Cyber breaches wreak havoc on businesses. They can bring companies’ operations to a halt, drain their coffers and erode customer trust. Oftentimes, they aren’t caused by vulnerabilities in victims’ own IT systems, but rather by ones that exist in their digital supply chains.

A recent example of this is when Jaguar Land Rover (JLR) experienced a catastrophic cyber attack that experts at the Cyber Monitoring Centre (CMC) estimate dealt a £1.9bn blow to the wider UK economy. The car maker had to halt production for several weeks, stalling growth in Britain’s automotive industry. It’s believed that the interconnected nature of Jaguar Land Rover’s global IT stack, its integration with operational technologies powering factories and reliance on supply chain systems allowed hackers to work quickly while making it harder for its IT teams to isolate the attack.

Other costly supply chain cyberattacks impacted Marks & Spencer (M&S) and Co-op this year. M&S took a £300 million hit to its profits, while Co-op expects to lose £120 million in full-year earnings. Both incidents led to the retailers experiencing stock shortages, highlighting the operational disruption that hacks can have on businesses. And they were caused by vulnerabilities in a third-party vendor – exploited through social engineering tactics.

With a mixture of supply chain vulnerabilities and poor IT management practices contributing to the JLR, M&S and Co-op cyber attacks, what can businesses do differently to shore up their cyber defences and digital supply chains?

A Domino Effect

Today, businesses rely heavily on an ecosystem of platforms, software, applications and physical technologies – all provided by different vendors – to stay afloat. And when cyber criminals breach one part of it, the fallout is extensive and hard to contain.

“A single compromised dependency doesn’t just trigger a technical outage for a day,” says Tom Finch, engineering leader at container security software provider Chainguard. “It sets off a chain reaction of operational disruption, emergency patching cycles, customer anxiety, and regulatory audits that take weeks and sometimes months to recover from.”

As soon as this chain reaction ignites, different areas of the business – all connected by software – are quickly affected. Pete Hannah, vice president of Western Europe at backup storage provider Object First, explains that a single compromised vendor can result in a ripple effect throughout the victim organisation, detrimentally impacting its “operations, delivery, customer interactions, and financial performance”.

Hannah adds that even the smallest supply chain outages can trigger “production delays, contractual penalties, and customer churn”. And while recovering from this can hit a firm’s finances hard, he believes that the “erosion of trust can be even more lasting”.

Weak Digital Supply Chains

Supply chain attacks have become a frequent source of disruption in today’s business landscape. The reason, according to Pierre Noel, Field CISO EMEA at managed detection and response provider Expel, is the “structural” vulnerabilities that exist throughout digital supply chains.

As businesses rely increasingly on interdependent systems and technologies, Noel says they are weakened by “unknown or poorly validated security postures” that are currently present in all parts of the digital supply chain. He adds that the result is a lack of visibility and accountability, meaning supply chain attacks often go unnoticed for significant periods of time, and no one is quite sure how to deal with them or who is to blame.

This sentiment is echoed by Finch of Chainguard, who describes software supply chains as being “structurally fragile”. He says a “security blind spot” is created by the “interconnectedness” of modern software, which is formed of many different components that are “built and maintained by thousands of people”.

In addition to a weak and fragmented software supply chain, Object First’s Hannah warns that many organisations fail to vet the security of their third-party vendors regularly. At the same time, he says cyber criminals are routinely exploiting “software updates, privileged access, third-party credentials, and configuration drift” as they look for an entryway into supply chains and, of course, enterprises.

He tells IO: “Unless businesses continuously evaluate and test their supply-chain resilience, rather than relying on periodic compliance checks, the same patterns of disruption will continue.”

Good Supplier Management Is Essential

With digital supply chains more vulnerable than ever, it’s become a matter of urgency for businesses to improve their supplier and customer management practices. For Hannah of Object First, this means going beyond supplier contracts and preparing for supply chain attacks “in a coordinated way”.

To do so, he says organisations must work closely with their suppliers on creating and enforcing incident response plans. Simultaneously, roles and responsibilities must be clear so that “recovery is faster and disruption is contained”.

Another expert who sees the benefit of close coordination between businesses and vendors in mitigating supply chain security risks is Chainguard’s Finch. He says that when all stakeholders within the supply chain collaborate on “incident response roles and communication paths”, organisations can respond to attacks with greater speed and precision. He adds: “Together, these practices reduce the scope and uncertainty of incidents long before they become financial or reputational problems.”

Mitigation through improved supplier coordination isn’t the whole picture, though. Firms also need to prepare for the worst outcome of cyber attacks, which is often a breakdown in customer trust. For Noel of Expel, this means “clear accountability, contractual audit for higher-risk suppliers, transparent communication, and coordinated incident response”. He adds: “Customers don’t expect perfection; they expect speed, honesty, and competence.”

Other Changes

Beyond healthy supplier and customer management practices, are any other changes necessary? For Noel of Expel, the answer is a resounding yes – he says organisations must no longer view supply chain security as a one-off exercise. That means replacing “reactive fixes” with “proactive risk governance”, with CISOs working closely with vendors on strengthening digital supply chains.

Agreeing with Noel is Chainguard’s Finch, who says organisations and third-party vendors must view supply chain security as a “shared business responsibility”. This requires business leaders, compliance teams and technologists to break down existing silos and work in tandem so that future software is “faster, smarter, and more collaborative than ever”.

While treating supply chain security as a shared responsibility is vital in mitigating and containing attacks, Chris Binnie – a cloud native security consultant from Edinburgh – urges suppliers to ensure they possess “greater visibility into their own supply chains” before supplying products to enterprise customers.

To mitigate future supply chain attacks, Diane Downie – a senior software architect at application security specialists Black Duck – says organisations should “establish, always follow, and continuously improve best practices”. Making the use of zero-trust architecture a key best practice may also help, suggests Hannah of Object First, by limiting “how far an attacker can move within an environment”.

It’s fair to say that supply chain attacks have become a major headache for both enterprises and their suppliers. But they needn’t be so hard to mitigate, detect and contain; businesses and vendors simply need to make a concerted effort to treat supply chain security as a continuous shared responsibility. In practice, that means having clear plans, processes and responsibilities in place to keep attackers at bay.

Of course, even with the best safeguards in place, there’ll still be instances where attackers manage to breach supply chains. This is where coordinated incident response is essential. And, of course, businesses and their partners need to be transparent with customers about what has happened in order to keep them on side.