In 2025, the biggest names in British business have been making the news for cybersecurity reasons.
From M&S to the Co-op and Harrods, this year has shown just how connected and exposed British organizations have become.
For example, when Jaguar Land Rover’s production line was shut down at the end of August, the cause was not a spare parts shortage or a logistics bottleneck, but a cyber breach.
Weeks later, European airports suffered major disruptions after attackers compromised Collins Aerospace’s MUSE software, a key platform that allows airlines to share check-in counters and boarding gates.
This shows that the threat is real, growing and already deeply entrenched: companies that do nothing now risk being the next to be driven into bankruptcy.
The warning signs were there all along.
In 2021, Gartner warned that by 2025, nearly half (45%) of businesses will be victims of a software supply chain attack. The latest data shows that the forecasts were quite conservative. According to IO’s 2025 State of Information Security Report, 61% of organizations have experienced a supply chain breach in the past 12 months.
Almost a third of these incidents resulted in business interruption or financial loss. And six in ten security leaders now describe the risks posed by third parties and supply chain partners as “numerous and unmanageable.”
Why attackers abuse smaller vendors
Modern organizations depend on a complex network of connected systems, cloud platforms and third-party providers. Sensitive data now flows continuously between external partners: from marketing agencies and logistics companies to data processors and SaaS providers. Each link in this chain is a potential entry point.
As a result, threat actors have realized that small vendors can be the weakest link. The cyber attack in October against the retailer Mango clearly shows this. The attackers did not steal customer data directly from Mango, but from one of its third-party marketing providers.
This “island-hopping” approach is now common practice among cybercriminals. Smaller partners often lack the resources or experience to defend themselves, making them an easy path into larger, better-protected networks. Their limited budgets, small security teams and less formal risk processes also make oversight much more difficult.
Overconfidence is the greatest threat of all.
Even as attackers continue to evolve, many organizations continue to underestimate their vulnerability. Many cybersecurity leaders are confident in their ability to respond to security breaches.
This confidence is often based on previous investments in security infrastructure and the existence of formal response plans.
But confidence doesn’t always equal skill. In practice, many organizations still struggle to understand large vendor ecosystems, fragmented data streams, and legacy systems that cannot adapt quickly enough to modern threats.
The supply chain threat in particular remains in the background. Only 23% of respondents cited supply chain compromise as one of their top threats, ranking it behind AI abuse, disinformation and phishing.
This gap suggests that many managers are focusing on the most visible risks rather than the subtle systemic vulnerabilities in their supplier networks.
This creates a dangerous gap between perception and reality. As we have discovered, the reality is that most large-scale breaches are not the result of direct attacks, but rather infiltration by trusted partners, where detection, accountability and response are exponentially more complex.
Attackers exploit the “trust blind spot,” where companies assume their vendors have adequate defenses in place, only to discover too late that a single weak credential, outdated API, or insecure file transfer server has exposed their systems.
This shows that companies are caught between awareness and action. They understand that supply chain risks exist, but many still treat them as a compliance checkbox rather than a board-level priority.
Unless these attitudes change, the gap between confidence in cybersecurity and actual preparedness will continue to widen. And attackers will continue to take full advantage.
Building resilience: three steps UK businesses should prioritize
The UK government has already recognized the national impact of supply chain risks, and MI5 and the National Cyber Security Centre (NCSC) have made it a strategic priority.
But as the latest wave of attacks shows, many companies are not sufficiently prepared. With this in mind, three priorities can make a measurable difference to companies and help them prepare.
- Integrate security into partnership agreements. Cybersecurity should be a matter of contract, not an afterthought. Clearly defined expectations, responsibilities and obligations in supplier agreements help ensure that partners maintain appropriate security controls throughout the relationship.
- Conduct continuous evaluations and audits. An initial due-diligence check is not enough. Continuous monitoring, periodic audits and reassessment of third-party risk profiles are essential to ensure that security practices do not deteriorate over time.
- Strengthen your own defenses first. Before demanding higher standards from suppliers, companies should ensure that their own information security frameworks are robust. Regular internal audits, simulated incident exercises and adherence to recognized standards such as Cyber Essentials and ISO 27001 help ensure resilience at all levels.
Working with a qualified cybersecurity partner can also streamline this process and provide the independent assurance needed to uncover hidden vulnerabilities.
The bottom line
The cyber incidents that crippled Britain’s best-known brands in 2025 highlight a long-standing truth: the supply chain is now at the forefront of cyber security.
Businesses can no longer view third-party risk as a secondary priority. As attacks accelerate and interdependence increases, proactive and continuous management is the only viable defense.
