Hidden Risks In The Global Supply Chain

The leading risk intelligence firm Bitsight has released its latest research report, Under the Surface: Uncovering Cyber Risk in the Global Supply Chain. The findings highlight how deeply interconnected businesses are, and how cyber risks in one part of the supply chain can have far-reaching effects.

The report examines both global and UK-specific data, based on an analysis of 500,000 organisations, 40,000 products, and 12,000 providers, mapping over 61 million digital supply chain relationships.

In particular, Bitsight found that UK supply chains are larger and more complex than the global average: the typical UK organisation uses 29.1 different providers and 81.6 different products, a supply chain 10% larger than the global average.

Other key findings include: 

  • The larger and more complex a supply chain, the greater the attack surface, increasing opportunities for cybercriminals to infiltrate networks. 
  • Supply chain risks don’t just come from direct providers - they extend through multiple tiers, creating hidden vulnerabilities that businesses may not be aware of.  
  • Of particular concern is the finding that the UK supply chain is highly reliant on Chinese companies with links to the Chinese military: 30% of the UK supply chain relies on organisations designated by the US Department of Defense as “Chinese Military Companies.”

The continued reliance on these providers underscores the challenge of securing the digital supply chain against foreign influence.

Even with increased scrutiny and regulatory efforts, Chinese state-linked firms maintain a significant foothold in UK industries, making it critical for organisations to assess their vendor relationships and mitigate potential risks.  

The UK’s most influential global providers aren’t just big-name technology firms - they include niche software vendors that quietly power essential industries. Bitsight research identifies “Hidden Pillars”, the lesser-known technology companies that serve large portions - or even the majority - of specific industries. A security failure at one of these companies could trigger cascading effects within and across industries.  

  • Customer count does not equal criticality, as some niche providers serve only a handful of companies yet support massive market share in industries like energy, finance, and logistics. 
  • Some of the most critical software and infrastructure providers operate with fewer than 50 employees, yet their technology is embedded in Fortune 500 companies and global enterprises. 
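The two points above (risk that extends through multiple tiers, and "hidden pillars" whose direct customer count understates their criticality) can be made concrete with a small dependency graph. The following is an added example, not Bitsight's data or methodology: the organisations, providers, industries and relationships are all constructed for illustration. It walks each organisation's supply chain tier by tier, computes each provider's share of an industry when indirect dependencies are included, and flags providers that reach most of an industry without any organisation in it contracting with them directly.

```python
from collections import defaultdict

# Constructed example data (hypothetical names, not from the report): the providers
# each organisation or provider depends on directly. Nodes with no entry have none.
DIRECT_PROVIDERS = {
    # tier 0: the organisations being assessed (industry given in INDUSTRY below)
    "EnergyCo-A": ["CloudHost", "SCADAVendor"],
    "EnergyCo-B": ["CloudHost", "SCADAVendor"],
    "EnergyCo-C": ["MSP-North"],
    "BankCo-A": ["CloudHost", "CorePlatform"],
    "BankCo-B": ["MSP-North"],
    # deeper tiers: providers that themselves depend on other providers
    "SCADAVendor": ["NicheRTOS"],
    "MSP-North": ["CloudHost", "NicheRTOS"],
    "CorePlatform": ["NicheRTOS"],
}

# Constructed industry labels for the assessed organisations.
INDUSTRY = {
    "EnergyCo-A": "energy", "EnergyCo-B": "energy", "EnergyCo-C": "energy",
    "BankCo-A": "finance", "BankCo-B": "finance",
}


def transitive_providers(org, graph=DIRECT_PROVIDERS):
    """Return {provider: tier} for everything org depends on, directly or indirectly.

    Tier 1 is a direct provider, tier 2 a provider's provider, and so on. The
    breadth-first walk records the shallowest tier at which a provider appears
    and skips already-visited nodes, so cycles in the graph terminate."""
    tiers = {}
    frontier = [(p, 1) for p in graph.get(org, [])]
    while frontier:
        next_frontier = []
        for provider, tier in frontier:
            if provider in tiers:
                continue
            tiers[provider] = tier
            next_frontier.extend((q, tier + 1) for q in graph.get(provider, []))
        frontier = next_frontier
    return tiers


def direct_customer_count(graph=DIRECT_PROVIDERS):
    """Number of nodes (organisations or providers) that contract with each provider directly."""
    counts = defaultdict(int)
    for deps in graph.values():
        for provider in deps:
            counts[provider] += 1
    return dict(counts)


def industry_share(industries=INDUSTRY, graph=DIRECT_PROVIDERS):
    """Fraction of each industry's organisations that depend on each provider at any tier.

    Returns {industry: {provider: share}}; this is the exposure a tier-1-only
    view misses."""
    members = defaultdict(list)
    for org, industry in industries.items():
        members[industry].append(org)
    shares = {}
    for industry, orgs in members.items():
        counts = defaultdict(int)
        for org in orgs:
            for provider in transitive_providers(org, graph):
                counts[provider] += 1
        shares[industry] = {p: n / len(orgs) for p, n in counts.items()}
    return shares


def hidden_pillars(threshold=0.5, industries=INDUSTRY, graph=DIRECT_PROVIDERS):
    """Providers reaching at least `threshold` of an industry's organisations only
    through deeper tiers, i.e. no organisation in that industry uses them directly.
    Returns sorted (industry, provider, share) tuples."""
    found = []
    for industry, shares in industry_share(industries, graph).items():
        orgs = [o for o, i in industries.items() if i == industry]
        for provider, share in shares.items():
            used_directly = any(provider in graph.get(o, []) for o in orgs)
            if share >= threshold and not used_directly:
                found.append((industry, provider, share))
    return sorted(found)


if __name__ == "__main__":
    for org in INDUSTRY:
        print(org, transitive_providers(org))
    print("direct customers:", direct_customer_count())
    print("industry share:", industry_share())
    print("hidden pillars:", hidden_pillars())
```

In the constructed data, NicheRTOS has no direct customer among the assessed organisations, yet every organisation in both industries depends on it through a tier-1 provider, which is exactly the "customer count does not equal criticality" situation the report describes. Running the same walk over a real vendor inventory requires knowing each provider's own providers, which is the data most organisations lack and the reason deeper tiers stay hidden.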

Bitsight assesses that organisations that provide digital products and services often face far greater cybersecurity challenges than the businesses they serve. With larger attack surfaces, more complex vendor relationships, and increasing risk exposure, providers must take stronger measures to secure their own ecosystems.

  • On average, providers use 2.5 times more products and have 10 times more internet-facing assets globally, making them more exposed to cyber threats. 
  • While providers outperform consumers in four of six security standards, including DMARC, SPF, DKIM, and DNSSEC, they lag behind in areas such as patch management, open ports, insecure systems, and botnet infections. 

Bitsight found that UK businesses exhibit better cybersecurity performance than their providers; however, there will always be some providers that fail to achieve or maintain a good security posture. “Over the past year, we’ve seen several highly-visible security incidents that highlight how incidents in the digital supply chain can have a massive ripple effect across the global economy,” said Ben Edwards, Principal Research Scientist at Bitsight.

“Even the most security-conscious companies are vulnerable to weaknesses in their supply chain. Organisations must continuously evaluate their third-party vendors and suppliers and work proactively to close security gaps,” Edwards added.

Image: Ideogram
