The UK's approach to supply chain security has reached a critical juncture, with new NCSC statistics revealing that 86% of British businesses fail to adequately review their suppliers' cybersecurity posture. This oversight comes as supply chain attacks have surged 50% and now account for 10.6% of all cyber threats, according to reporting from Paul Reynolds. Supply chain security involves the protection of digital assets and processes across an organisation's network of vendors, suppliers, and third-party service providers.
Key Facts:
- Only 14% of UK businesses conduct proper supplier security reviews
- Supply chain attacks increased by 50% and represent 10.6% of all cyber threats
- Manufacturing firms experienced a 58% increase in targeted attacks
- Ransomware groups are increasingly pivoting to target critical suppliers
Why Are Manufacturing Firms Under Siege?
Manufacturing organisations have become prime targets for cybercriminals, experiencing a staggering 58% increase in attacks as ransomware groups deliberately pivot towards critical suppliers. These firms often maintain legacy systems with limited security controls whilst serving as essential links in broader supply chains. Their operational technology environments frequently lack the robust cybersecurity frameworks found in financial services or healthcare, making them attractive entry points for attackers seeking to compromise multiple downstream organisations. The convergence of IT and OT systems in modern manufacturing has expanded the attack surface significantly, particularly as Industry 4.0 initiatives increase connectivity.
The Domino Effect of Supplier Compromises
When cybercriminals compromise a supplier, they gain potential access to every customer in that supplier's network. This multiplication effect explains why ransomware operators increasingly target managed service providers, software vendors, and critical component manufacturers rather than end-user organisations directly. A single compromised supplier can provide attackers with legitimate credentials, trusted network access, and detailed knowledge of customer environments. The UK's Cyber Resilience Bill will mirror NIS2 in recognising this interconnected risk, mandating stronger supply chain security requirements across critical sectors.
How Should Boards Respond to Supply Chain Blindness?
The NCSC's findings demand immediate board-level attention to supplier risk management. Organisations must implement formal third-party risk assessment programmes that evaluate cybersecurity controls before contract signing and continuously monitor supplier security posture throughout the relationship. This includes requiring suppliers to maintain certifications like Cyber Essentials Plus or ISO 27001, conducting regular security questionnaires, and establishing incident response procedures that account for supplier breaches. Finance directors should budget for supply chain security assessments as a standard procurement cost, whilst IT leaders must integrate supplier security monitoring into their broader threat detection programmes.
What This Means for UK Business Resilience
The current supply chain security gap represents a systemic weakness in UK business resilience that regulators and threat actors have both recognised. As the Cyber Resilience Bill progresses through Parliament, organisations that proactively address supplier security will find themselves better positioned for compliance and genuinely more secure. The manufacturing sector's vulnerability highlights how operational technology security can no longer be treated as separate from enterprise cybersecurity. Boards must recognise that their organisation's security is only as strong as their weakest supplier link, making third-party risk management a strategic imperative rather than a technical afterthought.