Ben Large, Head of Cyber at Cybit, says there is glaring disparity between prevalence and preventative measures, but that AI could be a game-changer
Cybersecurity expert Ben Large, Head of Cyber at one of the country’s leading technology solutions firms, Cybit, says the government’s 2026 cybersecurity survey highlights the gap between supply chain vulnerabilities and the level of preventative measures taken by medium and large firms.
The survey reports that only 15% of companies review immediate suppliers’ cyber risks, and just 6% review wider supply chain cyber risks.
Yet all evidence points to the supply chain being a focal point for cyber-attacks, as highlighted by last year’s attack on Jaguar Land Rover, which halted production for several weeks and resulted in a direct cost to the company of almost £200 million, and cost an estimated £2 billion to the wider UK economy.
Ben Large commented; “It’s no longer enough to keep just your own systems and networks secure. Most organisations rely on connections to their supply chains, so strict access controls and continuous monitoring are now essential.
“Despite three quarters of UK businesses having basic cyber security provision such as password policies, restricted admin rights, and firewalls, the vast majority are neglecting to consider the risks for business continuity when it comes to their supply chain.
“This leaves them not only vulnerable to an attack themselves but also risking business continuity if there is an attack on suppliers, putting a question mark over their whole supply chain resilience.
“Although cyber security is seen as an IT challenge, this makes it a risk factor across the whole business, requiring planning and buy in from a much wider range of departments.”
Recent high-profile attacks through their supply chain network also include Marks & Spencer and the Co-op who suffered highly disruptive attacks that were traced to a shared third-party vendor.
The result of these saw Marks & Spencer take a £300 million profit hit, while the Co-op took a hit of £206 million in lost sales, and £120 million in lost profits.
However, there are actions businesses can take to ensure they are mitigating against either a direct cyber-attack through their supply chain, or disruption due to a cyber-attack within it.
Ben Large explains; “A good starting point would be to mandate that all third parties achieve a minimum recognised certification, such as the government’s Cyber Essentials. This ensures that every supplier has considered, and put in place, measures to protect their business from a cyber-attack.
“Undertaking a risk assessment across your supply chain to assess continuity issues and contingencies can also ensure the impact of an attack on your business will be minimised.”
The use of Multi-Factor Authentication (MFA) is highly recommended where third parties have access to a company’s systems, and GCHQ recently recommended companies should replace passwords with passkeys, which are resistant to phishing as they cannot be intercepted, for user-authentication.
Ben Large continued; “There are now AI tools emerging that can analyse deep into supply chains connections and networks, so a third-party risk management strategy must be put in place that considers every possible entry point to the company’s systems and data.
“These tools go far beyond current antivirus solutions, which rely primarily on identifying threats based on known virus signatures.
“Endpoint Detection and Response provides continuous monitoring and analysis of endpoint activities, but they rely on agents installed on owned systems so may not be suitable for securing third-party networks and systems.
“However, Extended Detection and Response goes beyond this by integrating data from cloud environments, network firewalls, and email gateways, opening up the possibility of extending security boundaries.”
Ben Large adds that Managed Detection and Response (MDR) currently offers the most complete solution, noting; “MDR deals with a broader range of cybersecurity challenges, incorporating behavioural analysis and real-time intervention.
“When combined with advanced AI, MDR identifies and deals with risks associated with privilege abuse, account takeovers, and insider threats.”
The risk of a cyber-attack is real. Overall, 43% of businesses (about 612,000) and 28% of charities (about 57,000) reported having experienced any kind of cyber security breach or attack in the last 12 months, which is on par with the previous year.
But when you add into the mix the impact of a cyber-attack within your supply chain then the chance of that affecting your business in the next 12 months is significantly higher.
Ben Large concludes; “Based on this survey, and what we are hearing from our clients, there is a growing need to take a more holistic approach to cyber security, engaging c-suite and logistics departments to ensure supply chain threats are understood and acted upon.
“Business owners also need to know that it is a legal requirement to report a breach to the Information Commissioner’s Office, when for example, personal data has been stolen.”
For more information on Cybit, please visit https://cybit.com/.
