Half of Enterprises Experience Two Supply Chain Incidents Within the Last Year
Nearly half (46%) of organizations experienced at least two cybersecurity incidents in their supply chain over the past year, as indicated by new research presented at Infosecurity Europe 2025. This finding underscores the growing concern regarding supply chain cyber incidents, with 90% of UK respondents identifying them as a top priority for 2025.
Despite the heightened concern over these incidents, many organizations lack confidence in their current approaches to third-party risk management (TPRM), with only 37% of respondents considering them very effective. A significant factor contributing to this ineffectiveness is inadequate communication among stakeholders: 54% of TPRM functions report infrequent collaboration in identifying systemic risks across the supply chain.
The research also highlights stark differences in supply chain security capabilities among various sectors. For example, while 48% of respondents from the legal sector reported full visibility into all tiers of their supply chain, only 14% of respondents from other sectors reported the same level of insight.
Haydn Brooks, CEO of Risk Ledger, characterized the current state of TPRM as “fundamentally broken.” He emphasized that the recent wave of cyber-attacks showcases the vulnerability of supply chains. “Compliance-led box ticking isn’t enough anymore. Security teams remain in a reactive stance, while attackers continuously evolve. To truly secure the entirety of the supply chain, a fundamental reassessment of our approaches is necessary; otherwise, we are merely playing a game of whack-a-mole,” he stated.
Recent incidents, such as a ransomware attack on UK retailer Marks & Spencer, reportedly originating from a software supplier, illustrate these vulnerabilities. An internal investigation by IT firm Tata Consultancy Services is underway to ascertain its role in the breach.
Impact of UK Cyber Security and Resilience Law
The impending implementation of the UK government’s Cyber Security and Resilience Bill, which emphasizes supply chain security, represents a critical development. This legislation is expected to mirror the EU’s Network and Information Systems Directive 2 (NIS2) by broadening its scope to include other types of digital service providers, stressing the importance of cyber management within supply chains.
In light of this research, respondents have made several recommendations for the government, including:
– Increased focus on identifying systemic risks and assigning accountability (50%).
– Expanded regulatory powers for compliance enforcement (46%).
– Incentives and mandates for cross-industry collaboration and information sharing (41%).
This research surveyed 500 UK respondents involved in their organizations’ third-party and supply chain risk management or cybersecurity initiatives.