Firms tighten supplier cyber defenses after third-party breaches

Breaches at suppliers including DXS International and a Marks & Spencer contractor, and data showing 30% of breaches involve third parties, have prompted tighter UK and EU supplier-security rules.

Firms are increasing cybersecurity checks on suppliers after a series of vendor breaches and new figures showing third parties were involved in about 30% of breaches last year. Regulators in the UK and EU now expect companies to map, monitor and report supplier risks.

A major breach analysis found third-party involvement in 30% of incidents, roughly double the prior year. A separate survey reported more than 70% of organizations experienced at least one material third-party cybersecurity incident in the past year, and 5% experienced ten or more. Recent attacks on an NHS supplier, DXS International, and a May 2025 breach traced to social engineering of a Marks & Spencer contractor highlighted the risk.

Security specialists say attackers target suppliers because they often have trusted access but weaker defenses. Nathan Davies-Webb, principal consultant at Acumen Cyber, described suppliers as “a shortcut into larger organizations” and warned that supplier access can be “over privileged, poorly monitored or not regularly reviewed.” Richard LaTulip, field CISO at Recorded Future, characterized suppliers as “the path of least resistance” due to lower staffing, budget and security maturity compared with large customers.

Many organizations lack visibility across multi-tier supply chains, which increases risk when fourth- and fifth-party relationships are considered. Nicola Taylor, chief operating officer at ScotlandIS, noted that global scale and interdependence make it harder to track vulnerabilities and enforce standards consistently. Pierre Noel, field CISO at Expel, said governance approaches have not kept up with threats and that many organizations respond only after incidents occur.

New and proposed rules require tighter oversight. The UK Cyber Security and Resilience Bill and the EU Cyber Resilience Act require firms to demonstrate oversight of supplier security, including mapping dependencies and enforcing standards. The Cyber Resilience Act requires a Software Bill of Materials and mandates reporting of actively exploited vulnerabilities within 24 hours. Other EU rules, including NIS2, add further obligations for organizations operating in the bloc. Ivan Milenkovic, vice president risk technology EMEA at Qualys, described the transparency required by the Cyber Resilience Act as “unprecedented.”

Industry experts recommend concrete steps. Chris Brown, SVP and UK market leader at NCC Group, urged firms to map suppliers across all tiers to uncover hidden dependencies. Nicola Taylor recommended using procurement to require evidence-based security assurance, patching and access-control obligations, and incident-response responsibilities in contracts. Harry Mason, head of client services at Mason Infotech, said basic controls such as Cyber Essentials certification, strong password policies and multi-factor authentication should be mandatory.

Firms are also advised to stress-test supplier arrangements through scenario planning and continuous monitoring. Nathan Davies-Webb suggested treating suppliers as an extension of the enterprise environment, identifying high-risk vendors by level of access and data sensitivity and placing them in a tiered risk model. Buyers of services must scale oversight across hundreds or thousands of vendors, while suppliers need to show security controls and rapid reporting to meet regulator expectations.
