Governance Is the New Firewall

AI governance doesn’t mean bureaucracy; it means boundaries. Businesses need to start taking this seriously and start by mapping where AI touches their business. For example, key questions which should be asked to assess where and how AI is being used in a business include:

  • What tools are employees using?
  • What data do they process?
  • Where do outputs go (to clients, websites, systems)?

Then, once you have answered the questions, a one-page AI Usage Policy should be created covering:

Approved tools and when to use them.

Data rules – never input confidential or identifiable information into public models.

Oversight – who reviews outputs before publication.

Accountability – who owns AI risk in your organisation.

Once you know where AI sits in your workflow, your MSP can help enforce controls like data loss prevention, sandboxing, and access logging.

The “Human in the Loop” Principle

AI is powerful but not autonomous. Even so-called “agentic” systems need human supervision.
Every AI-driven process should have a human checkpoint before any irreversible action happens (emails sent, payments triggered, data deleted).

Think of AI as an intern – fast, tireless, but prone to confidently getting things wrong.

Security Opportunities

There’s good news too: AI can strengthen your defences when used wisely. Modern detection tools use machine learning to identify anomalies faster than human analysts ever could. AI can summarise logs, flag risky behaviour, and help non-technical teams spot patterns they’d otherwise miss.
The difference between risk and reward is control.

Policy, People, and Partnership

The SMB advantage is agility, you can adapt faster than enterprises. Use that agility to get ahead with a few simple practices:

  • Assign an AI Lead to track developments, risks, and opportunities.
  • Include AI in your risk register and data governance policies.
  • Educate your teams: if they don’t understand how AI handles data, they can’t use it safely.
  • Work with your MSP to implement guardrails, such as API monitoring, MFA, and content-filtering on AI platforms.

Final Thoughts

AI isn’t the enemy. It’s the next evolution of productivity, and those who learn to govern it early will win. But governance can’t lag behind adoption.

As one security researcher put it: “AI doesn’t just make your business faster – it makes your mistakes faster, too.”

The question isn’t whether you’ll use AI; it’s whether you’ll use it safely. For more information about Cyberfort AI governance, risk and security services contact us at [email protected] and one of our experts will be in touch.

Artificial Intelligence (AI) – one of the most discussed topics in the world of technology. Everyday people are releasing reports, thoughts and articles on what AI can potentially do and the positive impact it will have on businesses, government organisations and society both today and into the future.

Cyberfort
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.