Why your biggest cyber risk might not be inside your organisation – Supply Chain security must be a business focus both today and in the future

The attack that starts next door

When security teams map their risks, they tend to focus on what they can see and control: their own infrastructure, endpoints, and perimeter. That instinct is understandable. It is also increasingly misaligned with how the most significant breaches of the last two years have happened.

The pattern is consistent. An organisation with mature security controls, a hardened perimeter, and a well-resourced IT team is compromised, not through their own systems, but through a supplier. A managed service provider with access to their network, a software vendor whose update mechanism became a delivery vehicle for malicious code, a cloud platform partner whose credentials were harvested and used to move laterally into the customer’s environment.

The attacker did not knock on the front door. They walked in through a side entrance that the target organisation had never fully audited, and in many cases, did not even know existed.

This is the defining characteristic of modern supply chain cyber risk. It does not respect the perimeter you have built. It exploits the trust relationships you have extended, often necessarily, often legitimately, to the network of third parties your organisation depends on to function.

The scale of the problem is structural, not incidental

It would be reassuring to treat high-profile supply chain attacks as edge cases: sophisticated operations carried out by well-resourced nation-state actors against strategically significant targets. The data does not support that reassurance.

According to the Verizon Data Breach Investigations Report 2025, more than 30% of data breaches now involve a third-party element. Blackberry’s 2024 survey of IT decision-makers found that more than 75% of software supply chains had been exposed to a cyber attack in the preceding twelve months. And the UK Government’s Cyber Security Breaches Survey 2025 found that only 14% of organisations had undertaken a formal security review of their supply chain in the last year.

Read those three figures together and the picture becomes clear. Third-party attacks are not rare. They are not declining. And the vast majority of organisations have not formally assessed the risk they carry through their supplier relationships.

This is not primarily a technology problem. It is a governance and visibility problem. Most organisations have grown their supplier base organically over years or decades, extending access and data-sharing relationships as the business required them, without building a proportionate framework for assessing and managing the security posture of those suppliers over time.

The result is a risk landscape that is both significant and largely invisible.

Why traditional approaches fall short

The conventional response to supply chain risk tends to rely on one of two mechanisms: contractual protections, or certification-based assurance. Both have genuine value. Neither is sufficient on its own.

A supplier’s ISO 27001 certificate, or their signed GDPR data processing agreement, tells you about their intent and their documented processes at the point the certificate was issued. It does not tell you about the controls that are actually operating today, in the specific parts of their business that touch your data and your systems. Certification can be narrowly scoped, out of date, or simply not reflective of the real-world security posture of an organisation at a given moment.

Supplier questionnaires suffer from a different but related problem. They are typically completed once, reviewed once, filed, and then largely forgotten, while the risk environment continues to evolve. A supplier that passed your assessment two years ago may have undergone significant organisational change, technology change, or personnel change since then. The questionnaire response that gave you comfort at the time has not been updated to reflect any of it.

The deeper issue is one of volume and capacity. A typical mid-sized organisation has dozens, sometimes hundreds of suppliers with some form of digital access or data-sharing relationship. Applying consistent, meaningful scrutiny to every one of those relationships, at the depth required to form a genuine view of security posture, is not feasible without a structured, risk-prioritised approach that distinguishes between the suppliers that represent real exposure and those that do not.

The five gaps that create real exposure

Through our work with organisations across financial services, professional services, engineering, and critical infrastructure, five specific gaps appear with consistent regularity.

The first is the absence of a consolidated supplier inventory. Most organisations cannot produce, without significant effort, a complete list of which third parties have access to their systems, what level of access they hold, and what data they can reach. That baseline simply does not exist in a structured, maintained form.

The second is the reliance on static risk pictures in a dynamic environment. Supplier relationships change. Personnel change. Technology changes. A risk assessment that does not have a defined refresh cycle is a record of how things were, not how they are.

The third is the gap between contractual assurance and operational reality. Contracts establish obligations. They do not verify compliance. The difference between what a supplier is contractually required to do and what their security controls actually look like in practice can be significant, and that gap is rarely visible without independent assessment.

The fourth is the absence of incident response planning that accounts for supplier failure. Most organisations have internal incident response plans. Far fewer have pre-agreed response playbooks that cover the specific scenario where a supplier is compromised and the organisation needs to contain, investigate, and communicate about that compromise quickly. When a supplier incident occurs, the organisations that respond well are those that had already mapped their exposure in advance.

The fifth is the growing commercial and regulatory pressure that makes this governance gap increasingly visible. Insurers are asking harder questions about third-party risk management as a condition of coverage. Regulated sectors face specific obligations around supply chain oversight. Enterprise customers are requesting evidence of third-party assurance as part of procurement processes. The organisations that cannot answer these questions clearly are finding that the absence of a supply chain risk framework carries direct commercial consequences.

The right approach: structured, risk-prioritised, proportionate

Effective supply chain risk management does not mean applying the same level of scrutiny to every supplier relationship. It means having a clear, defensible basis for understanding which supplier relationships represent the greatest exposure and directing your assurance effort accordingly.

That starts with building and maintaining a structured view of your supplier landscape: who has access, at what level, to what data and systems. It continues with a risk-prioritised approach to assessment that distinguishes between critical suppliers, significant suppliers, and low-risk relationships, and applies proportionate scrutiny to each tier. It is sustained through embedding supply chain security assessment into procurement and vendor management processes so that new relationships are evaluated consistently before access is granted, not retrospectively.

The output of this kind of programme is not just reduced risk. It is the documented evidence of due diligence that regulators, insurers, and enterprise customers are increasingly requiring and that boards need to be able to point to when the question of third-party risk management is raised.

When does this typically become urgent?

Supply chain cyber risk tends to crystallise as a priority at specific moments. Organisations approaching an insurance renewal are often asked to demonstrate their third-party risk management practices for the first time. Those going through merger or acquisition activity find that supply chain security is a growing focus of technical due diligence. Those onboarding a new critical supplier, a managed service provider, a cloud infrastructure partner, a key software vendor, recognise that they are extending significant trust and need to verify that it is warranted.

Public sector organisations facing procurement requirements, professional services firms whose clients are asking for evidence of supply chain assurance, and businesses that have recently experienced an incident (however contained) that involved a third-party element also consistently find that this becomes a priority quickly.

In each case, the trigger is different. The underlying question is the same: do we have genuine visibility of the risk we carry through our supplier relationships, and can we demonstrate that we are managing it?

Awards and Accreditations

blue light commercial logo

Contact Us

Cyberfort Ltd
Venture West,
Greenham Business Park, Thatcham,
Berkshire,
RG19 6HX

+44 (0)1304 814800

[email protected]


Cyberfort
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.