Supply chain cyberattacks are becoming unmanageable - and UK businesses are paying the price
Why supply chain security can no longer be ignored
2025 has already seen one household name after another make cybersecurity headlines.
From M&S to the Co-op and Harrods, this year has underscored how deeply connected, and how exposed, UK organizations have become.
CEO of ISMS.online.
For example, when Jaguar Land Rover’s production line ground to a halt at the end of August, the cause wasn’t a parts shortage or logistics bottleneck - it was a cyber breach.
Just weeks later, airports across Europe faced widespread disruption after attackers compromised Collins Aerospace’s MUSE software, a critical platform that allows airlines to share check-in desks and boarding gates.
These incidents show that the threat is real, growing and already hitting home - businesses that fail to act now risk being the next to fall.
The warning signs were there all along
Back in 2021, Gartner warned that by 2025, nearly half (45%) of organizations would suffer a software supply chain attack. The latest numbers suggest that prediction was, if anything, conservative. According to IO’s 2025 State of Information Security Report, 61% of businesses experienced a supply chain breach in the past 12 months.
Nearly one-third of those incidents resulted in operational disruption or financial loss. And six in ten security leaders now describe the risks from third parties and supply chain partners as “innumerable and unmanageable.”
Why attackers exploit the smallest suppliers
Modern organizations rely on a complex mesh of connected systems, cloud platforms and third-party providers. Sensitive data now flows continuously between external partners - from marketing agencies and logistics firms to data processors and SaaS vendors. Each link in that chain is a potential entry point.
As a result, threat actors have learnt that smaller vendors can be the weakest link. The cyberattack on retailer Mango in October illustrates this well. Attackers stole customer data not from Mango itself, but from one of its external marketing suppliers.
This “island hopping” approach is now standard practice among cybercriminals. Smaller partners often lack the resources or expertise to defend themselves - making them a convenient way into larger, better-protected networks. And limited budgets, small security teams and fewer formal risk processes make containment much harder.
Overconfidence is the biggest threat of all
While attackers are evolving, many organizations still underestimate just how vulnerable they’ve become. Many cybersecurity leaders express confidence in their breach response capabilities.
This confidence often stems from past investment in security infrastructure and the existence of formal response plans.
But confidence doesn’t always equal capability. In practice, many organizations still struggle with visibility across sprawling vendor ecosystems, fragmented data flows and legacy systems that can’t adapt fast enough to modern threats.
The supply chain threat, in particular, also continues to be deprioritized. Only 23% of respondents to our survey ranked supply chain compromise among their top emerging threats, placing it behind AI misuse, misinformation, and phishing.
That gap suggests that many leaders are focusing on more visible risks rather than the silent, systemic vulnerabilities within their vendor networks.
This creates a dangerous mismatch between perception and reality. As the incidents above show, most large-scale breaches today are not the result of direct attacks but of infiltration through trusted partners - where detection, accountability and response are exponentially more complex.
Attackers are exploiting the “trust blind spot,” where organizations assume their suppliers maintain adequate defenses, only to find out too late that a single weak credential, outdated API or unsecured file transfer server has exposed sensitive systems.
This reveals that businesses are caught between awareness and action. They understand that supply chain risk exists; however, many are still treating it as a compliance checkbox rather than a board-level priority.
Until that mindset changes, the gap between cyber confidence and actual readiness will continue to widen. And attackers will continue to take full advantage.
Building resilience: Three steps UK firms should prioritize
The UK Government has already recognized the national-scale implications of supply chain risk, with MI5 and the National Cyber Security Centre (NCSC) making it a strategic focus.
But as the latest wave of attacks shows, many organizations remain underprepared. With this in mind, there are three priorities that can make a measurable difference to businesses and help with preparedness.
- Embed security into partnership agreements. Cybersecurity must be a contractual issue, not an afterthought. Clear expectations, accountability and defined responsibilities in supplier agreements help ensure partners maintain appropriate security controls throughout the relationship.
- Implement ongoing vetting and audits. Initial due diligence isn’t enough. Continuous monitoring, periodic audits and reassessment of third parties’ risk profiles are essential to ensure security practices don’t degrade over time.
- Strengthen your own defenses first. Before demanding higher standards from suppliers, organizations must ensure their own information security frameworks are robust. Regular internal audits, tabletop incident simulations and adherence to best-practice standards such as Cyber Essentials and ISO 27001 help ensure resilience at every layer.
Working with a qualified cybersecurity partner can also streamline this process and provide the independent assurance needed to identify hidden vulnerabilities.
The bottom line
The cyber incidents disrupting the UK’s most recognizable brands in 2025 highlight a truth that’s been years in the making - the supply chain is now the frontline of cybersecurity.
Businesses can no longer treat third-party risk as a secondary concern. With attacks accelerating and interdependencies multiplying, proactive, continuous management is the only viable defense.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Chris Newton-Smith is CEO of ISMS.online.