Features 29.04.2025

Uncovering the Hidden Pillars Supporting the UK’s Digital Supply Chain

What you can’t see could hurt your organisation

The UK’s digital supply chains are larger and more complex than their global peers. That could spell trouble, finds Phil Muncaster

Supply chains play a critical role for British organisations. They drive efficiency, agility and ultimately competitive differentiation. But they can also be a major source of business risk. That risk intensifies if there are significant blind spots. Unfortunately, two new pieces of research reveal that many organisations are potentially more at risk from third- and even fourth-party breaches than they realise.

Experts argue that to stem the tide of third-party risk, CISOs must first understand more about the companies that supply them with essential goods and services. This can be easier said than done.

Shining a light on suppliers

The first study reveals that UK organisations use 29.1 different providers and 81.6 different products on average, which report author Bitsight calculates as a supply chain 10% larger than that of their global peers. That in itself is cause for concern, as it means a larger attack surface for threat actors to target.

However, the study also claims that 30% of the UK supply chain relies on organisations designated by the Pentagon as “Chinese military companies”. They include China Telecom, Qihoo, China Unicom, Tencent and Huawei. Some 7% have a business relationship with the Third Research Institute of the Ministry of Public Security, a Chinese government body linked to AI surveillance technology.

“Given the current changes and tension in the international trade landscape, relying on Chinese suppliers raises geo-political and regulatory risks,” Bitsight principal research scientist, Benjamin Edwards, tells Assured Intelligence. “Even if current trade policy and tension turns on a dime, disentangling these relationships will be extremely complex and time-consuming.”

“30% of the UK supply chain relies on organisations designated by the Pentagon as ‘Chinese military companies’.” 

That’s not all. According to the report, many tech suppliers to UK organisations are “hidden pillars” – little-known vendors that actually serve large portions of certain verticals. The risk is that a single breach at one of these companies could have a massive impact on entire industries. Some of these vendors operate with fewer than 50 employees, which raises a question mark over whether enough resources are available, and assigned, to cybersecurity, according to Bitsight.

Deepwatch CISO, Chad Cragle, cites SolarWinds and Codecov as two such vendors, which were breached in incidents that impacted entire sectors.

“Their security posture is often neglected despite their support of critical operations. The primary concern is a lack of visibility; when a supplier is heavily relied upon yet operates beneath the radar, it engenders systemic fragility,” he tells Assured Intelligence. “Organisations must extend their assessments beyond Tier 1 vendors to effectively map and monitor supply chain dependencies at every level.”

Why it matters

These supply chain risks continue to grow and evolve. According to a new SecurityScorecard study, 36% of global breaches in 2024 were third-party related – an annual increase of 7%. In the UK the figure is slightly higher (37%). The worst impacted verticals were Retail, Hospitality and Consumer Goods (52%), Technology, Telecommunications, and Media (46%) and Energy, Utilities and Critical Infrastructure (47%).

“CISOs should establish clear security baselines and remediation plans for integrating acquisitions safely.” Steve Cobb

Some 12% of these third-party related breaches came not from external suppliers but from domestic or foreign subsidiaries and acquired companies. This speaks to the challenges of deploying security consistently across a large organisation, with siloed tech stacks and potentially inherited vulnerabilities. In the case of foreign subsidiaries, there may also be language barriers, varying cultural expectations and different regulatory requirements to contend with, the report notes.

SecurityScorecard CISO, Steve Cobb, argues that security leaders should ideally be included in M&A decision making early on, so they can conduct risk assessments on potential targets.

“Security tools can help evaluate an acquisition’s risk profile, but if time is limited or risks are significant, the newly acquired entity should remain segregated. This means keeping infrastructure, data, and workflows separate until security teams can assess vulnerabilities and implement necessary controls,” he tells Assured Intelligence.

“Additionally, CISOs should establish clear security baselines and remediation plans for integrating acquisitions safely. Treating M&A cybersecurity as a proactive process rather than an afterthought helps prevent inherited security weaknesses from compromising the broader organisation.”

Ransomware actors are among those constantly probing for ways to maximise their ROI – and find an easier entry vector for high-value targets – by attacking suppliers. Over 40% of ransomware and extortion incidents last year had a third-party breach component, with Cl0p among the main actors in this space. UNC5537, which targeted Snowflake client accounts to access hundreds of millions of end-customer records, is another notable name. And Chinese cyber-espionage actors are also known for targeting supply chains, SecurityScorecard claims.

“CISOs must transcend outdated annual evaluations and compliance checklists to adopt continuous risk monitoring.” Chad Cragle

Perhaps more alarming still is the fact that many breaches extend beyond third-party suppliers. So-called fourth-party breaches – where suppliers of suppliers are compromised – accounted for 5% of all breaches last year and 13% of all third-party incidents. This highlights the interconnected nature of modern digital ecosystems, and the risk that CISOs have security blind spots.

Cobb cautions that mapping suppliers’ supply chains can be challenging.

“Specialised tools can help uncover these dependencies, but if budget or expertise is lacking, CISOs must strengthen relationships with key vendors to gain insight into their security posture. Regular discussions, contractual security requirements, and shared threat intelligence can improve transparency,” he tells Assured Intelligence.

“Additionally, organisations should factor fourth-party risks into their incident response planning, ensuring they are prepared for disruptions beyond direct vendor relationships. Proactively addressing these hidden dependencies helps reduce blind spots and strengthens overall supply chain resilience.”

Tackling supplier risk

CISOs alarmed by these studies must get back on the front foot to head off supplier risk. That starts with visibility into supply chains, according to Bitsight’s Edwards.

“Knowing is half the battle. The first step is to understand who is enabling your organisation’s mission – every piece of equipment, software and data should be considered. That said, evaluate criticality, as a gap in marketing analytics will not be quite as devastating as a major cloud provider shutdown,” he explains.

The next step is to proactively reach out to providers who may not be as transparent as they should be.

“Knowing is half the battle. The first step is to understand who is enabling your organisation’s mission.” Benjamin Edwards

“Look deeper into the extended supply chain. Are your most critical providers themselves dependent on a less-than-secure fourth-party provider? Finally, evaluate your own criticality in the global supply chain and take accountability so an incident within your business does not disrupt others.”

Deepwatch’s Cragle adds that any strategy for managing supply chain risk must be intelligence-driven rather than based on reactive controls.

“CISOs must transcend outdated annual evaluations and compliance checklists to adopt continuous risk monitoring tools that furnish real-time security ratings and risk management solutions. Such measures will facilitate a more comprehensive assessment of their security posture,” he explains.

“Essential actions comprise: mapping supply chains to identify latent dependencies, coordinating procurement and legal teams to enforce security clauses, instituting zero trust principles to restrict vendor access, and emphasising resilience through the assessment of aggregate risk throughout the ecosystem.”
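As an added illustration of the dependency mapping Cragle and Edwards describe (this is not code from the article, Bitsight or SecurityScorecard), the Python below walks a constructed buyer-to-supplier graph to surface fourth-party dependencies and flag “hidden pillars”: vendors that most organisations in a vertical depend on but that few or none contract with directly. All organisation and vendor names are invented.

```python
# Added example: transitive supplier mapping and "hidden pillar" detection.
# Nothing here is real vendor data; the graph below is constructed for illustration.
from collections import defaultdict, deque

# Constructed sample data: buyer -> list of its direct (tier-1) suppliers.
SUPPLIERS = {
    "BankA": ["CloudCo", "CRMVendor"],
    "BankB": ["CloudCo", "PayGateway"],
    "BankC": ["PayGateway", "CRMVendor"],
    "CloudCo": ["TinyFileXfer"],              # hypothetical small file-transfer vendor
    "PayGateway": ["TinyFileXfer"],
    "CRMVendor": ["TinyFileXfer", "EmailAPI"],
}

def transitive_suppliers(org, graph=SUPPLIERS):
    """Every vendor reachable from org, mapped to its shortest tier
    (1 = direct third party, 2 = fourth party, and so on)."""
    tiers = {}
    frontier = deque((s, 1) for s in graph.get(org, []))
    while frontier:
        vendor, tier = frontier.popleft()
        if vendor in tiers:            # already reached via a shorter path
            continue
        tiers[vendor] = tier
        frontier.extend((s, tier + 1) for s in graph.get(vendor, []))
    return tiers

def hidden_pillars(orgs, graph=SUPPLIERS, threshold=0.5):
    """Return {vendor: share of orgs depending on it} for vendors that at least
    `threshold` of orgs reach (directly or indirectly) while fewer orgs hold a
    direct contract with them, i.e. concentration risk sitting below tier 1."""
    reach = defaultdict(set)   # vendor -> orgs that depend on it at any tier
    direct = defaultdict(set)  # vendor -> orgs that contract with it directly
    for org in orgs:
        for vendor, tier in transitive_suppliers(org, graph).items():
            reach[vendor].add(org)
            if tier == 1:
                direct[vendor].add(org)
    return {
        v: len(reach[v]) / len(orgs)
        for v in reach
        if len(reach[v]) / len(orgs) >= threshold and len(direct[v]) < len(reach[v])
    }

if __name__ == "__main__":
    banks = ["BankA", "BankB", "BankC"]
    for vendor, share in sorted(hidden_pillars(banks).items(), key=lambda kv: -kv[1]):
        print(f"{vendor}: relied on by {share:.0%} of the vertical, no direct contracts")
```

In the constructed graph, TinyFileXfer is never a direct supplier to any bank yet sits beneath all three, which is exactly the visibility gap the article attributes to hidden pillars and fourth-party breaches.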

Supply chain risk management is now firmly on the radar of regulators – from NIS2 and DORA in the EU to the UK’s forthcoming Cyber Security and Resilience Bill. That alone should place it top of the to-do list for today’s CISOs.

The Top 10 sources/enablers of third-party breaches

(Source: SecurityScorecard)
  1. File transfer software (14%)
  2. Cloud products & services (8%)
  3. Foreign subsidiaries & acquisitions (8%)
  4. Payment card data breach (7%)
  5. Pharmaceutical distribution & clinical trial support (7%)
  6. Unspecified vendors (7%)
  7. Customer Relationship Management (CRM) & communications services (6%)
  8. Unnamed software & IT products & services (5%)
  9. Healthcare administrative and management services (4%)
  10. Domestic subsidiaries & acquisitions (4%)
