Supply chain cyberattacks are becoming unmanageable - and UK businesses are paying the price

2025-11-28 15:11

In an era of global interdependence, supply chain threats have become one of the most pressing risks to business continuity.

Opinion by Chris Netwon-Smith, published 28 November 2025

Why supply chain security can no longer be ignored


2025 has already seen one household name after another make cybersecurity headlines.

From M&S to the Co-op and Harrods, this year has underscored how deeply connected, and how exposed, UK organizations have become.

Chris Netwon-Smith is CEO of ISMS.online.


For example, when Jaguar Land Rover’s production line ground to a halt at the end of August, the cause wasn’t a parts shortage or logistics bottleneck - it was a cyber breach.


Just weeks later, airports across Europe faced widespread disruption after attackers compromised Collins Aerospace’s MUSE software, a critical platform that allows airlines to share check-in desks and boarding gates.

This proves that the threat is real, growing and already hitting home - businesses that fail to act now risk being the next to fall.

The warning signs were there all along

Back in 2021, Gartner warned that by 2025, nearly half (45%) of organizations would suffer a software supply chain attack. The latest numbers suggest that prediction was, if anything, conservative. According to IO’s 2025 State of Information Security Report, 61% of businesses experienced a supply chain breach in the past 12 months.

Nearly one-third of those incidents resulted in operational disruption or financial loss. And six in ten security leaders now describe the risks from third parties and supply chain partners as “innumerable and unmanageable.”


Why attackers exploit the smallest suppliers

Modern organizations rely on a complex mesh of connected systems, cloud platforms and third-party providers. Sensitive data now flows continuously between external partners - from marketing agencies and logistics firms to data processors and SaaS vendors. Each link in that chain is a potential entry point.

As a result, threat actors have learnt that smaller vendors can be the weakest link. The cyberattack on retailer Mango in October illustrates this well. Attackers stole customer data not from Mango itself, but from one of its external marketing suppliers.

This “island hopping” approach is now standard practice among cybercriminals. Smaller partners often lack the resources or expertise to defend themselves, making them a convenient way into larger, better-protected networks. And limited budgets, small security teams and fewer formal risk processes make containment much harder.


Overconfidence is the biggest threat of all

While attackers are evolving, many organizations still underestimate just how vulnerable they’ve become. Many cybersecurity leaders express confidence in their breach response capabilities.

This confidence often stems from past investment in security infrastructure and the existence of formal response plans.

But confidence doesn’t always equal capability. In practice, many organizations still struggle with visibility across sprawling vendor ecosystems, fragmented data flows and legacy systems that can’t adapt fast enough to modern threats.

The supply chain threat, in particular, also continues to be deprioritized. Only 23% of respondents to our survey ranked supply chain compromise among their top emerging threats, placing it behind AI misuse, misinformation, and phishing.

That gap suggests that many leaders are focusing on more visible risks rather than the silent, systemic vulnerabilities within their vendor networks.

This creates a dangerous mismatch between perception and reality. As we have ascertained, the reality is that most large-scale breaches today are not the result of direct attacks but of infiltration through trusted partners - where detection, accountability, and response are exponentially more complex.

Attackers are exploiting the “trust blind spot,” where organizations assume their suppliers maintain adequate defenses, only to find out too late that a single weak credential, outdated API or unsecured file transfer server has exposed sensitive systems.

This reveals that businesses are caught between awareness and action. They understand that supply chain risk exists; however, many are still treating it as a compliance checkbox rather than a board-level priority.

Until that mindset changes, the gap between cyber confidence and actual readiness will continue to widen. And attackers will continue to take full advantage.

Building resilience: Three steps UK firms should prioritize

The UK Government has already recognized the national-scale implications of supply chain risk, with MI5 and the National Cyber Security Centre (NCSC) making it a strategic focus.

But as the latest wave of attacks shows, many organizations remain underprepared. With this in mind, there are three priorities that can make a measurable difference to businesses and help with preparedness.

  1. Embed security into partnership agreements: Cybersecurity must be a contractual issue, not an afterthought. Clear expectations, accountability and defined responsibilities in supplier agreements help ensure partners maintain appropriate security controls throughout the relationship.
  2. Implement ongoing vetting and audits: Initial due diligence isn’t enough. Continuous monitoring, periodic audits and reassessment of third parties’ risk profiles are essential to ensure security practices don’t degrade over time.
  3. Strengthen your own defenses first: Before demanding higher standards from suppliers, organizations must ensure their own information security frameworks are robust. Regular internal audits, tabletop incident simulations and adherence to best-practice standards such as Cyber Essentials and ISO 27001 help ensure resilience at every layer.

Working with a qualified cybersecurity partner can also streamline this process and provide the independent assurance needed to identify hidden vulnerabilities.

The bottom line

The cyber incidents disrupting the UK’s most recognizable brands in 2025 highlight a truth that’s been years in the making - the supply chain is now the frontline of cybersecurity.

Businesses can no longer treat third-party risk as a secondary concern. With attacks accelerating and interdependencies multiplying, proactive, continuous management is the only viable defense.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
