Recent Breaches: A Wake-Up Call
The surge of incidents over the last couple of weeks has underlined that the digital supply chain is now as critical as the physical one. We've seen a wave of disruptions that rippled through business operations, damaged public trust, and exposed just how interdependent our systems really are.
- First came the European power outages, which, while not confirmed as cyberattacks, served as a stark reminder of how quickly infrastructure failures can cascade through digital and physical supply chains alike. I made a commentary about this in The Telegraph and even discussed it on live television on CNN!
- Then came the M&S (Marks & Spencer) breach, believed to stem from a third-party payroll provider. What started as a vendor compromise quickly became a national headline. I’ve shared some thoughts with Intelligence CISO here.
- Peter Green Chilled, a logistics supplier for major UK retailers like Tesco, Sainsbury's, and Aldi, was hit by a ransomware attack that disrupted the physical delivery of perishable goods. The Independent asked me about this here.
- In the same period, Co-op, Dior, and most recently Adidas had their own cybersecurity incidents which impacted business operations, customer data and supply of goods to shops and online.
These incidents aren’t isolated. They’re symptoms of a much broader issue: organisations often lack visibility into the interconnected systems and third parties that power their operations. Risk doesn't stop at your firewall. It travels through your domains, APIs, vendors, contractors, and shared platforms.
Key Lessons Learned
1. Trust is not a security control
Too many organisations treat vendor onboarding as a one-time checkbox and stop at the vendor risk assessment. Just because a supplier is reputable doesn’t mean their security posture matches yours. Trust must be backed by continuous monitoring and ongoing validation.
2. Visibility is a shared responsibility
Many breaches stem not from sophisticated attack vectors, but from overlooked systems and forgotten dependencies. As I shared in a recent HelpNet Security interview:
"The mindset that asset inventory is just a 'one-time project' is outdated and needs to shift towards maintaining an ongoing living map that includes business context."
Without shared visibility between partners, you’re effectively flying blind.
3. Incidents don't respect silos
The moment an incident hits, technology (IT), security, legal, and business teams must work in sync. If your third-party risk framework isn’t aligned with your incident response and communications plan, you’ll lose precious time in the moments that matter most.
4. Physical disruption starts with digital access
The Peter Green Chilled ransomware attack wasn’t just a tech failure—it had real-world implications. Deliveries were halted, refrigerated goods spoiled, and retailers scrambled. What this shows is that supply chain attacks don’t just steal data. They disrupt the trust and continuity that businesses (and consumers) rely on.
Strategies for Building a Resilient Supply Chain
1. Map your digital proximity
At ThingsRecon, we created the term digital proximity to describe the interconnectedness of your systems, vendors, and infrastructure. It's not just who your suppliers are, but how closely they're integrated into your operations, what data flows through them, and how exposed they are.
Start by asking: If this vendor were compromised, what could the attacker access? Which systems would be affected? Who else is this vendor connected to?
2. Prioritise based on business impact
Not all risks are equal. An outdated supplier login might be more dangerous than a new SaaS vendor, depending on its reach and privileges. Context matters. Look at exposure, exploitability, and business importance—not just surface-level severity.
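As an added illustration of the two points above (not ThingsRecon's own tooling), the toy model below expresses digital proximity as a directed access graph, computes the blast radius of a hypothetical vendor compromise, and ranks vendors by exposure, exploitability and the business criticality of what they can reach; every vendor, system and weight is constructed for the example.

```python
# Added example (not the page's or ThingsRecon's code): a toy "digital proximity" model.
# A directed edge A -> B means "A has access to, or feeds data into, B".
# All names, edges and weights below are constructed for illustration.
from collections import deque

# Constructed business-importance weights (1 = low .. 5 = critical).
CRITICALITY = {
    "payroll-provider": 2, "logistics-provider": 2, "saas-crm": 1,
    "hr-system": 4, "erp": 5, "warehouse-mgmt": 5, "store-pos": 5,
    "customer-db": 5,
}

# Constructed access graph: third parties are the entry points.
ACCESS = {
    "payroll-provider": ["hr-system"],
    "hr-system": ["erp"],
    "logistics-provider": ["warehouse-mgmt"],
    "warehouse-mgmt": ["store-pos"],
    "saas-crm": ["customer-db"],
    "erp": ["customer-db", "warehouse-mgmt"],
}

# Constructed per-vendor estimates: exposure and exploitability, each 0..1.
VENDORS = {
    "payroll-provider": {"exposure": 0.8, "exploitability": 0.6},
    "logistics-provider": {"exposure": 0.5, "exploitability": 0.7},
    "saas-crm": {"exposure": 0.9, "exploitability": 0.2},
}

def blast_radius(start, graph=ACCESS):
    """Every node transitively reachable if `start` is compromised (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def vendor_risk(vendor, graph=ACCESS, crit=CRITICALITY):
    """Context-aware score: exposure * exploitability * summed criticality of reach."""
    reach = blast_radius(vendor, graph)
    impact = sum(crit.get(n, 1) for n in reach)
    v = VENDORS[vendor]
    score = round(v["exposure"] * v["exploitability"] * impact, 2)
    return {"reach": sorted(reach), "impact": impact, "score": score}

def prioritise(vendors=VENDORS):
    """Vendors ordered by descending risk score, highest priority first."""
    return sorted(vendors, key=lambda v: vendor_risk(v)["score"], reverse=True)
```

In this constructed data the low-exposure payroll provider outranks the highly exposed CRM SaaS because its reach extends through HR into the ERP, warehouse and POS systems, which is exactly the "reach and privileges" point.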
3. Shift from static to continuous discovery
What you saw last quarter may already be outdated. Organizations need automated discovery that adapts in real time—tracking new assets, identifying changes in third-party infrastructure, and flagging shadow IT and unknown dependencies.
4. Build resilience, not just defenses
Resilience means having a plan when things go wrong. That includes:
- Clear incident response plans for vendor-related breaches
- Shared playbooks with third parties
- Communication protocols that include employees, customers, regulators, and partners
- A testing regime that includes continuous assessment and improvement
- Clear roles and responsibilities, defined so that each party knows its part
- A thorough understanding of the "Things" (the assets and connections) and their value and importance to the organisation and its operations
5. Embed security in partnership agreements
Security expectations shouldn’t be buried or hidden in procurement paperwork. Make risk ownership explicit:
- Define shared responsibilities
- Require regular assessments or attestations
- Set SLAs, OLAs or defined protocols for breach notification and remediation
Cyber risks facing today's supply chains are not theoretical; they are present and growing. They're disrupting payrolls, halting deliveries, and exposing strategic vulnerabilities on a global scale. At some point, I predict they may impact the safety of consumers, states, governments or the environment, given the reach of supply chains in everyday society. The good news? These events are also catalysts for change, pushing organisations to rethink how they build, assess, and manage relationships. This comes on top of regulations such as DORA, the SEC disclosure rules and NIS2, which demand supply chain cybersecurity oversight, accountability, and timely transparency and reporting.
A resilient supply chain isn't just one with strong defenses. It's one with shared visibility, aligned priorities, and a clear path forward when things go sideways.
Let’s stop treating third-party risk as someone else's problem. Because if attackers can find a way in, chances are it’s through a connection we chose to trust or didn't know existed.