Peter Connolly, CEO of the consultancy Toro Solutions, says that most organisations are investing heavily to protect systems that are no longer the ones most likely to get them breached. The greatest cyber risk does not sit inside the enterprise perimeter; it sits in the suppliers, software platforms, data brokers, and digital partners that organisations depend on but do not control.
Businesses operate inside vast, interconnected ecosystems, and their security is only as strong as the weakest link in those networks. In my own experience, some of the most damaging incidents we have dealt with never breached the victim’s internal systems directly; they came through partners everyone assumed were “low risk.”
The Jaguar Land Rover cyberattack in 2025 exposed how disruptive a major cyber incident can be. The breach forced JLR to shut down its global IT environment and halt manufacturing and retail operations. The incident demonstrated how a single successful intrusion can cascade across an entire organisation, creating significant operational, financial, and reputational damage.
This challenge intensifies as digital ecosystems evolve faster than most organisations can adapt. Technologies such as cloud services, API integrations, and real-time data sharing increase efficiency within an organisation, but they also significantly increase exposure. Many security programmes still focus on protecting the perimeter, even though the most important connections now sit beyond it.
In 2025, a widely used SaaS integration with Salesforce’s chatbot tool was compromised. Attackers used stolen authentication tokens to access data across hundreds of organisations’ CRM and cloud environments, including major tech firms, without breaching their direct defences. This incident demonstrates how a minor integration can lead to widespread exposure. Understanding how wide the attack surface area can be is the starting point for building meaningful resilience.
Growing cyber divide
Global frameworks such as the World Economic Forum’s Four Futures framework have highlighted how systemic cyber risk is creating a widening divide between organisations that can afford strong security and those that cannot. But in a connected economy, this divide puts everyone at risk. Large enterprises do not gain safety from smaller partners – they inherit their vulnerabilities. I have seen major organisations brought into crisis by suppliers with a fraction of their budget and security maturity.
Cyber risk has become a shared condition of participation in the digital economy. Smaller firms often lack the resources, skills, and tools to defend themselves against advanced threats, making them attractive targets and, unintentionally, gateways into larger networks. Conversely, large suppliers can struggle to maintain consistent security when managing a global workforce and can be attractive targets for criminals because of their access into high-value customers. When these weak links are compromised, the impact does not stay local. It spreads across supply chains, industries, and borders.
For boards and executives, this fundamentally changes what enterprise risk management means. Protecting the organisation can no longer be separated from protecting the ecosystem it depends on.
Why going it alone no longer works
Traditional cyber security models are now dangerously misaligned with how attacks actually work. Compliance-driven audits, internal controls, and perimeter defences were built for a world where threats targeted organisations directly. Today’s attackers exploit trust between partners, platforms, and connected systems. In practice, this means attackers are often inside your business long before your own security team ever sees them.
Resilience now depends on how well organisations defend those shared spaces. In practice, this means shared threat intelligence, aligned supplier standards, coordinated incident response, and contractual expectations that security is part of doing business just like financial controls or safety requirements.
Attackers have already reorganised themselves around ecosystems. It is only defenders who are still thinking in silos. Organisations that continue to invest in isolation are creating blind spots that adversaries are increasingly skilled at exploiting.
What boards should be tracking instead
As collective defence matures, the health of the ecosystem itself becomes a strategic measure of success. Investment in partner resilience strengthens the infrastructure that supports growth, continuity, and trust. Over time, cyber security starts to influence customer confidence, regulatory trust, and operational continuity, rather than sitting purely as a cost centre. If boards do not measure partner cyber health, they are implicitly choosing not to manage their biggest attack surface.
This requires moving beyond static compliance metrics. More meaningful indicators include how quickly partners coordinate during incidents, how actively they share threat intelligence, and whether suppliers are improving their own security over time. Organisations that look outward, rather than benchmarking themselves in isolation, tend to surface risk earlier and recover more effectively when incidents occur.
Trust in a hyper-connected world
This perspective aligns with the World Economic Forum’s vision of a digital order in which interdependence is treated as a strength rather than a liability. Leaders who adopt it move beyond reactive incident management toward proactive, systemic collaboration. Security becomes embedded in digital commerce and innovation, supporting transformation rather than constraining it. When cyber security is linked to broader strategic goals, risk management evolves into a stabilising force for growth and global trade.
However, this model only works if it is inclusive. Resilience cannot be limited to the largest organisations while smaller partners remain exposed. Strengthening the digital economy requires cross-sector cooperation, regulatory alignment, and sustained investment in shared capabilities. Leaders who take this approach reduce the likelihood that innovation outpaces their ability to manage risk. Without this, risk simply migrates to the least prepared parts of the network.
Resilience starts at the top
Responsibility ultimately sits with leadership. Boards and CEOs influence not just internal controls, but how organisations select partners, share information, and respond under pressure. Success can no longer be judged solely on internal resilience metrics. It also depends on the strength of the networks an organisation relies on to operate.
By 2026, very few organisations will function in isolation. Digital supply chains mean that weaknesses in one place can quickly affect many others. Taking a collective approach to security helps limit the spread of incidents and reduces disruption across customers, partners, and essential services. In practice, working together on security is less about abstract trust and more about dealing with shared, unavoidable risk.




