Cascading risk: Protecting against supply chain attacks in a hostile threat landscape
"The assumption that cyberattacks affect single organisations no longer holds. Today, one point of failure can escalate into a cross-sector crisis."

Cyberattacks on major brands and critical supply chains are becoming more frequent and sophisticated. The UK has recently seen a wave of attacks in the retail sector, with victims including Co-op, Harrods, and most recently North Face and Cartier, and some are still dealing with the fallout.
A single breach at any point in shared digital infrastructure can disrupt many other organisations, with attackers deliberately targeting widely used software or service providers to maximise impact.
Part of this shift is being driven by the consequences organisations now face in the event of disruption. Regulatory frameworks such as the EU’s Digital Operational Resilience Act (DORA) and Network and Information Security Directive 2 (NIS2) are increasing the compliance burden on businesses.
While tougher regulations are extremely important, they can also have the unintended effect of making organisations more appealing to threat actors seeking leverage and financial gain.
The higher the operational and legal stakes of a disruption, the greater the pressure on organisations to respond swiftly, particularly when failure means breaching compliance requirements, with all the negative consequences that entails.
Last year’s attack on an NHS pathology provider serves as a strong example here, disrupting services for several months, and costing an estimated £32.7 million. In tightly regulated sectors, this sense of urgency increases the leverage available to threat actors, making it easier for them to pressure organisations into meeting their demands.
The vulnerabilities inherent in many supply chains are evident in the growing number of incidents where attackers compromise widely used management tools or platforms to gain broader access, where the appeal lies not only in financial gain but also in visibility.
Large-scale attacks that affect household names are more likely to make headlines, giving attackers the publicity they often seek. In this context, the most prominent and integrated players are seen as the most valuable targets and the prevailing assumption that cyberattacks are isolated incidents affecting single organisations no longer holds. Today, a single point of failure can rapidly escalate into a cross-sector crisis.
Looking at the most high-profile recent incidents, such as the M&S breach, media reports quoted the company’s CEO, who said threat actors had gained access to its networks via a “third party”. Weeks after the initial incident, the story continues to generate headlines: M&S is not expected to fully restore services until later this month, has taken a £300 million hit to its profits and, in early June, was presented with an “unprecedented” class action lawsuit.
Implementing a Minimum Viable Company strategy
In this context, organisations must not only strengthen their defences but also prepare for recovery by clearly defining which systems are essential to keep the business functioning.
Recovery speed is often determined not by the severity of the breach but by how well an organisation has prepared. One of the most common failings is a lack of clarity around which systems and processes are most critical to restoring basic operations. This is where defining a Minimum Viable Company (MVC) becomes essential.
The MVC concept refers to the minimum set of systems and functions needed to maintain operational continuity. These will differ by organisation, but typically include core communications platforms, financial systems, and customer service infrastructure. Without a clear view of what to restore first, businesses can quickly become overwhelmed, particularly when decision-makers view every system as mission-critical and recovery plans lack appropriate prioritisation.
The problem is that many businesses only begin to consider their MVC requirements once a breach has occurred, by which point it is already too late. Defining the MVC in advance and testing it regularly are among the most effective ways to reduce downtime and accelerate a return to business-as-usual.
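One way to make the MVC concrete before an incident is to record each system, the tier it sits in and what it depends on, then check the plan in advance for the failing described above: an MVC system that quietly relies on something nobody put in the MVC. The following is an added example, not code from the author or from Commvault; the service inventory, its names and its dependencies are constructed assumptions for illustration. It flags such gaps, promotes missing dependencies into the MVC tier, and derives a restoration order that never brings a service up before the services it needs.

```python
"""Added example: checking and ordering a Minimum Viable Company (MVC) plan.

The inventory below is constructed for illustration; the service names,
tiers and dependencies are assumptions, not taken from any real organisation.
"""

# Constructed inventory: service -> (criticality tier, set of services it needs)
# Tier 1 = in the MVC (restore first); tier 2 and 3 = restore once the MVC is up.
INVENTORY = {
    "identity":  (1, set()),
    "dns":       (1, set()),
    "email":     (1, {"identity", "dns"}),
    "payments":  (1, {"identity", "dns", "database"}),
    "database":  (2, set()),          # deliberately mis-tiered: payments needs it
    "crm":       (2, {"identity", "database"}),
    "analytics": (3, {"database", "crm"}),
}


def mvc_gaps(inventory, mvc_tier=1):
    """Return (dependency, dependant) pairs where an MVC service relies on a
    service that is not itself in the MVC. These are the prioritisation
    mistakes that otherwise surface only in the middle of an incident."""
    gaps = []
    for name, (tier, deps) in inventory.items():
        if tier != mvc_tier:
            continue
        for dep in sorted(deps):
            if dep not in inventory or inventory[dep][0] != mvc_tier:
                gaps.append((dep, name))
    return gaps


def promote_dependencies(inventory, mvc_tier=1):
    """Return a copy of the inventory in which every transitive dependency of
    an MVC service has been pulled into the MVC tier."""
    fixed = {k: (t, set(d)) for k, (t, d) in inventory.items()}
    stack = [n for n, (t, _) in fixed.items() if t == mvc_tier]
    while stack:
        name = stack.pop()
        for dep in fixed[name][1]:
            if fixed[dep][0] != mvc_tier:
                fixed[dep] = (mvc_tier, fixed[dep][1])
                stack.append(dep)
    return fixed


def recovery_order(inventory):
    """Kahn's algorithm over the dependency graph: among services whose
    dependencies are already restored, bring up the lowest tier first.
    Raises ValueError on an unknown dependency or a cycle, either of which
    would make the written plan unexecutable."""
    indegree = {n: len(deps) for n, (_, deps) in inventory.items()}
    dependants = {n: [] for n in inventory}
    for n, (_, deps) in inventory.items():
        for d in deps:
            if d not in inventory:
                raise ValueError(f"{n} depends on unknown service {d}")
            dependants[d].append(n)
    ready = sorted((inventory[n][0], n) for n, k in indegree.items() if k == 0)
    order = []
    while ready:
        _, name = ready.pop(0)
        order.append(name)
        for child in dependants[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append((inventory[child][0], child))
                ready.sort()
    if len(order) != len(inventory):
        missing = sorted(set(inventory) - set(order))
        raise ValueError("dependency cycle involving: " + ", ".join(missing))
    return order


if __name__ == "__main__":
    print("gaps in the MVC as written:", mvc_gaps(INVENTORY))
    corrected = promote_dependencies(INVENTORY)
    print("gaps after promotion:", mvc_gaps(corrected))
    print("restoration order:", recovery_order(corrected))
```

Run against the constructed inventory, the gap check reports that "payments" (tier 1) depends on "database" (tier 2); after promotion the database is restored before payments and the MVC services all come back before the tier 2 and 3 systems. The same checks can be re-run whenever the inventory changes, which is the "regular testing" the text calls for.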
The same principle applies at an individual level because it is consumers who frequently suffer the most immediate consequences of a major breach. In these situations, personal resilience becomes just as important, with enhanced security significantly reducing exposure risks. But, whether it’s a business or an individual at risk, resilience is about more than cybersecurity hygiene.
As the recent incidents in Spain and Portugal demonstrated, nationwide power outages affected chip-and-pin systems and left many people unable to make basic purchases. In these cases, carrying cash and having analogue fallbacks for essential services can make a big difference.
Just as businesses must define their MVC, individuals should ask themselves a simple question: what are the essential tools and processes I need to function if digital services are unavailable? For many of us, the answer may be more practical than technical.
In the most extreme cases, SolarWinds being the most infamous example, supply chain breaches have the potential to impact tens of thousands of organisations. But whoever the victims are, the cost is escalating at an alarming rate. One Gartner estimate suggests that the impact of software supply chain attacks will grow from $46 billion in 2023 to $138 billion by 2031, reflecting the bottom-line risks at play.
Organisations with tightly integrated digital supply chains should take note and prepare so that, should the worst case scenario happen, they can maintain continuous business, even amidst the crisis.
Darren Thomson is Field CTO EMEAI at Commvault