Your Supply Chain Is Not a Peripheral Risk. It Is Your Greatest Vulnerability

134 Views

Recent high-profile cyber breaches have made uncomfortable reading for business leaders across every sector. Incidents in the last 12 months at Jaguar Land Rover and Marks & Spencer point to a widespread failure to treat the supply chain as a live attack surface.

Most organisations have invested heavily in their own cyber defences. But, the supply chain, by contrast doesn’t receive the attention it deserves with many organisations only completing a yearly questionnaire to pass a compliance audit and not taking real time actions to address potential vulnerabilities.

The attitude towards supply chain security needs to change if organisations are to move to becoming more secure and resilient both today and in the future. Supply chain security gaps can no longer be seen as minor oversights, they need to be treated as critical vulnerabilities.

According to the UK Government’s Cyber Security Breaches Survey 2025, just 14% of UK businesses reviewed the cyber risks posed by their immediate suppliers in the last 12 months. The number falls further still when you look beyond tier-one relationships into the wider supply ecosystem.

The real risk is not third parties. It is permanent access

The instinct is to frame supply chain security as a problem of third-party risk. But that framing misses something important. Organisations do not get breached simply because a supplier exists. They get breached because suppliers are over-trusted once they are onboarded, then quietly forgotten. Access is granted, rarely revisited, and almost never reduced.

What that creates is a population of accounts and access pathways that persist long after the justification for them has changed, or in some cases, disappeared entirely. When people leave a supplier organisation, those accounts do not always follow them out the door. When a supplier’s own controls weaken over time, nobody is checking. And when an adversary compromises a downstream supplier and begins traversing their way up the chain using perfectly legitimate credentials, the defences you have built around your own environment offer no meaningful resistance, because the attacker is coming in through an approved route.

The risk is not the third party. The risk is permanent access in a constantly changing environment.

You cannot manage what you cannot see

Suppliers accumulate in organisations without systematic oversight. Teams procure tools, services, and technical support independently. Contracts get signed and relationships begin without the knowledge of those responsible for managing supplier risk. By the time anyone attempts to map the full landscape, the picture is considerably more complex than the official supplier list suggests.

At an event last year, a CISO for a major airline described beginning a supply chain security programme not with assessment, but with mapping. He drew out the entire passenger journey and identified every third-party dependency at each stage. What emerged was a supply chain far broader than his organisation had previously recognised. You need to do the same: understand the full ecosystem, rank suppliers by criticality, and identify who has access to your systems. A one-person consultancy buried in tier three may carry more risk than a large, well-known provider, precisely because nobody is watching it.

Compliance is a baseline, not a guarantee

There is an understandable temptation to rely on certifications and questionnaires as a proxy for assurance. If a supplier holds ISO 27001 or has passed Cyber Essentials Plus, it is natural to assume that a meaningful level of control is in place.

The problem is that certifications confirm what an organisation looked like on a particular day. Cyber Essentials Plus is renewed annually, much like a car MOT. A supplier can be in excellent shape on the day of audit and in a significantly weaker position the following day if patching lapses, logs go unreviewed, or staff turnover leaves gaps in access management.

Sending a supplier a checklist asking whether policies exist and controls are in place provides something to point to if things go wrong, but it does not provide assurance that those controls are functioning. Active, independent assessment is a different exercise entirely, and for critical suppliers, it is the only approach that gives you genuine confidence.

What the regulatory landscape is telling you

It would be a mistake to view supply chain security purely through the lens of breach avoidance. NIS2, DORA, and the UK Cyber Resilience Act all place significant obligations on organisations to demonstrate active oversight of their supply chains, across financial services, regulated industries, and commercial supply chains alike. Organisations with documented criticality registers, evidence-based assessments, and clear remediation plans will be far better positioned to respond. Those still relying on periodic questionnaires will find themselves exposed, both operationally and in terms of regulatory standing.

Where to start

The priority is visibility. Map your supply chain before you attempt to manage it. Understand who is in your ecosystem, what access they hold, and what the impact would be if they were compromised or unavailable. Rank suppliers by criticality, not just by contract value or brand recognition.

From that foundation, build a management approach that is proportionate to the risk each supplier represents. Critical suppliers with system access require active, evidence-based assurance. Lower-risk suppliers require less intensive oversight. The approach should be calibrated, not uniform.

Supply chain security is no longer a background compliance task. For organisations that want to protect their operations, their customers, and their reputations, it is one of the most pressing operational priorities of the moment.