Businesses are on the front line of digital defence, writes Sam Peters, Chief Product Officer at the asset and risk management compliance platform, IO.
Several major UK companies have made headlines after falling victim to supply chain attacks in 2025. Marks & Spencer estimated that the cyberattack it faced in April 2025 will cost the company £300m in lost profits, with hackers having reportedly gained access to the company’s systems via a third-party contractor’s service desk. Harrods, meanwhile, saw 430,000 customer records exposed in September after they were stolen from a third-party provider.
These are not isolated incidents, but a clear pattern of intent from threat actors that sees suppliers and contractors targeted, exploited and used as a gateway to inflict damage on larger targets.
Impacted
According to IO’s State of Information Security 2025 report, more than six in ten organisations have been impacted by a cybersecurity or information security incident caused by a third-party vendor or supply chain partner.
Critically, it’s not just commercial enterprises at risk. So too are government organisations and critical national infrastructure (CNI).
In June, University College London Hospitals and University Hospital Southampton NHS Foundation Trust were breached after cybercriminals exploited a vulnerability in Ivanti Endpoint Manager Mobile – a third-party mobile device management tool. Equally, in 2024, Synnovis – one of the NHS’s key pathology testing partners – suffered a major attack that impacted thousands of NHS outpatient appointments and left 300 million patient records compromised.
The UK Ministry of Defence (MoD) was also hit by a supply chain attack last year, with the payroll data of approximately 270,000 members of Britain’s armed forces having been exposed to Chinese hackers following a breach involving a third-party contractor.
Worried about state-sponsored cyber-attacks
Clearly, so-called state actors and organised cybercriminals are actively testing weaknesses in business systems that are often less protected but just as strategically valuable in inflicting damage on major organisations and CNI. And they are succeeding in doing so.
In the 12 months to August 2025, the National Cyber Security Centre (NCSC) reported that it dealt with 204 ‘nationally significant’ cyber-attacks against the UK – a sharp rise from 89 in the previous year. It also said that a substantial proportion of the incidents it handles are related to either nation-state actors or highly capable criminal groups.
The government itself is taking action in response to the growing threat. The MoD, for example, recently established a new Cyber and Electromagnetic Command (CEC) that will be tasked with better defending UK military networks from rising cyber attacks and coordinating offensive cyber operations.
Bolstering national defences in this manner is critical. Yet, it also serves as a stark warning to organisations: if you’re servicing critical infrastructure, or simply handling sensitive data, you could be caught in the crossfire of larger campaigns executed by state-sponsored actors.
Given the growth of supply chain threats, it is vital that all organisations treat resilience as a strategic priority. And, fortunately, it appears that many are doing so. IO’s State of Information Security report shows that 88 per cent of organisations are concerned about state-sponsored attacks, with 74 per cent of firms already building resilience against geopolitical or nation-state-linked cyber threats, and another 21 per cent planning to do so in the next 12 months.
The intent is there. The key question now for many firms is how they can make the most effective use of their time, resources and investments when it comes to building resilience.
Compliance with key UK regulations is always a good starting point. However, it can only take you so far. As compliance experts, we’ve seen many instances where organisations unknowingly overlook security best practices such as systems patching and regular risk assessments.
Generally, the organisations that are most effective in combating modern threats are those that embed cyber risk management into their everyday operations, continuously monitoring threats and actively building a security-aware culture.
ISO 27001 can provide a framework
Creating an environment in which security is a core business priority begins with a review of the company’s unique risk register. What are the risks associated with suppliers? Can teams respond at speed in the face of disruption? And are they actually prepared to combat advanced, persistent threats?
To answer some of these key questions, I would recommend aligning with internationally recognised frameworks such as ISO 27001. Specifically, this provides a blueprint for best practices that firms can apply to their own unique context, risks and circumstances, rather than having to try to build their own strategy from scratch.
ISO 27001 offers a methodology for establishing, implementing and maintaining a documented, repeatable process for identifying, analysing, and evaluating information security risks. It also promotes risk prioritisation, outlining how firms can allocate resources in the most appropriate way.
Critically, the scope of the standard also covers supply chain risks, focusing on key aspects such as due diligence, agreements, monitoring and policies. Further, it describes how organisations can and should prepare for information security incidents, highlighting the importance of standardised reporting, effective response processes, and continuous improvement.
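As an added illustration of the risk assessment and supplier monitoring steps described above (example code written for this article, not IO's platform or any ISO tooling), the following models a small supplier risk register: each risk is scored on a likelihood-times-impact scale, evaluated against an assumed risk appetite threshold, prioritised for treatment, and flagged when its last supplier review is older than an assumed annual interval. All register entries, supplier names and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: a 1-5 likelihood and impact scale, an assumed
# risk appetite of 8 and an assumed 12-month supplier review interval.
RISK_APPETITE = 8
REVIEW_INTERVAL_DAYS = 365


@dataclass
class Risk:
    ref: str
    description: str
    supplier: str            # hypothetical supplier name
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    last_reviewed: date      # date of the last supplier due-diligence review

    def score(self) -> int:
        """Analyse: combine likelihood and impact into a single rating."""
        return self.likelihood * self.impact


# Identify: constructed register entries modelled on the incident types above.
REGISTER = [
    Risk("R1", "Contractor service-desk access used to reset staff credentials",
         "Example Helpdesk Ltd", 4, 5, date(2025, 1, 10)),
    Risk("R2", "Unpatched vulnerability in third-party MDM tool",
         "Example MDM Vendor", 3, 4, date(2024, 6, 1)),
    Risk("R3", "Customer records held by marketing provider exposed",
         "Example Marketing Co", 2, 4, date(2025, 3, 1)),
    Risk("R4", "Stationery supplier mislays a purchase order",
         "Example Stationery", 2, 1, date(2025, 5, 1)),
]


def prioritise(register: list[Risk], appetite: int = RISK_APPETITE) -> list[tuple[str, int]]:
    """Evaluate: return (ref, score) for risks above appetite, highest first."""
    above = [(r.ref, r.score()) for r in register if r.score() > appetite]
    return sorted(above, key=lambda pair: pair[1], reverse=True)


def overdue_reviews(register: list[Risk], today: date,
                    interval_days: int = REVIEW_INTERVAL_DAYS) -> list[str]:
    """Monitor: refs whose supplier review is older than the interval."""
    return [r.ref for r in register
            if (today - r.last_reviewed).days > interval_days]


if __name__ == "__main__":
    print("Treat first:", prioritise(REGISTER))
    print("Reviews overdue:", overdue_reviews(REGISTER, date(2025, 10, 1)))
```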
Embracing best practices can be the difference
In today’s interconnected business landscape, no organisation is safe. Threat actors are actively targeting businesses of all shapes and sizes, either going after an organisation directly, or using them as a launch pad to inflict damage on larger targets. In this reality, aligning with internationally recognised standards and embracing best practices can be the difference between responding to attacks effectively and becoming part of their collateral damage.
As with anything, the key to success lies in proper preparation. By leveraging proven frameworks and embracing collaboration, organisations across the UK – both large and small – can secure supply chains more effectively and make resilience the bedrock of successful business partnerships.