Cyber Security

Why frontline cybersecurity must be a strategic imperative for supply chains

By Shankar Haridas, Head of UKI, ManageEngine

In 2025, high-profile, damaging cyber breaches demonstrated how attackers are successfully exploiting security vulnerabilities in supply chains. In fact, 43% of all UK businesses suffered a cyber-attack over the last year, including Jaguar Land Rover – who are still facing fallout – and the retailers M&S and Coop.

Yet only 14% of firms are on top of the potential risks faced by their immediate suppliers. And attackers are finding new ways in by using new technologies to exploit weak links in digital supply chains, manipulate identity systems, and infiltrate through trusted vendors.

It's clear that traditional frontline defences are no longer enough. The onus is now on UK businesses to build a robust security strategy which can stand in the age of AI-enabled attacks. The growing vulnerability of major businesses to cyberthreats shows why frontline cyber is a strategic imperative.

The current state of play

Businesses should be moving to ensure that their security strategy is up-to-date and effective. That's easier said than done, especially when businesses' data is constantly on the move and often routed between any number of external partners and trusted third-party relationships.

Assessing and understanding risk is the first step to building an effective security strategy. For instance, sophisticated attackers often choose to target a less-secure partner, supplier or seller. This might include mass campaigns of phishing and malware attacks to grab low-hanging fruit, such as organisations with no security framework who provide a way in.

Having gained access to a trusted partner's systems, attackers then act to infiltrate other organisations upstream or downstream. This can lead to exfiltration and leaking of sensitive data by attackers who exploit the unwarranted privileges assigned to them.

And attackers don't stay still – their methods are constantly evolving. Using artificial intelligence, they can create sophisticated phishing emails and deepfakes, often moving faster than many businesses' governance processes and controls.

For instance, we're witnessing the emergence of device code phishing attacks, which exploit authentication through device code flow for logging IoT devices into user accounts, bypassing MFA and similar security methods. Many of these devices were never designed for secure authentication, making them easy entry points for attackers.
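One way a defender might hunt for the device code phishing described above, as an added example that is not part of the original article: it flags successful device code sign-ins from clients not approved for that flow, or where the user approved the code in a different country from the polling device. The event schema, client names and allowlist are assumptions made for illustration.

```python
# Added example: constructed events in a hypothetical schema, not a vendor log format.
# RFC 8628 grant type a device sends when it polls the token endpoint.
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Assumption: the only client this organisation has approved for device code sign-in.
APPROVED_DEVICE_CLIENTS = {"conference-room-display"}


def ev(user, client, grant, poll_country, approve_country, ok=True):
    """Build one constructed token-endpoint event."""
    return {"user": user, "client_id": client, "grant_type": grant,
            "polling_country": poll_country,    # where the device polled for tokens
            "approval_country": approve_country,  # where the user entered the code
            "success": ok}


SAMPLE_EVENTS = [  # constructed sample data
    ev("alice", "conference-room-display", DEVICE_CODE_GRANT, "GB", "GB"),
    ev("bob", "mail-cli", DEVICE_CODE_GRANT, "NL", "GB"),
    ev("carol", "conference-room-display", DEVICE_CODE_GRANT, "US", "GB"),
    ev("dave", "web-portal", "authorization_code", "GB", "GB"),
    ev("erin", "mail-cli", DEVICE_CODE_GRANT, "NL", "GB", ok=False),
]


def flag_device_code_signins(events, approved=APPROVED_DEVICE_CLIENTS):
    """Return (user, client_id, reasons) for suspicious device code sign-ins."""
    findings = []
    for e in events:
        # Only completed device code grants issue tokens, so only those matter here.
        if e["grant_type"] != DEVICE_CODE_GRANT or not e["success"]:
            continue
        reasons = []
        if e["client_id"] not in approved:
            reasons.append("client not approved for device code flow")
        # The polling device and the approving browser are normally in the same place.
        if e["polling_country"] != e["approval_country"]:
            reasons.append("code approved in a different country than the polling device")
        if reasons:
            findings.append((e["user"], e["client_id"], reasons))
    return findings


if __name__ == "__main__":
    for user, client, reasons in flag_device_code_signins(SAMPLE_EVENTS):
        print(f"{user} via {client}: {'; '.join(reasons)}")
```

Where no input-constrained devices need this flow at all, an empty allowlist turns every successful device code sign-in into a finding.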

Embedding security at every level

No organisation can close every gap; there's no such thing as an indestructible cybersecurity policy. But organisations have the best possible chance to stay ahead of attackers by adopting a security posture rigorous enough to counter the all-pervasive scale of these threats.

This means security can no longer be seen as an insurance policy or a 'nice-to-have'. Instead, it must be embedded as a core strategic priority. Organisations should start by embedding cybersecurity as a board-level priority.

Cybersecurity shouldn't be farmed out to a siloed IT team and then forgotten about – it needs to be front of mind for every team, championed by the C-suite, and built into every new partnership, supplier relationship, hardware deployment, and back-end system change.

Achieving this is a complex, ongoing process that needs buy-in at the highest levels, and in every part of the business. Rigorous vendor risk management, penetration testing, and continuous development are all a part of an organisation's defences to make the supply chain secure.

Businesses should also move to adopt a security posture that gives them the best possible chance to stay a step ahead of the attackers. That's why it's important to establish stringent security mechanisms and embed a process of continuous monitoring, auditing, and updating your systems and policies.

And, as artificial intelligence supercharges the abilities of would-be hackers, traditional methods will no longer be enough to counteract them. This means security needs to be watertight wherever sensitive data is accessed, and defences must constantly evolve to keep pace with the rise of AI-enabled attacks.

Practical next steps

To create this new environment, raising employee awareness will be crucial. Regular employee training, phishing simulations, and incident response exercises can help to promote a security-first culture. Meanwhile, communicating wins, sharing lessons from incidents, and rewarding secure behaviour help reinforce positive habits and accountability.

But training employees to spot phishing email scams isn't enough; organisations must implement phishing-resistant MFA, biometrics, hardware security keys and passkeys to provide the level of protection needed in this AI era.

And IT teams can help foster collaboration between IT, HR, legal, compliance, and operations teams. This ensures that security becomes everyone's responsibility, and organisations are more likely to adopt secure behaviours and support risk mitigation strategies across departments.

The reality is that cybercrime is now a cost of doing business. Like insurance or rent, it can be managed. But businesses must move away from reactive firefighting and begin treating cybersecurity as a proactive, strategic function. This means going beyond patching vulnerabilities and installing antivirus software, and integrating cybersecurity into the very fabric of business operations.
