Guidance Is Coming, But Hackers Aren’t Waiting

Supply chains have become the soft underbelly of cybersecurity, with recent high-profile breaches demonstrating how attackers can exploit third-party vulnerabilities to infiltrate organisations. In 2022, the UK’s National Cyber Security Centre (NCSC) issued supply chain security guidance, aimed at helping organisations assess and secure their supplier networks. Still, supply chain attacks continue. 

More recently, further guidance is emerging, including the Cyber Assessment Framework (CAF) and the upcoming Cyber Security and Resilience Bill, action remains slow, and supply chain hacks continue to occur.

The UK government’s 2025 guidance on securing government supply chains highlights the need for stronger risk management, but in the interim, hackers are exploiting supply chain vulnerabilities in greater numbers than ever before. Which raises the question: is it time for businesses to push for stronger, industry-wide measures?

Why Supply Chains Are Increasingly Vulnerable

The risk associated with supply chains is escalating due to several factors:

Expanding digital ecosystems: Relying on a tapestry of third-party suppliers for cloud services, IT management, and operational support is the norma for many businesses now. However, each supplier presents a potential entry point for cyber threats.

More AI, more cyber threats:  AI is being weaponised by attackers to automate attacks, identify vulnerabilities at scale, and create highly convincing phishing campaigns. This exacerbates the challenge of securing supply chains, as AI-powered threats can adapt quickly. Similarly, if you’re adopting AI technologies and not applying rigorous due diligence to them, they come with significant risk. Don’t choose innovation over security. They need to go hand in hand.

Inadequate risk assessment:  Despite the increasing number of attacks, data from the NCSC suggests that only 13% of UK businesses regularly review the risks posed by their immediate suppliers, and just 7% assess their wider supply chain.

State-sponsored cyber espionage: Nation-state actors, such as China’s Silk Typhoon, are shifting tactics to target remote management tools and cloud services, which are often shared across multiple organisations.

Regulatory pressure and compliance challenges: As cyber threats increase, regulatory frameworks such as GDPR, NIS2, and DORA (for financial services) require stricter due diligence on suppliers, adding complexity to compliance efforts. Cybersecurity professionals are juggling a lot of different frameworks and priorities, with many indicating that they feel burnt out as reported by insights provider, Gartner.

Recent Attacks Highlighting Supply Chain Risks

Microsoft’s latest report on Silk Typhoon reveals a troubling evolution in supply chain cyber threats. The state-sponsored group has shifted its approach to target IT service providers, identity management solutions, and remote monitoring software. By exploiting unpatched applications and using stolen credentials, they can gain access to downstream customer networks and bypass traditional perimeter security measures.

Just one of many examples, the takeaway is clear: indirect access points through suppliers are an increasingly attractive vector for cybercriminals and it needs a solution.

Supply Chain Risk Regulation - What’s Happening Globally?

The European Union’s NIS2 Directive tightens security requirements for critical infrastructure providers, demanding stricter supplier risk assessments and real-time threat reporting. The United States’ Executive Order on Improving the Nation’s Cybersecurity mandates software bill of materials (SBOM) transparency for federal contractors to mitigate risks from vulnerable software components. Meanwhile, Asia-Pacific nations, including Australia and Japan, are implementing stricter cybersecurity supply chain frameworks, recognising the economic and national security implications of these attacks. 

Despite these measures, enforcement and compliance remain a challenge, with organisations needing to integrate global standards into their security strategies and juggle the evolving need and threats.

AI & The Future Of Supply Chain Cyber Threats

AI is a double-edged sword in cybersecurity with some heralding it as a future strength in threat detection, whereas others see it as potentially its greatest weakness. While organisations use AI-driven tools to detect anomalies and automate threat response, adversaries leverage AI for advanced cyberattacks. We’re seeing worrying trends:

  • AI-powered phishing campaigns can generate hyper-personalised attacks that bypass traditional detection mechanisms.
  • Machine learning models can be manipulated through adversarial attacks, potentially corrupting data integrity in AI-driven supply chain management systems.
  • Automated vulnerability discovery enables attackers to identify security gaps in supplier software much faster than traditional methods.

This means organisations must integrate AI-driven defence mechanisms, such as behaviour-based threat detection and automated patching, into their supply chain risk management strategies.

Best Practices For Securing Supply Chains

To strengthen resilience against supply chain cyber threats, taking a multi-layered approach is best, such as:

Zero Trust architecture: Adopt a Zero Trust model where no entity, internal or external, is automatically trusted. This includes enforcing least privilege access for suppliers.

Continuous third-party monitoring: Deploy continuous security monitoring solutions to detect anomalous behaviour in supplier networks.

Secure API and data access: Restrict supplier access to only the necessary systems and data and enforce API security measures.

Threat intelligence sharing: Collaborate with industry groups and government agencies to stay ahead of emerging threats.

Regular cybersecurity audits: Conduct independent audits of supplier security measures and ensure compliance with international cybersecurity standards.

Supply chain cyber risks are advancing. With the addition of AI, something that was once cutting-edge is now commonplace and opening the door to further risk. 

CAF, the Cyber Security and Resilience Bill and the supply chain guidance for public sector procurement represent a reassuring future-state when all are in play together. However, until that is in place, organisations must take charge of their own supply chain security, because waiting for the perfect alignment of guidance could mean waiting for a breach. 

Ed Bartlett is CEO at Hicomply

Image: 

You Mght Also Read:

Strengthening Britain's Cyber Defences:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« From Static Defenses To Dynamic Systems
Amazon Launches A Quantum Semiconductor Chip »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Landry & Associates

Landry & Associates

Landry & Associates is a multidisciplinary firm specializing in risk management, performance and technology management.

CQS (Certified Quality Systems)

CQS (Certified Quality Systems)

CQS is an organisation specialising in ISO assessment and certification, including ISO 27001, along with other management system standards.

Professional Information Security Association (PISA)

Professional Information Security Association (PISA)

PISA is an independent and not-for-profit organization for information security professionals, with the primary objective of promoting information security awareness and best practice.

Norton

Norton

NortonLifeLock is dedicated to helping secure the devices, identities, online privacy, and home and family needs of approximately 50 million consumers.

Industrial Networking Solutions (INS)

Industrial Networking Solutions (INS)

INS Services specializes in designing, deploying and providing on-going support for critical OT (Operational Technology) and IIoT (Industrial Internet of Things) networks.

WebSec B.V.

WebSec B.V.

WebSec is a Dutch Cybersecurity firm mainly focused on offensive security services such as pentesting, red teaming and security awareness and phishing campaigns.

Edureka

Edureka

Edureka is an online technology training provider with the most effective learning system in the world. We help professionals learn trending technologies for career growth.

Comparitech

Comparitech

Comparitech strives to promote cyber security and privacy for all. We are committed to providing detailed information to help our readers become more cyber secure and cyber aware.

iSTORM

iSTORM

iStorm specialise in supporting organisations who require a range of Privacy, Security and Penetration testing related services.

Accops Systems

Accops Systems

Accops enables secure and instant remote access to business applications from any device and network, ensuring compliant enterprise mobility.

Josef Ressel Centre for Intelligent & Secure Industrial Automation

Josef Ressel Centre for Intelligent & Secure Industrial Automation

The Josef Ressel Centre for Intelligent and Secure Industrial Automation investigates the fundamentals of digital assistants for industrial machines that enable intelligent and secure operation.

Data Computer Services

Data Computer Services

Data Computer Services provides professional tailored IT Support and IT Services for businesses throughout Edinburgh and the Lothians.

Espria

Espria

Espria is a leading independent managed service provider with expertise in Cloud, IT, Communications and Document Solutions.

Anzen Technology Systems

Anzen Technology Systems

Anzen create software solutions which allows organisations to utilize the public cloud for sensitive or classified information, whilst increasing data security and retaining data sovereignty.

DataProof Communications

DataProof Communications

DataProof Communications is Cybersecurity Company specialising in cybersecurity operations, incident management and response best practices and technologies.

A&O Shearman

A&O Shearman

A&O Shearman is a law firm at the forefront of the forces changing the current of global business: energy transition, life sciences, technology, private capital, finance and beyond.