Hidden Risks In The The Global Supply Chain

The leading risk intelligence firm Bitsight has released its latest research report -  Under the Surface: Uncovering Cyber Risk in the Global Supply Chain.  The findings highlight how deeply interconnected businesses are, and how cyber risks in one part of the supply chain can have far-reaching effects.  

The report examines both global and UK-specific data, based on an analysis of 500,000 organisations, 40,000 products, and 12,000 providers, mapping over 61 million digital supply chain relationships

In particular, Bitsight found that UK supply chains are larger and more complex than the global average and the typical UK organisation uses 29.1 different providers and 81.6 different products; a 10% larger supply chain than the global average.  

Other key findings include: 

  • The larger and more complex a supply chain, the greater the attack surface, increasing opportunities for cybercriminals to infiltrate networks. 
  • Supply chain risks don’t just come from direct providers - they extend through multiple tiers, creating hidden vulnerabilities that businesses may not be aware of.  
  • Of particular concern is the the finding that the UK supply chain’s is highly reliant on Chinese companies which have links with the Chinese military with 30% of the UK supply chain relies on organisations designated by the US Department of Defense as “Chinese Military Companies.”  

The continued reliance on these providers underscores the challenge of securing the digital supply chain against foreign influence.

Even with increased scrutiny and regulatory efforts, Chinese state-linked firms maintain a significant foothold in UK industries, making it critical for organisations to assess their vendor relationships and mitigate potential risks.  

The UK’s most influential global providers aren’t just big-name technology firms - they include niche software vendors that quietly power essential industries. Bitsight research identifies “Hidden Pillars”, the lesser-known technology companies that serve large portions - or even the majority - of specific industries. A security failure at one of these companies could trigger cascading effects within and across industries.  

  • Customer count does not equal criticality, as some niche providers serve only a handful of companies yet support massive market share in industries like energy, finance, and logistics. 
  • Some of the most critical software and infrastructure providers operate with fewer than 50 employees, yet their technology is embedded in Fortune 500 companies and global enterprises. 

Bitsight assess that organisations that provide digital products and services often face far greater cybersecurity challenges than the businesses they serve. With larger attack surfaces, more complex vendor relationships, and increasing risk exposure, providers must take stronger measures to secure their own ecosystems. 

  • On average, providers use 2.5 times more products and have 10 times more internet-facing assets globally, making them more exposed to cyber threats. 
  • While providers outperform consumers in four of six security standards, including DMARC, SPF, DKIM, and DNSSEC, they lag behind in areas such as patch management, open ports, insecure systems, and botnet infections. 

Bitsight found that UK businesses exhibit better cybersecurity performance than their providers, however, there are always  going to be some providers that fail to achieve or maintain a good security posture. “Over the past year, we’ve seen several highly-visible security incidents that highlight how incidents in the digital supply chain can have a massive ripple effect across the global economy,” said Ben Edwards, Principal Research Scientist at Bitsight. 

“Even the most security-conscious companies are vulnerable to weaknesses in their supply chain. Organisations must continuously evaluate their third party vendors and suppliers and work proactively to close security gaps.” Edwards added.

Image: Ideogram

You Might Also Read:

Guidance Is Coming, But Hackers Aren’t Waiting:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Britain Plans To Use  AI To Run Public Services
Ukraine Railway Systems Attacked By Russian Hackers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

TitanFile

TitanFile

TitanFile is an award-winning, easy and secure way for professionals to communicate without having to worry about security and privacy.

Mocana

Mocana

Mocana provides a software platform that allows you to develop, test and distribute more secure IoT devices and services.

Pradeo

Pradeo

Pradeo Security offers a complete, automatic and seamless protection to mobile devices and applications, aligned with your organization security policy while preserving business agility.

Logsign

Logsign

Logsign is a Security Orchestration, Automation and Response (SOAR) platform with next-gen Security Information and Event Management (SIEM) solution.

Evidence Talks (ETL)

Evidence Talks (ETL)

A leading forensic computing authority developing unique digital forensic technologies. Tools that detect potential terrorists & criminals & used by the military, enforcement & intelligence commmunity

AXA XL

AXA XL

AXA XL is the P&C and Specialty Risk Division of AXA. Professional insurance products include Cyber Insurance.

North European Cybersecurity Cluster (NECC)

North European Cybersecurity Cluster (NECC)

NECC promotes information security and cybersecurity-related cooperation and collaboration in the Northern European region in order to enhance integration into the European Digital Single Market.

Veriff

Veriff

Veriff provides highly-automated identity-verification services that prevent fraud like nothing else on the market.

ACROS Security

ACROS Security

ACROS Security is a leading provider of security research, real penetration testing and code review for customers with the highest security requirements.

InfoExpress

InfoExpress

InfoExpress provides network security solutions that enhance productivity and security through better visibility, improved security, and automating device and mobile access to the network.

Difenda

Difenda

Difenda Shield is a fully integrated and modular cybersecurity suite that gives your organization the agility it needs to implement a world-class cybersecurity system.

SafePaas

SafePaas

SafePaas is a leading Enterprise Risk Management Platform. One source of truth for all your Audit, Risk, and Compliance requirements. Complete governance across your systems.

Gen Digital

Gen Digital

At Gen™, our mission is to create technology solutions for people to take full advantage of the digital world, safely, privately, and confidently – so together, we can build a better tomorrow.

Protecto

Protecto

Make privacy and governance effortless. Brakes allow you to drive faster. Stronger data privacy and security enable companies to unlock the full potential of the data.

Amtivo Ireland

Amtivo Ireland

Amtivo Ireland (formerly Certification Europe and EQA) offers a range of certifications and related services.

ArmorX AI

ArmorX AI

ArmorX AI (formerly Kapalya) operates an encryption management platform designed to encrypt all data in transit and at rest on mobile end-points, corporate servers, and cloud servers.