Cyber risks in your supply chain – where is your weakest link?

Adidas, The North Face, Cartier and Victoria's Secret are the most recent names to join the ranks of retailers – Marks & Spencer, Harrods, and the Co-op – to be hit by cyber attacks in recent months. Rich in customer data, with significant resources and a strong reputation to protect, a large retailer is an attractive target for cyber criminals. Complex digital supply chains also increase the potential entry points for attackers: the attacks on Adidas and Marks & Spencer emanated from supply chain vulnerabilities. For businesses in the retail sector (and beyond) that are sensibly reviewing and reinforcing their cyber readiness plans, these recent attacks demonstrate the importance of managing cyber risks across your supply chain – from cloud service providers, POS system providers, app suppliers, to IT and customer service helpdesks. Here are 5 tips to help.

Now Reading

Map your supply chain

According to the UK Government's cyber security breaches survey 2025 ("2025 Survey"), 45% of large businesses reviewed the cyber security risks posed by their immediate suppliers (in comparison to 21% of small businesses). This is a drop from 55% in 2023. Only 25% reviewed the risks of their wider supply chain.

Cyber threats from outside your organisation are likely to be more difficult to detect and control. Knowing who your direct and indirect suppliers are, what they provide, how they provide it, and what data they hold and have access to will help you to identify which are your critical providers and better manage the cyber security threats to your business. Mapping your supply chain will also help you to determine what measures can easily be enforced via contracts and put you in a position to respond more rapidly to supply chain related cyber incidents and regulatory requirements. The National Cyber Security Centre (NCSC) has provided guidance on mapping your supply chain.

Carry out supply chain due diligence

You will need to assess whether your suppliers have an appropriate level of cyber resilience and data hygiene – if personal data are being processed by the supplier, conducting due diligence is a legal requirement under UK GDPR. Your suppliers should complete a security questionnaire, which your security and procurement personnel need to be trained to fully assess, so that vulnerabilities can be addressed. If your systems are to be integrated with a supplier's, how easily can a threat be contained? How regularly are systems checked for vulnerabilities and what is the back-up plan if those systems are compromised?

Human error

Human error is cited time and again as the primary cause of cyber security breaches, with phishing remaining the most prevalent type of attack. Marks & Spencer confirmed that the attack on their systems was a consequence of human error within their supply chain. Just as you train your staff on the range of cyber incidents that can arise and include steps to limit human error and technological issues, check whether your suppliers do the same.

It may be appropriate for suppliers to provide independent third-party assessments, audits, or certifications depending on your requirements and the level of risk.

Ensure your contract (and subcontracting) terms protect your data and systems

In addition to compliance with law and data protection provisions, contracts with your suppliers should include (according to the risk profile):

commitments to minimum security measures, security SLAs and maintenance of security accreditations
obligations to maintain disaster recovery and business continuity plans
rights to carry out audits on businesses in the supply chain to test resilience, including, where appropriate, penetration testing (there are alternative oversight options, e.g. for cloud services providers)

cyber incident reporting, cooperation and response requirements, including timeframes
exit strategies with obligations to delete and return data on termination
provisions to allocate risk and cost for cyber incidents and data breaches and set requirements for cyber insurance.

To help manage your wider supply chain, there must be appropriate controls over subcontracting, including, where necessary, mandatory flow-down of contractual requirements.

…but don't stop there

Due diligence is not a one-off, pre-contract exercise and contracts should be actively managed and, where necessary, enforced throughout the relationship. Audits, governance and reporting must be exercised, and business continuity and disaster recovery tested, regularly, not just when things go wrong. Measures to prevent any unauthorised or unintended access to your information and systems, and any unnecessary sharing of data, must be policed and changes to systems and data flows should be tracked and recorded. At the end of the relationship, the supplier should confirm that data has been deleted in line with the contract.

Make supply chain risks part of your cyber readiness planning

Having in place and testing a Cyber Incident Response Plan is crucial, but do you have a clear understanding of how your suppliers' processes and incident response plans, particularly their contingency and communication plans for when a critical incident impacts multiple customers, fit with your organisation's plans?

In our Mitigating a Data Breach: Insider Threats podcast series, we discussed the importance of "war-gaming" your cyber incident response plans. As part of that exercise, it is important to practise how you would respond if a data breach originated at a key supplier, or if cyber criminals gained access to your systems through your supply chain. This will help you establish how your response plans hold up, what information you will need from your suppliers and that your response team understand their roles and steps they should be taking. For key suppliers, consider involving them in your planning and training.

Look to available guidance and regulatory requirements

New cyber legislation and legislative proposals, both in the UK and the EU, and existing international standards, such as ISO 270001:2022, focus on management of supply chain cyber risk. New cyber legislation generally targets financial services, critical national infrastructure or essential services, rather than the retail sector (apart from the EU's NIS2 Directive, which applies directly to EU-based online marketplaces and retailers involved in food production, processing and distribution over a certain size threshold). However, new obligations in respect of cyber resilience either already apply (under NIS2) or will soon apply (pursuant to the UK's forthcoming Cyber Security and Resilience Bill) to IT managed service providers. These legislation-backed minimum standards should help protect against cyber criminals leveraging managed services to gain access to retail sector clients.

What are other sectors doing?

It is helpful to understand what lessons have been learned, and measures taken, in other sectors which are popular targets for cyber criminals, like financial services, which treat cyber security as a higher priority than businesses overall. In the 2025 Survey, 97% of respondents from the finance and insurance sectors said cyber security was a "high priority", contrasted with businesses in the retail or wholesale sector, 44% of which said it was a "low priority" (compared with 27% of businesses overall).

According to the 2025 Survey, there has been a drop in large businesses seeking external information or guidance on cyber security (51%, down from 67% in 2024). There is a broad range of guidance and codes of practice out there, e.g., DSIT's new Cyber Governance Code of Practice (April 2025) designed to support boards and directors with governing cyber security risks, as well as NCSC's 12-principle-based Supply chain security guidance, Cyber Essentials and its blog setting out technical recommendations following the most recent attacks on the retail sector. The Government's diagram below shows how the various cyber codes of practice (or similar) apply:

From a data protection perspective, in addition to general data breach guidance, the ICO in its blog, "Learning from the mistakes of others", comments specifically on supply chain attacks.

The ICO has also recently demonstrated that it will take direct enforcement action in relation to supply chain vulnerabilities, fining Advanced Computer Software Group £3.07m following a ransomware attack for security failings, including gaps in multi-factor authentication – the first data processor to be fined by the ICO.

As at the time of writing (June 2025), Marks & Spencer continues to count the cost of the recent attack – it estimates that it will hit this year's profits by around £300m. For all sectors, especially retail, it is a stark reminder that even large, security-conscious companies are susceptible to vulnerabilities arising from compromised external partners. Supply chain attack preparedness and incident response integration should be treated as board level priorities to limit the significant business disruption, cost and impact on customer confidence which these incidents can entail.

Read Louisa Chambers Profile