
Why frontline cybersecurity must be a strategic imperative for supply chains

By Shankar Haridas, Head of UKI, ManageEngine

In 2025, high-profile, damaging cyber breaches demonstrated how attackers are successfully exploiting security vulnerabilities in supply chains. In fact, 43% of all UK businesses suffered a cyber-attack over the last year, including Jaguar Land Rover, which is still facing the fallout, and the retailers M&S and Co-op.

Yet only 14% of firms are on top of the potential risks posed by their immediate suppliers. And attackers are finding new ways in, using new technologies to exploit weak links in digital supply chains, manipulate identity systems, and infiltrate through trusted vendors.

It’s clear that traditional frontline defences are no longer enough. The onus is now on UK businesses to build a robust security strategy that can stand up in the age of AI-enabled attacks. The growing vulnerability of major businesses to cyberthreats shows why frontline cyber security is a strategic imperative.

The current state of play  

Businesses should be moving to ensure that their security strategy is up to date and effective. That’s easier said than done, especially when businesses’ data is constantly on the move and often routed between any number of external partners and trusted third-party relationships.

Assessing and understanding risk is the first step to building an effective security strategy. For instance, sophisticated attackers often choose to target a less-secure partner, supplier or seller. This might include mass campaigns of phishing and malware attacks to grab low-hanging fruit, such as organisations with no security framework that provide a way in.

Having gained access to a trusted partner’s systems, attackers then move to infiltrate other organisations upstream or downstream. This can lead to the exfiltration and leaking of sensitive data by attackers who exploit the unwarranted privileges granted to that partner.

And attackers don’t stay still: their methods are constantly evolving. Using artificial intelligence, they can create sophisticated phishing emails and deepfakes, often moving faster than many businesses’ governance processes and controls.

For instance, we’re witnessing the emergence of device-code phishing attacks, which abuse the device code flow (an authentication flow designed to sign IoT and other input-constrained devices into user accounts) to obtain access to a user’s account while bypassing MFA and similar security methods. Many of these devices were never designed for secure authentication, making them easy entry points for attackers.
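One defensive response to the device-code flow described above is to hunt for its use in sign-in logs. The following is an added example, not code from the article or from ManageEngine: it runs two simple heuristics over constructed newline-delimited JSON audit records. The field names (user, grant_type, token_client_ip, approval_ip, result) are assumptions about what an identity provider exports; the grant_type value for the device flow is the identifier defined in RFC 8628.

```python
"""Flag suspicious device-code-flow sign-ins in an authentication log.

Added example; the log lines below are constructed and the field names
are assumptions about what an identity provider's audit log exposes.
"""
import json

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628

# Constructed sample: one JSON record per line, as an audit export might give.
SAMPLE_LOG = """\
{"ts": "2025-06-01T08:01:10Z", "user": "alice@example.test", "grant_type": "authorization_code", "token_client_ip": "203.0.113.10", "result": "success"}
{"ts": "2025-06-01T08:02:44Z", "user": "bob@example.test", "grant_type": "urn:ietf:params:oauth:grant-type:device_code", "token_client_ip": "198.51.100.7", "approval_ip": "203.0.113.22", "result": "success"}
{"ts": "2025-06-01T08:03:01Z", "user": "meeting-room-tv@example.test", "grant_type": "urn:ietf:params:oauth:grant-type:device_code", "token_client_ip": "203.0.113.40", "approval_ip": "203.0.113.40", "result": "success"}
{"ts": "2025-06-01T08:05:19Z", "user": "bob@example.test", "grant_type": "refresh_token", "token_client_ip": "198.51.100.7", "result": "success"}
"""

# Accounts expected to use the device flow (shared-screen devices, for example); assumed.
EXPECTED_DEVICE_FLOW_USERS = frozenset({"meeting-room-tv@example.test"})


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_device_code_grants(events, expected_users=EXPECTED_DEVICE_FLOW_USERS):
    """Return findings for successful device-code token grants that look anomalous.

    Two heuristics are applied:
      1. the account is not one that normally signs in from an input-constrained device;
      2. the user code was approved from a different address than the client polling
         for the token, the pattern of a phished code: the user approves in their own
         browser while a client elsewhere collects the token.
    Heuristic 2 also fires for a legitimate TV approved from a phone on mobile data,
    so treat findings as triage leads, not verdicts.
    """
    findings = []
    for ev in events:
        if ev.get("grant_type") != DEVICE_CODE_GRANT or ev.get("result") != "success":
            continue
        reasons = []
        if ev.get("user") not in expected_users:
            reasons.append("device flow used by an account not expected to use it")
        approval_ip = ev.get("approval_ip")
        if approval_ip and approval_ip != ev.get("token_client_ip"):
            reasons.append("code approved from a different address than the polling client")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_grants(parse_log(SAMPLE_LOG)):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

Against the constructed sample, only the grant for bob is flagged: the meeting-room account is on the expected list and its approval and polling addresses match. Tuning the expected-user list to the devices an organisation actually deploys is what keeps the rule useful.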

Embedding security at every level 

No organisation can close every gap; there’s no such thing as an indestructible cybersecurity policy. But organisations have the best possible chance to stay ahead of attackers by adopting a security posture rigorous enough to counter the all-pervasive scale of these threats.

This means security can no longer be seen as an insurance policy or a ‘nice-to-have’. Instead, it must be embedded as a core strategic priority, and organisations should start by making cybersecurity a board-level priority.

Cybersecurity shouldn’t be farmed out to a siloed IT team and then forgotten about. It needs to be front of mind for every team, championed by the C-suite, and built into every new partnership, supplier relationship, hardware deployment, and back-end system change.

Achieving this is a complex, ongoing process that needs buy-in at the highest levels, and in every part of the business. Rigorous vendor risk management, penetration testing, and continuous development are all part of an organisation’s defences to make the supply chain secure.

Businesses should also adopt a security posture that gives them the best possible chance to stay a step ahead of the attackers. That’s why it’s important to establish stringent security mechanisms and embed a process of continuous monitoring, auditing, and updating of your systems and policies.

And, as artificial intelligence supercharges the abilities of would-be hackers, traditional methods will no longer be enough to counteract them. This means security needs to be watertight wherever sensitive data is accessed, and defences must constantly evolve to keep pace with the rise of AI-enabled attacks.

Practical next steps 

To create this new environment, raising employee awareness will be crucial. Regular employee training, phishing simulations, and incident response exercises can help to promote a security-first culture. Meanwhile, communicating wins, sharing lessons from incidents, and rewarding secure behaviour help reinforce positive habits and accountability. 

But training employees to spot phishing email scams isn’t enough: organisations must implement phishing-resistant MFA, such as biometrics, hardware security keys and passkeys, to provide the level of protection needed in this AI era.
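What makes passkeys and hardware security keys phishing-resistant is that the browser, not the web page, records the origin that invoked the WebAuthn API, and the relying party rejects any response whose origin is not its own. The following is an added example, not code from the article or from ManageEngine, showing the relying-party checks on the clientDataJSON of an authentication response. The origin "https://login.example.test", the lookalike origin and the challenge values are constructed. A real relying party additionally verifies the authenticator’s signature over authenticatorData || SHA-256(clientDataJSON), which is what binds these fields to the credential’s private key; that signature step is not shown here.

```python
"""Relying-party checks that make a WebAuthn (passkey) assertion phishing-resistant.

Added example; origins and challenges are constructed. Only the clientDataJSON
checks are shown, not the signature verification that anchors them.
"""
import base64
import hashlib
import json
import secrets

RP_ORIGIN = "https://login.example.test"  # assumed relying-party origin


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_client_data(client_data_b64: str, expected_challenge: str, expected_origin: str = RP_ORIGIN):
    """Validate the clientDataJSON of a WebAuthn authentication ('get') response.

    Returns (True, client_data_hash_hex) on success or (False, reason) on failure.
    The hash returned is the value the authenticator signed alongside authenticatorData.
    """
    raw = b64url_decode(client_data_b64)
    try:
        data = json.loads(raw)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if data.get("origin") != expected_origin:
        return False, f"origin {data.get('origin')!r} is not the relying party"
    return True, hashlib.sha256(raw).hexdigest()


def make_client_data(challenge: str, origin: str) -> str:
    """Build a constructed clientDataJSON as a browser would for a 'get' ceremony."""
    doc = {"type": "webauthn.get", "challenge": challenge, "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(doc, separators=(",", ":")).encode())


def demo():
    """Genuine response, response from a lookalike domain, and a stale challenge."""
    challenge = b64url_encode(secrets.token_bytes(32))  # issued fresh per login attempt
    genuine = verify_client_data(make_client_data(challenge, RP_ORIGIN), challenge)
    lookalike = verify_client_data(make_client_data(challenge, "https://login-example.test"), challenge)
    stale = verify_client_data(make_client_data(b64url_encode(b"old-challenge"), RP_ORIGIN), challenge)
    return genuine, lookalike, stale


if __name__ == "__main__":
    for label, (ok, info) in zip(("genuine", "lookalike origin", "stale challenge"), demo()):
        print(f"{label}: {'accepted' if ok else 'rejected'} ({info})")
```

The lookalike case is the one that matters for phishing: even a user who has been tricked into visiting login-example.test cannot produce a response whose origin field says login.example.test, because the browser writes that field itself, so the relying party rejects it regardless of how convincing the page looked.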

IT teams can also help foster collaboration with HR, legal, compliance, and operations teams. This ensures that security becomes everyone’s responsibility, and organisations are more likely to adopt secure behaviours and support risk mitigation strategies across departments.

The reality is that cybercrime is now a cost of doing business. Like insurance or rent, it can be managed. But businesses must move away from reactive firefighting and begin treating cybersecurity as a proactive, strategic function. This means going beyond patching vulnerabilities and installing antivirus software and integrating cybersecurity into the very fabric of business operations.  
