Supply chain cyber attacks: The new frontline in corporate risk

By Alex Rolfe, Cyber Crime

Cyber attacks are increasingly exploiting the weakest points in corporate supply chains, making third-party vendors a prime route into some of the world’s largest organisations.

Once a marginal concern, these indirect attacks have doubled in frequency over the past year, highlighting how supply chain cyber security has become a central risk for both governments and businesses.

Fresh data from Verizon’s 2025 Data Breach Investigations Report reveals that almost 30 per cent of cyber attacks in 2024 originated through third-party suppliers, up from 15 per cent in 2023.

The scale of this shift is underscored by recent breaches affecting high-profile institutions: Marks & Spencer suffered disruption after a contractor was compromised, while the UK’s NHS England was hit via Synnovis, its pathology services partner.

Logic for Cyber Criminals

The logic for cyber criminals is clear.

By infiltrating a supplier with access to multiple clients, gangs can secure what Tim Erridge of Palo Alto Networks describes as a “many for one return on investment.”

A single weak link can therefore provide a gateway into a vast array of top-tier companies.

The trend is not limited to ransomware gangs. Research from Google’s Threat Intelligence Group indicates that state-backed groups — particularly from North Korea — are now adopting supply chain infiltration as a primary tactic.

Jamie Collier, the group’s lead adviser in Europe, warned that these attacks are increasing “in both volume and sophistication,” raising the stakes for international security as well as corporate resilience.

For Payments Companies

For payments companies and financial institutions, the implications are profound.

Their networks are deeply interwoven with software providers, customer service firms, and AI-driven solutions — all of which could provide an entry point for malicious actors.

Nathaniel Jones of Darktrace noted that attackers are actively probing the “soft underbelly” of corporate ecosystems, exploiting suppliers to move upstream into more secure environments.

Regulators are responding, though unevenly.

The EU’s NIS2 directive, introduced in 2023, obliges operators in critical sectors such as energy, transport and banking to manage cyber risks across their supply chains.

In the UK, a new Cyber Security and Resilience Bill is expected to extend oversight to managed service providers. By contrast, the US has taken a lighter-touch approach, though suppliers to federal agencies have been required to tighten their safeguards.

As supply chain attacks become more opportunistic, collateral victims may increasingly find themselves targeted simply because they are connected to a more secure partner.

For businesses — especially those in the payments sector — the message is unambiguous: cyber defence is only as strong as the weakest supplier.
