What do Marks & Spencer and Jaguar Land Rover (JLR) have in common? They both suffered significant ransomware breaches this year after threat actors targeted suppliers. In the case of M&S, it’s thought to have been a Tata contractor’s laptop. For JLR, it was an infostealer that targeted an LG Electronics employee with access to the carmaker’s network.
Both highlight the growing threat posed to organisations by often opaque and brittle supply chain dependencies. The challenge will arguably only intensify as a new global trade war forces firms to rapidly rearchitect supply chains, with little time for vetting new partners. As new research reveals, there’s plenty to put right.
A Problem in Two Parts
According to the World Economic Forum (WEF), over half (54%) of global organisations identify supply chain challenges as their biggest barrier to achieving cyber resilience. “The increasing complexity of supply chains, coupled with a lack of visibility and oversight into the security levels of suppliers, has emerged as the leading cybersecurity risk for organisations,” its report notes.
The supply chain security challenge comes in two parts:
- Software that introduces malware or vulnerabilities to trusted environments. Open source components are particularly culpable here, as they’re often not properly documented, leading to security incidents like Log4Shell. But they’re not the only risk. Proprietary software like MOVEit and GoAnywhere has also been targeted with zero-day exploits in the past, for large-scale data theft and extortion campaigns, impacting millions of downstream customers.
- A compromised supply chain partner – such as an MSP, a SaaS provider or a professional services firm – could create significant security risks. Adversaries may be able to access an organisation’s data directly, if stored by the partner, or gain logins to the organisation’s network/cloud accounts via the supplier. They could also target suppliers with ransomware, which can have a devastating impact on the entire supply chain, as per the Synnovis NHS attack.
Unfortunately, two recently published reports highlight the enduring challenges of mitigating supply chain risk. A LevelBlue study finds that, of organisations that say they have “very low visibility” into the software supply chain, 80% suffered a security breach in the past 12 months. That’s compared to just 6% that claim to have “very high visibility.”
Separately, Risk Ledger reports that nearly half (46%) of UK organisations have experienced at least two cybersecurity incidents in their supply chain over the past year. Its report also reveals that 90% of respondents view supply chain cyber incidents as a top concern for 2025, and only two-fifths (37%) describe their third-party risk management as “very effective”.
Regulators Want Action
According to LevelBlue, CEOs tend to be more concerned about supply chain risk than their C-suite peers, with 40% citing it as the biggest security risk in the organisation versus far fewer CIOs (29%) and CTOs (27%). That will presumably mean extra pressure from above on CISOs and their teams. But the truth is they’re already under extreme pressure to comply with a new slew of regulations that target supplier risk. These include:
- DORA: Among other things, DORA mandates that financial entities manage third-party IT supplier risk as an embedded part of overall IT risk management, overseen by the board. They must also maintain a detailed, updated register of information on all contracts with these suppliers and carry out thorough due diligence on new suppliers.
- NIS 2: Requires all in-scope organisations to have supply chain risk management policies in place and to assess “vulnerabilities specific to each direct supplier and service provider”. Senior directors and executives are directly accountable for overseeing this.
- Cyber Security and Resilience Bill: The UK’s update to NIS will demand that regulated organisations assess and strengthen supplier relationships, implement robust third-party risk management, and write security expectations into contracts, among other things.
Taking Action
LevelBlue chief evangelist, Theresa Lanowitz, argues that, when it comes to the software supply chain, visibility must take priority – “especially as supply chains grow in size and complexity, and organisations adopt more AI-powered solutions”.
She tells ISMS.online: “CISOs should focus on four key actions: leverage C-suite awareness to secure resources, align internally to identify top vulnerabilities, invest in proactive security measures, and regularly assess supplier cybersecurity practices. This balanced, proactive approach will strengthen visibility, preparedness, and accountability across the supply chain.”
Risk Ledger’s chief cybersecurity strategist, Justin Kuruvilla, tells ISMS.online that organisations must adopt an “assume breach” mindset and architect their security infrastructure to contain and limit any malicious activity.
“Gaining visibility into third-, fourth-, and even nth-party relationships is therefore essential. This broader view helps security leaders build a more accurate understanding of their exposure and prioritise mitigation efforts where they matter most,” he adds.
Kuruvilla argues that software supply chains demand particular scrutiny, given the potential impact of vulnerabilities in widely used code.
“Organisations should expect suppliers to adopt secure development practices aligned with industry-recognised frameworks,” he adds. “The degree of due diligence may vary depending on the supplier’s criticality and the organisation’s risk appetite. But it should include elements of secure software development such as CI/CD practices, vulnerability management, and the provision of a Software Bill of Materials (SBoM).”
How ISO 27001 Can Help
LevelBlue’s Lanowitz argues that best practice standards like ISO 27001 can provide a useful foundation on which to build better supply chain security.
“As organisations struggle with fragmented risk visibility and inconsistent practices, ISO 27001 can help unify and simplify compliance efforts across regions and sectors. Leveraging the standard, CISOs can follow a structured approach to risk management and continuous improvement,” she adds.
“With many regulations sharing the same core best practices – including risk assessments, access control, supplier vetting, and incident response planning – implementing ISO 27001 can also reduce compliance redundancy.”
Risk Ledger’s Kuruvilla agrees, although he cautions against “tick box” compliance.
Instead, organisations that prioritise a robust, risk-based approach to managing cyber risks typically achieve compliance as a natural outcome, he concludes.