Hidden Risks In The The Global Supply Chain

Uploaded on 2025-03-24 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

The leading risk intelligence firm Bitsight has released its latest research report -  Under the Surface: Uncovering Cyber Risk in the Global Supply Chain.  The findings highlight how deeply interconnected businesses are, and how cyber risks in one part of the supply chain can have far-reaching effects.  

The report examines both global and UK-specific data, based on an analysis of 500,000 organisations, 40,000 products, and 12,000 providers, mapping over 61 million digital supply chain relationships

In particular, Bitsight found that UK supply chains are larger and more complex than the global average and the typical UK organisation uses 29.1 different providers and 81.6 different products; a 10% larger supply chain than the global average.  

Other key findings include: 

  • The larger and more complex a supply chain, the greater the attack surface, increasing opportunities for cybercriminals to infiltrate networks. 
  • Supply chain risks don’t just come from direct providers - they extend through multiple tiers, creating hidden vulnerabilities that businesses may not be aware of.  
  • Of particular concern is the the finding that the UK supply chain’s is highly reliant on Chinese companies which have links with the Chinese military with 30% of the UK supply chain relies on organisations designated by the US Department of Defense as “Chinese Military Companies.”  

The continued reliance on these providers underscores the challenge of securing the digital supply chain against foreign influence.

Even with increased scrutiny and regulatory efforts, Chinese state-linked firms maintain a significant foothold in UK industries, making it critical for organisations to assess their vendor relationships and mitigate potential risks.  

The UK’s most influential global providers aren’t just big-name technology firms - they include niche software vendors that quietly power essential industries. Bitsight research identifies “Hidden Pillars”, the lesser-known technology companies that serve large portions - or even the majority - of specific industries. A security failure at one of these companies could trigger cascading effects within and across industries.  

  • Customer count does not equal criticality, as some niche providers serve only a handful of companies yet support massive market share in industries like energy, finance, and logistics. 
  • Some of the most critical software and infrastructure providers operate with fewer than 50 employees, yet their technology is embedded in Fortune 500 companies and global enterprises. 

Bitsight assess that organisations that provide digital products and services often face far greater cybersecurity challenges than the businesses they serve. With larger attack surfaces, more complex vendor relationships, and increasing risk exposure, providers must take stronger measures to secure their own ecosystems. 

  • On average, providers use 2.5 times more products and have 10 times more internet-facing assets globally, making them more exposed to cyber threats. 
  • While providers outperform consumers in four of six security standards, including DMARC, SPF, DKIM, and DNSSEC, they lag behind in areas such as patch management, open ports, insecure systems, and botnet infections. 

Bitsight found that UK businesses exhibit better cybersecurity performance than their providers, however, there are always  going to be some providers that fail to achieve or maintain a good security posture. “Over the past year, we’ve seen several highly-visible security incidents that highlight how incidents in the digital supply chain can have a massive ripple effect across the global economy,” said Ben Edwards, Principal Research Scientist at Bitsight. 

“Even the most security-conscious companies are vulnerable to weaknesses in their supply chain. Organisations must continuously evaluate their third party vendors and suppliers and work proactively to close security gaps.” Edwards added.

Image: Ideogram

You Might Also Read:

Guidance Is Coming, But Hackers Aren’t Waiting:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Britain Plans To Use  AI To Run Public Services
Sign up for our FREE Weekly Newsletter »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Government Communications Headquarters (GCHQ) - UK

Government Communications Headquarters (GCHQ) - UK

GCHQ defends Government systems from cyber threat, provide support to the Armed Forces and strive to keep the public safe, in real life and online.

CyberSift

CyberSift

CyberSift is a cyber security provider. We develop threat detection software which needs no infrastructure changes as it integrates with almost any security tool.

Mnemonica

Mnemonica

Mnemonica specializes in providing data protection system, information security compliance solutions, cloud and managed services.

IXDen

IXDen

IXDen provides a novel software-based approach to OT systems protection, covering Industrial IoT cybersecurity and sensor data integrity.

CoursesOnline

CoursesOnline

CoursesOnline.co.uk is a database listing IT security courses from providers across the UK.

eCentre@LindenPointe

eCentre@LindenPointe

The eCenter@LindenPointe provides assistance to the development, management and promotion of STEM (Science, Technology, Engineering, Mathematics) related business ventures.

Support Link Technologies (SLT)

Support Link Technologies (SLT)

Support Link Technologies are an IT Solutions Company committed to achieving customer satisfaction through excellent customer service.

Arctic Group

Arctic Group

Arctic Group is a Swedish service provider focusing on cybersecurity, integration services and deployment of software development tools.

Cranium

Cranium

AI is being implemented into every business process, but nobody knows whether their AI is secure. Our mission is to deliver security and trust to the AI revolution.

Walacor

Walacor

Walacor’s secure data platform represents the next generation of secure data and blockchain storage with a trust-first approach that revolutionizes enterprise data, and database management systems.

AKIPS

AKIPS

AKIPS develops the world's most scalable network and infrastructure monitoring software, delivered as a turn-key software appliance.

BuddoBot

BuddoBot

BuddoBot has been a pioneering force in cybersecurity and information technology since 2008.

Baselime

Baselime

Baselime, the cloud-native observability platform. Resolve issues in your cloud application before they become problems.

Click Studios

Click Studios

Click Studios is an Agile software development company specialising in the development of a secure Enterprise Password Management solution called Passwordstate.

The Missing Link

The Missing Link

Whether your requirements are large or small, The Missing Link have you covered with our core offerings including IT & Cloud, Cyber Security and Automation.

Synergetika

Synergetika

Synergetika is a leading pure-play Privileged Access Management (PAM) consultancy and systems integrator.