Hackers are increasingly bypassing the digital front door and working their way in through suppliers, service providers and software dependencies that organisations already trust. That shift is forcing businesses to rethink a cyber security model that still too often focuses on perimeter defences, internal training and access controls, rather than the wider web of third parties that can reach core systems and data.
The pattern is becoming clearer. Rather than breaking directly ...
Continue Reading This Article
Enjoy this article as well as all of our content, including reports, news, tips and more.
By registering or signing into your SRM Today account, you agree to SRM Today's Terms of Use and consent to the processing of your personal information as described in our Privacy Policy.
A notable example came in 2024, when a malicious backdoor was inserted into XZ Utils, a widely used compression tool embedded in many Linux systems. The issue was uncovered before it had been broadly deployed in production, but it had already reached development builds used by major distributions. Computer scientist Alex Stamos warned at the time that, had it gone unnoticed, the flaw would have handed attackers extraordinary reach across millions of machines. The discovery was made only because a developer noticed suspicious performance behaviour during routine testing.
That episode underlined a broader problem: digital supply chain attacks are often invisible until the damage is done. In many cases, the compromised supplier, library or service is trusted precisely because it is widely used. That trust can become the attacker’s advantage. A malicious update, stolen credentials or insecure integration can open the door not just to one business, but to every customer depending on the same technology.
Recent incidents suggest the threat is also becoming more industrialised. ITPro reported in March 2026 that two ransomware groups, Vect and TeamPCP, had begun collaborating in a move experts described as unprecedented. Sophos said the alliance combined one group’s ransomware deployment machinery with the other’s strengths in credential theft and data exfiltration, creating what amounts to a more efficient pipeline from supply chain compromise to extortion. The same report said development environments and open-source tools are now high-value targets, particularly as criminal groups look to scale operations.
The scale of the exposure is large. Bitsight’s recent research, cited by Cyber Magazine, tracked more than 61 million digital supply chain relationships across tens of thousands of products, hundreds of thousands of organisations and thousands of service providers, illustrating how much hidden risk can sit beyond a company’s immediate line of sight. The World Economic Forum has also identified supply chain interdependencies as a top ecosystem cyber risk, saying they are the main barrier to cyber resilience for a large proportion of major organisations.
For businesses, the consequences go far beyond technical recovery. The immediate hit is often financial, with ransom demands, incident response costs, legal advice and system restoration adding up quickly. For digital-first companies, even short periods of downtime can mean direct revenue loss. Co-op said a cyberattack in 2025 affected both its financial and operational performance, with losses reported at £206m. Marks & Spencer, meanwhile, was forced to suspend online orders for almost two months after an attack that exploited weaknesses in MoveIt, a widely used enterprise file transfer tool. Sensitive employee and customer information was compromised, and the company later estimated the hit to profits at £300m.
Operationally, the impact can be just as severe. If a supplier must be taken offline to contain an incident, the organisations that depend on it may be left unable to process orders, access systems or serve customers. Manual workarounds can keep some operations going, but rarely at full speed or without cost. The reputational damage may last longest of all. Customers tend not to distinguish between a company and its suppliers when service breaks down; they simply see failure. Rebuilding trust can take years.
Regulators are now treating these incidents less as isolated technology failures and more as governance failures. Under UK GDPR, organisations remain responsible for personal data even when processing is outsourced to third parties. That means data controllers must ensure processors have appropriate technical and organisational safeguards in place, and that breaches are reported without undue delay. Similar thinking is emerging around artificial intelligence in the EU, where organisations using third-party AI systems are expected to understand how those tools work, how they are secured and what risks they introduce.
The message from regulators is increasingly blunt: trust is not a control. Businesses are expected to know where their digital dependencies lie, assess the risks they create and prove they have the right oversight in place. That means supplier due diligence, continuous monitoring, contract reviews, testing, incident response planning and clear rules on notification, liability and audit rights.
Risk cannot be eliminated entirely, especially when every supplier depends on other suppliers in turn. But it can be reduced. Organisations that want to stay ahead are being urged to demand stronger security standards, review third-party access, test systems built by others, educate staff on supply chain risks and ensure that cyber insurance is part of the wider resilience plan.
The central lesson is that cyber security is no longer just an IT issue. It is a business risk, a legal risk and, increasingly, a supply chain risk. Organisations that treat it as such are likely to be much better placed to absorb the next attack, instead of discovering their weakest link only after it has already been exploited.
Source: Noah Wire Services
