In recent years, the cyber security landscape has shifted significantly. Trust has diminished and can no longer be taken for granted. Organisations once focused primarily on preventing external threats, but as systems have become more complex, even insiders are no longer fully trusted.
The rise of insecure supply chains has added to the problem, driving growing interest in a zero-trust approach – a security model that never assumes trust by default and requires continuous authentication with least-privilege access. Today, businesses must protect themselves from external hackers, insider threats, and vulnerabilities in their supply chains, where privileged access often proves the hardest thing to secure.
Key Takeaways for Businesses
- Supply chain cyber risk affects everyone: a security breach at a supplier could directly impact your data, operations, and reputation.
- Supplier trust needs controls, not assumptions: even well-known organisations have historically been compromised through third parties.
- Manufacturing supply chains carry added risk: remote access, legacy systems, and physical components can all introduce vulnerabilities.
- Software supply chains are a prime attack target: widely used platforms and updates can expose thousands of organisations at once.
- Due diligence has limits: you can’t see every supplier risk, so systems should be designed to limit the impact of failure.
- Your own security still matters most: strong internal controls reduce the damage when external risks can’t be prevented.
- Certifications support risk management, not guarantees: Cyber Essentials and ISO 27001 show baseline controls, but they don’t eliminate risk.
Supply Chain Attacks Through Service Providers
Over time, cyber criminals have noticed how organisations have become increasingly reliant on third parties. This is partly by design – outsourcing non-core functions is seen as financially efficient – but also the result of the spread of WAN networking, which allows services to be delivered remotely.
This reliance isn’t optional in many sectors. A functioning supply chain is fundamental to business, especially in manufacturing, where complex operations depend on a web of specialist suppliers and service providers.
A recent example is the supply chain attack involving Marks & Spencer in June 2024, where attackers compromised a third-party supplier, resulting in unauthorised access to sensitive employee data. This incident highlights how a breach at a service provider can directly impact even large, well-known organisations.
The lesson? Just because you’ve protected your own accounts doesn’t mean your suppliers have done the same. This was a surprise to many businesses. Now, instead of simply trusting suppliers, organisations set clear checks and controls, limit what suppliers can do, and keep an eye on their activity.
Read about the biggest cyber attacks, year by year.
Supply Chain Risks in Manufacturing
Manufacturers rely on a wide range of suppliers and could even grant them remote access to both office networks and critical factory systems.
Suppliers provide the continual delivery of parts, materials, and services that keep production running. However, these also introduce extra risks:
- Remote access by suppliers for maintenance or support can be a weak point, especially if protected by shared or weak passwords.
- Physical components or materials supplied to the business can introduce vulnerabilities – compromised hardware, counterfeit parts, or even software embedded in equipment could all put production at risk.
- Older or poorly segmented factory networks make it easier for cyber attackers to move from a compromised supplier connection or device into other parts of the business.
A disruption from a cyber attack, contaminated materials, or a supplier’s operational failure could halt production. Any delays can be costly, while a major incident can stop manufacturing altogether.
As manufacturers become more connected and reliant on their supply chains, it could be crucial to secure digital access points and carefully vet and monitor the integrity of goods and services received.
Why Software Supply Chains Are Prime Targets
Today’s software relies on many third-party components, making it difficult for organisations to track where vulnerabilities might be hidden. Criminals can exploit weaknesses in these dependencies – sometimes by tampering with code on public platforms like GitHub. Even when issues are found, identifying and fixing them isn’t always straightforward, especially if no patch is available.
Software supply chains are a prime target. For attackers, compromising widely used software or update channels opens new ways to reach thousands of organisations at once. This has driven a wave of large-scale supply chain attacks over recent years, including the following:
- Malicious code was slipped into the SolarWinds Orion network monitoring tool used by thousands of companies around the world. Estimates of the number of companies affected range into the thousands, making this the most widespread single-incident compromise in history. Ironically, a possible contributor to the breach could have been the company’s own overseas supply chain.
- Okta, based in San Francisco, delivers cloud-based identity and access management services. Thousands of organisations worldwide rely on its single sign-on (SSO), multi-factor authentication (MFA), and API access management solutions. Repeated attacks on the organisation led, in October 2021, to the compromise of support files relating to 134 of its customers, which in turn led to attacks targeting major infrastructure providers Cloudflare, BeyondTrust, and 1Password.
- The 2023 attack on customers of the MOVEit file transfer platform is believed to have compromised, to varying degrees, the data of up to several thousand organisations.
A common feature of these incidents is that most of the providers involved were not well known, despite their software or services being widely used by businesses. That’s how supply chains work; today’s organisations depend on many suppliers like these and don’t consider their security until something goes wrong.
This highlights a core challenge of modern business. It’s easy to say, “Don’t trust your suppliers,” but doing so leads to a far more complex reality. In this world, nothing can be taken for granted and constant vigilance is essential.
Read more about the top cyber security risks for businesses.
Cyber Security Certification for Supply Chain Risk Management
Supply chain cyber attacks continue to evolve and are a growing concern for UK organisations of all sizes. Certification to recognised schemes such as Cyber Essentials, Cyber Essentials Plus, or ISO 27001 can help organisations demonstrate that appropriate cyber security controls are in place to manage common risks, including those introduced through third-party suppliers.
Request a quote today or contact our team to find out more about the certification process.
FAQs: Cyber Risks in The Supply Chain
Some organisations assess the security of their partners before doing business with them, especially when dealing with technology suppliers. Our article on Shadow Compliance explores how organisations increasingly conduct paid but covert security checks on the public-facing side of a partner’s web presence.
One mitigation is to risk-assess suppliers and partners more actively, for example, by compiling a software inventory so they know what’s inside their applications. However, many now believe organisations should go much further than this. If third-party vulnerabilities can’t be fully known, the best protection is to design your internal network to account for that uncertainty.
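The software inventory mentioned above is, in practice, a software bill of materials (SBOM) checked against advisories. The following script is an added example, not code from the original article or from any vendor it mentions: it reads a constructed CycloneDX-style SBOM (including a nested component), builds the inventory, and reports every component whose version is below a "fixed in" version taken from a constructed advisory list. Package names and advisory IDs are placeholders, not real advisories.

```python
import json

# Constructed CycloneDX-style SBOM fragment (sample data, not a real product inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1"},
    {"type": "library", "name": "example-yaml", "version": "5.1"},
    {"type": "library", "name": "example-xml", "version": "1.0.3",
     "components": [
        {"type": "library", "name": "example-zlib", "version": "0.9.8"}
     ]}
  ]
}
"""

# Constructed advisory feed: package name, first fixed version, placeholder advisory id.
ADVISORIES = [
    {"name": "example-yaml", "fixed_in": "5.4", "id": "ADV-PLACEHOLDER-001"},
    {"name": "example-zlib", "fixed_in": "1.0.0", "id": "ADV-PLACEHOLDER-002"},
    {"name": "example-http", "fixed_in": "2.0.0", "id": "ADV-PLACEHOLDER-003"},
]


def parse_version(version):
    """Turn a dotted version into a comparable tuple of ints ('5.1' -> (5, 1)).
    Non-numeric characters are dropped and trailing zeros stripped, so
    '1.0' and '1.0.0' compare equal and the comparison never raises."""
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def walk_components(components):
    """Yield every component, descending into nested 'components' lists
    (CycloneDX allows a component to carry its own sub-components)."""
    for component in components:
        yield component
        yield from walk_components(component.get("components", []))


def inventory(sbom_text):
    """Return the set of (name, version) pairs present anywhere in the SBOM."""
    sbom = json.loads(sbom_text)
    return {(c["name"], c["version"]) for c in walk_components(sbom.get("components", []))}


def find_affected(sbom_text, advisories):
    """Return [(name, version, advisory_id)] for every inventory entry whose
    version is older than the advisory's first fixed version."""
    by_name = {}
    for advisory in advisories:
        by_name.setdefault(advisory["name"], []).append(advisory)
    affected = []
    for name, version in sorted(inventory(sbom_text)):
        for advisory in by_name.get(name, []):
            if parse_version(version) < parse_version(advisory["fixed_in"]):
                affected.append((name, version, advisory["id"]))
    return affected


if __name__ == "__main__":
    for name, version, advisory_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} is affected by {advisory_id}")
```

The nested `example-zlib` component is the interesting case: it is not a direct dependency, yet it is still part of the application, which is exactly the kind of hidden dependency the paragraph describes. A real pipeline would replace the constructed advisory list with a vulnerability feed and the inline JSON with the SBOM produced by the build.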
The principles of zero trust sound simple enough until you realise that this approach requires organisations to stop trusting anything, including their own resources. In practice, this means mandating multi-factor authentication across all accounts, locking down all privileges, and segmenting the network to make lateral movement more difficult.
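To make the zero-trust principles above concrete, here is an added example (not code from the original article) of a default-deny access decision for supplier accounts. Every request, not just the initial login, is evaluated against a hypothetical policy: the account must be known, MFA must be verified, the device must pass a posture check, the target network segment must be on that supplier's allow-list, and the request must fall inside the supplier's maintenance window. The account names, segment names and policy structure are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical per-supplier policy: allowed network segments and a UTC maintenance
# window (start hour inclusive, end hour exclusive). Anything not listed is denied.
SUPPLIER_POLICY = {
    "pump-vendor-svc": {"segments": {"ot-maintenance"}, "window": (8, 18), "require_mfa": True},
    "payroll-saas-svc": {"segments": {"hr-apps"}, "window": (0, 24), "require_mfa": True},
}


@dataclass
class AccessRequest:
    account: str
    mfa_verified: bool
    device_compliant: bool
    target_segment: str
    timestamp: datetime  # timezone-aware


def evaluate(request, policy=SUPPLIER_POLICY):
    """Return (allowed, reason). Default deny: every check must pass, and the
    function is meant to run on each request so trust is never carried over."""
    entry = policy.get(request.account)
    if entry is None:
        return False, "unknown account: no policy entry, default deny"
    if entry["require_mfa"] and not request.mfa_verified:
        return False, "MFA not verified for this session"
    if not request.device_compliant:
        return False, "device failed posture check"
    if request.target_segment not in entry["segments"]:
        return False, f"segment {request.target_segment!r} not on this supplier's allow-list"
    start, end = entry["window"]
    hour = request.timestamp.astimezone(timezone.utc).hour
    if not start <= hour < end:
        return False, "outside agreed maintenance window"
    return True, "all zero-trust checks passed"


def sample_request(hour, account="pump-vendor-svc", mfa=True, segment="ot-maintenance", compliant=True):
    """Build a constructed request at the given UTC hour on a fixed sample date."""
    return AccessRequest(
        account=account,
        mfa_verified=mfa,
        device_compliant=compliant,
        target_segment=segment,
        timestamp=datetime(2024, 5, 3, hour, 0, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    for req in (sample_request(10), sample_request(10, mfa=False),
                sample_request(10, segment="corporate-finance"), sample_request(22),
                sample_request(10, account="unknown-contractor")):
        allowed, reason = evaluate(req)
        print(f"{req.account:>20} -> {'ALLOW' if allowed else 'DENY':5} ({reason})")
```

The design point is the shape of `evaluate`: there is no branch that grants access, only a sequence of checks that can deny it, and the final `return True` is reached only when none of them fired. Segmentation appears here as the allow-list of segments a supplier may reach; lateral movement from the maintenance segment into, say, finance systems would require a separate policy entry that does not exist.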
From a risk management point of view, due diligence on partners – and even their extended supply chains – makes sense. However, it can only go so far. Ultimately, organisations must prepare to be surprised by their own vulnerabilities.
For SMEs in particular, staying ahead of these risks means viewing your network as an attacker might. Is there something you’d rather ignore because it’s difficult to patch, for example, an out-of-date OS controlling a key piece of equipment? In security terms, your customers’ supply chain starts with that machine and how it might be exploited by attackers.
Today’s networks often have overlooked entry points, and while external supply chain risks are hard to control, it’s usually internal weaknesses that open the door to attacks. You can’t manage every external risk, but securing your own environment is still the strongest defence.
Common approaches include restricting supplier access, requiring strong authentication, segmenting networks, and monitoring for suspicious activity. Regular checks of supplier systems and delivered products could help identify vulnerabilities before they impact production.
Certifications like Cyber Essentials, Cyber Essentials Plus, or ISO 27001 indicate that a supplier meets recognised cyber and information security standards. While certification does not guarantee complete security, it could demonstrate that certain baseline controls are implemented and subject to periodic review.
Looking to invest more in your cyber security? Read about how to talk to boards about cyber security investment.
