Cyber-attacks pose significant risks to organisations, particularly within their supply chains. What are the key issues and trends boards need to consider when trying to understand and mitigate these risks? Board members don’t need to be technical experts but do need to know enough to ensure that cyber security throughout the supply chain is sufficient and appropriately implemented.

What are the current trends in cyber-attacks?

The Information Commissioner’s Office (ICO), the UK’s data protection regulator, published a report titled “Learning from the mistakes of others” in 2024. It collates statistics from real data breach reports made to the ICO and highlights the most common information security failings and how to avoid them.

The ICO received over 3,000 cyber breach reports in 2023, and the share of reported breaches that were cyber-related rose from 25.9% to 32.5% year-on-year. That increase is telling, and the numbers can be expected to keep rising as cyber-attacks become more varied and sophisticated. It is particularly relevant to supply chains: the ICO recently stated that supply chain cyber-attacks have grown by over 300% since the COVID pandemic. Across many sectors, organisations increasingly procure third parties to process and handle data on their behalf, and every such arrangement widens the attack surface.

This is made more pertinent by the ever-evolving structure of supply chains. It is not uncommon for organisations to have multiple suppliers carrying out various types of services on their behalf, including processing highly sensitive or important personal data, commercial and financial information. The more suppliers an organisation has, the higher the risk of a supply chain cyber-attack occurring.

What is a supply chain attack?

A supply chain attack occurs when a supplier’s goods or services, or the technologies the supplier relies on to provide them, are breached or compromised. The compromise can then propagate to other parts of the supply chain and potentially to the controller organisation itself. Attackers target the products and services an organisation relies on, including its software, communications and hardware, and exploit weak or vulnerable code, poorly secured infrastructure and weak network security to cause considerable damage.

How can boards mitigate and avoid the risks of supply chain cyber-attacks?

  • Implement a robust supply chain risk management program to monitor, manage, and review systems, processes, and methods of access continuously.

  • Understand who information is being shared with, what organisational systems the supplier has access to, the processing activities and who is performing them, and whether any suppliers are using subcontractors to provide the services or products. Ensure that these sub-contractors also have appropriately secure systems and processes.

  • Conduct thorough due diligence on suppliers to understand their cyber security posture before they enter the supply chain. This avoids glaring gaps in security compliance being imported into your supply chain. If an organisation is still keen to work with a specific supplier, it gives the supplier an opportunity to improve its security posture before providing the services.

  • Regularly test supplier systems and those created for the organisation by the supplier.

  • Review all contractual relationships with suppliers to understand roles and responsibilities. This helps in identifying where in the chain an attack has occurred and who is responsible for responding to it.

  • Ensure service level agreements and security arrangements are in place.

  • Where suppliers are processing personal data, it is also imperative that the contract includes the processor terms required by Article 28 of the UK GDPR to govern the processing.

  • Supply chain attacks exploit trust. Foster a clear rapport with, and understanding of, the third parties that become part of your supply chain. This helps all parties to spot unusual activity or dangerous actions quickly, and to act swiftly to address it.

What future developments should boards be aware of?

Recent research by Gartner indicates that attackers are targeting open-source artefacts and software systems to initiate software supply chain attacks. Gartner predicts that, “...by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021”. This puts software attacks at the forefront of the risks involved with managing supply chain cyber security.

Strong, up-to-date development and operations security controls are key, including checks on the provenance and integrity of the third party and open-source components that go into an organisation’s software. These controls keep systems alert to the latest software threats and give the best opportunity to protect the whole supply chain from a software attack or malicious code.
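As an added illustration of one such control (this is example code written for this page, not part of the original article and not a description of any particular product): a build pipeline can refuse to install an open-source artefact unless its SHA-256 digest matches a pinned value recorded at the time the component was reviewed. The manifest format (`name==version --hash=sha256:<hex>`) and the sample artefacts are constructed for the example; a real pipeline would read the manifest and the downloaded files from disk.

```python
"""Verify downloaded open-source artefacts against pinned SHA-256 digests.

Added example (not from the original article). The manifest format and the
sample artefacts below are constructed for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    name: str
    status: str  # one of: "ok", "mismatch", "unpinned", "missing"


def parse_manifest(text: str) -> Dict[str, Optional[str]]:
    """Parse 'name==version --hash=sha256:<hex>' lines (format assumed here).

    Components listed without a --hash entry are recorded with None so the
    caller can refuse to install unpinned components instead of trusting them.
    """
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        digest = None
        for token in parts[1:]:
            if token.startswith("--hash=sha256:"):
                digest = token[len("--hash=sha256:"):].lower()
        pins[parts[0]] = digest
    return pins


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artefacts(manifest_text: str, artefacts: Dict[str, bytes]) -> List[Finding]:
    """Compare each pinned component against the bytes actually downloaded."""
    findings: List[Finding] = []
    for name, expected in parse_manifest(manifest_text).items():
        if expected is None:
            findings.append(Finding(name, "unpinned"))
            continue
        data = artefacts.get(name)
        if data is None:
            findings.append(Finding(name, "missing"))
            continue
        # constant-time comparison of the hex digests
        matched = hmac.compare_digest(sha256_hex(data), expected)
        findings.append(Finding(name, "ok" if matched else "mismatch"))
    return findings


def safe_to_install(findings: List[Finding]) -> bool:
    """Only an all-"ok" result should let the pipeline proceed."""
    return bool(findings) and all(f.status == "ok" for f in findings)


# Constructed sample data: the digests are computed from the "known good"
# bytes that were reviewed, then one artefact is tampered with before install.
GOOD_FOO = b"libfoo 1.2.0 release tarball (constructed)"
GOOD_BAR = b"libbar 0.9.1 release tarball (constructed)"

SAMPLE_MANIFEST = f"""
# pinned components reviewed on day of approval (constructed example)
libfoo==1.2.0 --hash=sha256:{sha256_hex(GOOD_FOO)}
libbar==0.9.1 --hash=sha256:{sha256_hex(GOOD_BAR)}
libbaz==2.0.0
libqux==3.0.0 --hash=sha256:{sha256_hex(b'libqux 3.0.0 (constructed)')}
"""

SAMPLE_ARTEFACTS = {
    "libfoo==1.2.0": GOOD_FOO,
    "libbar==0.9.1": GOOD_BAR + b"<injected payload>",  # tampered in transit
    "libbaz==2.0.0": b"libbaz 2.0.0 (constructed)",  # listed without a pin
    # libqux==3.0.0 was never downloaded at all
}


if __name__ == "__main__":
    results = verify_artefacts(SAMPLE_MANIFEST, SAMPLE_ARTEFACTS)
    for f in results:
        print(f"{f.name:16} {f.status}")
    print("safe to install:", safe_to_install(results))
```

The check deliberately treats an unpinned entry and a missing download as failures, not warnings: a manifest that silently accepts either is exactly the gap an attacker who has compromised an upstream package repository would exploit.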

Co-authors:  Ellie Hughes, Senior Associate and Junior Mbulu, Associate in our Tech, IP and Data team.
 

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2025. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published

04 March 2025
