Hidden Risks In The The Global Supply Chain

Uploaded on 2025-03-24 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

The leading risk intelligence firm Bitsight has released its latest research report -  Under the Surface: Uncovering Cyber Risk in the Global Supply Chain.  The findings highlight how deeply interconnected businesses are, and how cyber risks in one part of the supply chain can have far-reaching effects.  

The report examines both global and UK-specific data, based on an analysis of 500,000 organisations, 40,000 products, and 12,000 providers, mapping over 61 million digital supply chain relationships

In particular, Bitsight found that UK supply chains are larger and more complex than the global average and the typical UK organisation uses 29.1 different providers and 81.6 different products; a 10% larger supply chain than the global average.  

Other key findings include: 

  • The larger and more complex a supply chain, the greater the attack surface, increasing opportunities for cybercriminals to infiltrate networks. 
  • Supply chain risks don’t just come from direct providers - they extend through multiple tiers, creating hidden vulnerabilities that businesses may not be aware of.  
  • Of particular concern is the the finding that the UK supply chain’s is highly reliant on Chinese companies which have links with the Chinese military with 30% of the UK supply chain relies on organisations designated by the US Department of Defense as “Chinese Military Companies.”  

The continued reliance on these providers underscores the challenge of securing the digital supply chain against foreign influence.

Even with increased scrutiny and regulatory efforts, Chinese state-linked firms maintain a significant foothold in UK industries, making it critical for organisations to assess their vendor relationships and mitigate potential risks.  

The UK’s most influential global providers aren’t just big-name technology firms - they include niche software vendors that quietly power essential industries. Bitsight research identifies “Hidden Pillars”, the lesser-known technology companies that serve large portions - or even the majority - of specific industries. A security failure at one of these companies could trigger cascading effects within and across industries.  

  • Customer count does not equal criticality, as some niche providers serve only a handful of companies yet support massive market share in industries like energy, finance, and logistics. 
  • Some of the most critical software and infrastructure providers operate with fewer than 50 employees, yet their technology is embedded in Fortune 500 companies and global enterprises. 

Bitsight assess that organisations that provide digital products and services often face far greater cybersecurity challenges than the businesses they serve. With larger attack surfaces, more complex vendor relationships, and increasing risk exposure, providers must take stronger measures to secure their own ecosystems. 

  • On average, providers use 2.5 times more products and have 10 times more internet-facing assets globally, making them more exposed to cyber threats. 
  • While providers outperform consumers in four of six security standards, including DMARC, SPF, DKIM, and DNSSEC, they lag behind in areas such as patch management, open ports, insecure systems, and botnet infections. 

Bitsight found that UK businesses exhibit better cybersecurity performance than their providers, however, there are always  going to be some providers that fail to achieve or maintain a good security posture. “Over the past year, we’ve seen several highly-visible security incidents that highlight how incidents in the digital supply chain can have a massive ripple effect across the global economy,” said Ben Edwards, Principal Research Scientist at Bitsight. 

“Even the most security-conscious companies are vulnerable to weaknesses in their supply chain. Organisations must continuously evaluate their third party vendors and suppliers and work proactively to close security gaps.” Edwards added.

Image: Ideogram

You Might Also Read:

Guidance Is Coming, But Hackers Aren’t Waiting:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Britain Plans To Use  AI To Run Public Services
Sign up for our FREE Weekly Newsletter »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Assure Technical

Assure Technical

Assure Technical offers a holistic approach to Technical Security. Our expertise and services span across the Physical, Cyber and Counter Surveillance domains.

Lantronix

Lantronix

Lantronix is a global provider of secure data access and management solutions for Internet of Things (IoT) and information technology assets.

Superscript

Superscript

Superscript (formerly Digital Risks) is an insurance broker for small businesses, sole-traders, landlords and high-growth tech firms. Our services include Cyber Liability insurance.

Adeptis Group

Adeptis Group

Adeptis are experts in cyber security recruitment, providing bespoke staffing solutions to safeguard your organisation against ever-changing cyber threats.

SecuriThings

SecuriThings

SecuriThings is a User and Entity Behavioral Analytics (UEBA) solution for IoT security.

HyTrust

HyTrust

HyTrust specialises in security, compliance and control software for virtualization and cloud environments.

Elastic

Elastic

Elastic is the world's leading software provider for making structured and unstructured data usable in real time for search, logging, security, and analytics use cases.

Miratech

Miratech

Miratech is a global IT services and consulting organization offering a full range of IT infrastructure solutions and services including cyber security.

Pareteum

Pareteum

Pareteum is a leading Global provider of mobile networking software and services. Our mission is to provide a single solution to the problem of fully enabling and securing the Mobile Cloud.

SafeLogic

SafeLogic

SafeLogic provides strong encryption products for solutions in mobile, server, Cloud, appliance, wearable, and IoT environments that are pursuing compliance to strict regulatory requirements.

MicroEJ

MicroEJ

MicroEJ is a software vendor of cost-driven solutions for embedded and IoT devices.

DeepView

DeepView

DeepView delivers a unified platform for managing risk on digital platforms. One interactive secure portal allowing employees to engage their networks securely and compliantly.

Cyber Dacians

Cyber Dacians

Cyber Dacians offers Information and Cyber Security Consulting Services. We help you to test the effectiveness of your security defenses and build a secure infrastructure.

Hackuity

Hackuity

Hackuity is a breakthrough technology solution that rethinks the way of managing IT vulnerabilities in enterprises.

KATIM

KATIM

KATIM is a leader in the development of innovative secure communication products and solutions for governments and businesses.

KnoTra Global

KnoTra Global

KnoTra Global is a next-generation Managed Service provider with a portfolio of services including Cybersecurity Solutions, Network Management, IT Leadership, and Day-to-Day Helpdesk and IT services.