Background:
Cyberattacks on supply chains in 2025 have become more frequent and severe, moving from isolated incidents to major multi-sector crises. These crises range from data theft delivered through compromised software patches to ransomware disrupting food, pharmaceutical and financial pipelines. As attackers target vendors as entry points, defensive measures must adapt. This includes enhanced vendor vetting, code provenance controls, firmware security, and robust third-party risk response.
As the recent cyber-attacks on UK retailer Marks & Spencer and other retailers clearly evidence, all that threat actors need is a single gap in a victim organisation’s defences to cause millions of pounds’ worth of damage. This means that companies must have a clear picture of their organisation’s entire attack surface, including their entire supply chain ecosystem and the relevant cybersecurity risks.
UK retailer Marks & Spencer’s first move after recovering from a recent socially engineered cyber-attack, which cost the company over £100 million, has been to attempt to secure its entire food supply by acquiring Gist, the logistics provider to its food arm, for £145 million, with the supermarket chain “taking control of our food supply chain for the first time in our history”.
The growing threat of supply chain attacks for retailers is further evidenced by a recent ransomware attack on logistics firm Peter Green Chilled, which supplies supermarket chains including Tesco, Sainsbury’s, and Aldi.
Although the retail sector encompasses extensive product supply chains, every company across all sectors is now increasingly reliant on an expanding array of contractors and suppliers of diverse digital and non-digital services. Supply chains have transcended their traditional role as mere logistical networks and have evolved into pivotal ecosystems that underpin the success of modern businesses. However, as these intricate systems undergo digital transformation, they have become increasingly vulnerable to cyberattacks.
Consequently, the optimal practice entails conducting a comprehensive risk assessment of the entire supply chain and devising a coordinated incident response plan that clearly delineates the respective roles and responsibilities of both the organisation and the contractor in the event of a security breach. While this sounds simple in theory, constantly expanding supply chains composed of contractors and numerous third-party digital services and applications make this task daunting and near impossible for all but the best-funded companies. In reality, very few organisations have a clear idea of the number of suppliers they have, the data involved in each transaction, and their reliance on digital means. Furthermore, employees often download third-party online services and apps onto company devices without necessarily informing their IT departments.
As a result, an easily identifiable security perimeter no longer exists. In addition, when a contract concludes, even one with a bona fide and thoroughly vetted supplier, access privileges may not be promptly or comprehensively revoked, leaving an exploitable gap. Contractors are also frequently unaware of, or fail to comply with, their client organisation’s industry-specific regulations and compliance standards.
Common Risks Associated with Third-Party Suppliers
Even in the case of major and critical suppliers, there is frequently a lack of transparency on both the contractor’s and the client organisation’s side where cybersecurity is concerned. For example, the company may have limited visibility of the contractor’s security practices, which exposes several glaring weaknesses. These often stem from the external nature of the relationship and differing security practices, and include:
- Broader access to systems and data that has been granted to contractors than is strictly necessary for their specific tasks, increasing the potential impact if the contractor’s accounts become compromised.
- Ambiguities about data ownership and responsibility in the event of a security incident involving the contractor’s own systems.
- Once a company’s security has been breached, there is a knock-on effect where the victim organisation’s own clients become vulnerable to further supply-chain attacks, potentially incurring significant additional costs and loss of business.
- Unapproved technology, known as ‘shadow IT’, and abandoned resources can easily go unnoticed by IT teams and can provide entry points for malicious threat actors.
- Contractors also have their own supply chains of which their clients will have little or no knowledge and which may not be adequately secured, providing additional entry points for cybercriminals.
- The risk of a disgruntled former contractor intentionally introducing vulnerabilities or exfiltrating sensitive information.
- Breaches caused by attacks through unguarded third parties can also fall foul of regulations and standards such as NIS2, DORA, and ISO 27001 and result in heavy fines and other penalties.
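Two of the risks listed above, access left in place after a contract ends and access broader than the contracted scope, can be checked mechanically against a third-party access register. The script below is an added example, not part of the original article or of any Obrela product; the register format, role names and dates are constructed assumptions.

```python
"""Review a constructed third-party access register for stale, over-privileged
and dormant contractor accounts (added example; register format is assumed)."""
from datetime import date, timedelta

# Constructed sample register; vendors, accounts and entitlements are made up.
ACCESS_REGISTER = [
    {"vendor": "ExampleLogistics", "account": "svc-logistics",
     "contract_end": date(2025, 3, 31), "active": True,
     "granted": {"wms:read", "wms:write", "erp:admin"},   # erp:admin exceeds scope
     "required": {"wms:read", "wms:write"},
     "last_login": date(2025, 6, 2)},
    {"vendor": "ExamplePayroll", "account": "svc-payroll",
     "contract_end": date(2026, 12, 31), "active": True,
     "granted": {"hr:read"}, "required": {"hr:read"},
     "last_login": date(2025, 1, 5)},                      # unused for months
    {"vendor": "ExampleDesign", "account": "svc-design",
     "contract_end": date(2025, 1, 15), "active": False,   # correctly offboarded
     "granted": {"cms:write"}, "required": {"cms:write"},
     "last_login": date(2025, 1, 10)},
]

REVIEW_DATE = date(2025, 7, 1)        # assumed date of the access review
DORMANT_AFTER = timedelta(days=90)    # assumed inactivity threshold


def review_third_party_access(register, today):
    """Return {account: [finding, ...]} for accounts that need action.

    stale            - contract has ended but the account is still active
    over_privileged  - granted entitlements exceed the contracted scope
    dormant          - active account unused for longer than DORMANT_AFTER
    """
    findings = {}
    for rec in register:
        issues = []
        if rec["active"] and rec["contract_end"] < today:
            issues.append("stale")
        excess = rec["granted"] - rec["required"]
        if excess:
            issues.append("over_privileged:" + ",".join(sorted(excess)))
        if rec["active"] and today - rec["last_login"] > DORMANT_AFTER:
            issues.append("dormant")
        if issues:
            findings[rec["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review_third_party_access(ACCESS_REGISTER, REVIEW_DATE).items():
        print(f"{account}: {', '.join(issues)}")
```

Running it against an export from the identity provider rather than a hand-written list turns the contract-end date and the contracted scope into inputs that the vendor onboarding process has to supply, which is where the transparency gap described above usually shows up.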
The fact that even the organisations with the highest cybersecurity maturity frequently remain vulnerable to supply-chain attacks is evidenced by a joint advisory issued in 2023 by the US National Counterintelligence and Security Center, the FBI, and the US Air Force, warning that foreign intelligence services now regard US space-related innovation and assets as valuable opportunities to acquire vital technologies and expertise. The chief cause for concern is a widening window of vulnerability that has been inadvertently opened by third-party suppliers to the space programme.
This shows that even organisations for which cybersecurity is a core part of their overall strategy and operations cannot fully secure their entire supply chain and those of their suppliers. In some cases their cybersecurity programmes lack maturity, and they face a truly daunting task if they are to adequately protect themselves against cyber-attacks of all kinds.
The Solution
For businesses aiming to safeguard their operations, supply chain risk management is not just a regulatory mandate; it is a critical countermeasure for protecting sensitive data, ensuring continuity of operations and maintaining trust. But there is no ‘quick fix’ for such a complex and rapidly evolving threat. What is required to manage the problem is a thoroughly holistic approach.
Obrela recognises the complexities that organisations face in managing third-party cyber security risks. Its Managed Risk and Controls (MRC) for Supply Chain offering encompasses the collection, analysis and evaluation of information on the security processes and practices currently in place, and the identification of areas that require remediation. MRC’s combination of platform and advisory service capabilities delivers continuous risk monitoring that provides real-time insight into the cybersecurity posture of third-party vendors. Monitoring the maturity and effectiveness of the relevant controls, together with the relevant key risk indicators, ensures businesses can promptly address vulnerabilities as they emerge. MRC also emphasises proactive measures to reduce risk: identifying weak points within the supply chain enables businesses to implement targeted solutions before vulnerabilities are exploited.
MRC enables real-time fusion of threat-related data with workflow data from governance, risk, compliance and security operations activities, allowing for the identification and assessment of actual risks, not just threats, in a customer-focused and risk-based context. The MRC for Supply Chain solution (part of the MRC platform) is designed to proactively manage cybersecurity risks and to ensure compliance with industry regulations, standards and best practices, including regulations such as NIS2 and DORA and standards and frameworks such as NIST CSF and ISO 27001. Comprehensive risk and compliance assessments using automated tools, standardised frameworks and advisory services allow the MRC for Supply Chain solution to evaluate third-party providers against both regulatory and organisational requirements. This ensures vendors align with critical security policies and standards.