Maintaining a Strong IT Security Posture: Don’t Overlook Your Supply Chain

In today’s hyper-connected business landscape, your organisation’s security is only as strong as its weakest link – and increasingly, that link lies in your supply chain.

As an IT security professional, I’ve witnessed firsthand how rapidly evolving threats and subtle vulnerabilities compromise even the most mature environments. While many companies are rightly focused on hardening their defences — deploying endpoint protection, managing patches, and investing in threat detection — they often neglect a critical area: the security of their third-party suppliers and partners.

The Foundations of a Good Security Posture

A robust security posture means more than just having the latest tools in place. It’s about establishing a culture of continuous risk assessment, readiness, and resilience. This includes regular penetration testing, strong identity and access management, proper logging and monitoring, employee awareness training, and a well-practised incident response plan.

But even with all of these in place, the threat landscape doesn’t end at your organisation’s firewall.

Don’t forget, your supply chain IS part of your Attack Surface

Modern organisations rely on a vast web of service providers – from cloud hosting platforms to HR systems, managed service providers, and specialist consultants. These partners often have access to your systems or data and play a critical role in your operations.

This interconnectedness introduces a significant risk. A vulnerability in one of your suppliers’ systems could lead to a breach in yours. We’ve seen this time and again – from high-profile cases like SolarWinds, to smaller, less-publicised incidents affecting SMEs and charities alike.

Third-Party Risk Isn’t Just a Big Business Problem

It’s a common misconception that supply chain risk is only a concern for large enterprises. In reality, attackers are increasingly targeting smaller suppliers to penetrate larger networks. If you’re part of a supply chain, you are a potential vector, and equally, your suppliers are a potential threat to your business.

In the UK, the NCSC has repeatedly emphasised the importance of assessing third-party risk and securing your supply chain. It’s not just about due diligence when selecting a vendor — it’s about ongoing assurance.

Practical Steps You Can Take

To maintain a good IT security posture and protect your organisation from third-party risks, consider the following steps:

Review regularly – Don’t let supplier security checks be a one-off. Review supplier security at regular intervals, and again whenever the risk changes (for example, a new integration, a change of sub-contractor, or a reported incident).

Conduct regular supplier risk assessments – Review the security controls of critical suppliers, especially those handling sensitive data or with network access.

Build security into contracts – Include security requirements in your supplier agreements, such as breach notification clauses, audit rights, and minimum standards.

Request evidence – Ask suppliers to provide certifications (e.g., Cyber Essentials, ISO 27001), recent pen test reports, or summaries of their incident response capabilities.

Segment access – Limit third-party access using the principle of least privilege and monitor all external connections.

The High Cost of Compromise: Lessons from the M&S Cyberattack

The recent cyberattack on Marks & Spencer (M&S) and other retailers serves as a stark reminder of the potential costs and operational disruptions, including the suspension of online orders and empty store shelves.

Financially, M&S estimated a £300 million reduction in operating profits due to the attack, with daily revenue losses from suspended online sales around £3.8 million. The company’s market value also suffered, with over £700 million wiped out in the days following the breach.

Beyond the immediate financial impact, M&S faced reputational damage and regulatory scrutiny. The UK’s Information Commissioner’s Office launched an investigation into the breach, which could result in substantial fines if data protection failures are identified.

This incident underscores the critical importance of securing your own systems and ensuring that your suppliers adhere to robust cybersecurity practices.

A Shared Responsibility

Ultimately, good security isn’t just a technical issue – it’s a business imperative. Ensuring your organisation and your supply chain are secure is part of protecting your clients, your reputation, and your operational continuity.

In our interconnected world, resilience depends not just on our vigilance but also on the vigilance of those we choose to work with. Now is the time to treat third-party security with the seriousness it demands – before an attacker does it for you.