Explore key findings from the "Every Link Matters: The State of Supply Chain Security 2025 – UK Edition" report. Learn why UK organisations face growing supply chain cyber threats, the limitations of traditional TPRM, and how collaborative defence strategies are crucial for resilience and regulatory compliance.
The digital landscape is evolving at an unprecedented pace, bringing with it both innovation and increasingly sophisticated threats. For organisations across the UK, one area stands out as an increasingly important threat vector: their corporate supply chains, i.e. the network of hundreds if not thousands of external service providers, suppliers and partners they rely on. Our recent data insights report, "Every Link Matters: The State of Supply Chain Security 2025 - UK Edition," dives deep into these evolving challenges, drawing on insights from over 500 cyber security and risk management professionals across the UK. The findings paint a clear picture: the threat is growing, traditional approaches are insufficient, and a new era of collaborative defence is not just beneficial, but essential.
Gone are the days when cyber defences could focus solely on an organisation's own perimeter. Today, the interconnected web of third, fourth, and even nth-party suppliers represents a vast and increasingly frequently exploited attack surface. The report highlights a significant escalation in these incidents. A striking 85% of UK cyber security professionals reported experiencing at least one cyber security incident within their supply chain in the past 12 months. Supply chain attacks are therefore no longer isolated phenomenons; they have become a systemic issue impacting organisations across every sector.
The implications of this extend far beyond data breaches. Supply chain attacks can cause widespread operational disruption and lasting reputational damage, as evidenced by the large number of high-profile incidents in recent years. This growing threat has resonated deeply within the security community: a significant 90% of surveyed UK cyber security professionals now list supply chain cyber incidents among their top three areas of concern for 2025.
If supply chain attacks are a leading concern, and if attacks are continuing to trend upwards, it naturally begs the question: are our current Third-Party Risk Management (TPRM) programmes truly equipped to keep us safe? The report suggests a challenging answer. While nearly all surveyed professionals (97.8%) acknowledge that TPRM is at least "somewhat effective," a concerning minority, just 37.2%, consider it "truly effective" at reducing supply chain cyber risk in 2025. This gap points to inherent flaws within traditional TPRM methodologies that prevent them from delivering the resilience organisations desperately need.
One of the most frequently cited shortcomings with TPRM is the inability to continuously monitor suppliers' internal security controls, identified by 37.8% of UK cyber security professionals as a major concern. Relying solely on periodic assessments leaves organisations blind to changes in their suppliers' security postures between reviews, creating critical windows of vulnerability. This static, often reactive approach struggles to keep pace with the dynamic nature of cyber threats. In essence, traditional TPRM, while foundational, is no longer sufficient on its own in today's fast-evolving landscape.
The complexity of modern digital supply chains means that risks are also no longer confined to direct third-party relationships. Vulnerabilities can lurk anywhere within an organisation's extended ecosystem, residing in fourth, fifth, or even nth-party suppliers. These deeper-tier dependencies, often invisible, can represent significant single points of failure that can trigger cascading disruptions across multiple organisations or even entire sectors if exploited by threat actors.
Our report reveals a concerning lack of visibility in this area. Only 26.8% of respondents reported having full visibility into all tiers of their extended supply chains. Crucially, a significant 70% of organisations currently cannot identify concentration risks—where multiple critical suppliers might rely heavily on the same deeper-tier provider.
Regulators are acutely aware of this blind spot. Bodies like the Bank of England (BOE), Financial Conduct Authority (FCA), and Prudential Regulation Authority (PRA), but also other regulators, are increasingly emphasising the need for firms to map critical services and identify deep supply chain dependencies through frameworks like the Operational Resilience Framework. The UK Government's Cyber Security Strategy also reinforces the importance of "visibility" as the foundation for accurate risk assessment and effective incident response. The message is clear: understanding and managing these extended supply chain ecosystems, including identifying concentration and systemic risks, is no longer optional—it's a regulatory and strategic imperative.
The good news is that the solution to many of these TPRM challenges lies in adopting a more collaborative approach. The report highlights that 34.6% of UK cyber security professionals regard the lack of collaboration and information sharing with industry peers as a key shortcoming. This indicates a recognition that no single organisation can secure its supply chain in isolation.
Risk Ledger champions this "Defend-as-One" ethos, transforming TPRM from a siloed, often reactive function into a proactive cyber defence discipline. By building a network of connected organisations, Risk Ledger enables secure, collaborative information sharing. This allows communities of organisations to:
For instance, the report showcases how a public sector community using Risk Ledger, despite cumulatively connecting to only 77 direct third-parties, collaboratively identified hundreds of deeper-tier dependencies and uncovered 191 potential concentration risks, with 14 of these being critical third-parties connected to at least 50% of community members. This concrete example demonstrates how collective intelligence transforms abstract risks into actionable insights, enabling faster responses and stronger sector-wide resilience.
The "Every Link Matters" report makes it clear: supply chain attacks are a persistent, systemic threat to UK organisations and critical infrastructure. Traditional TPRM, with its inherent limitations, is struggling to keep pace, leaving organisations exposed to hidden risks across extended supply chains. Regulators are pushing for greater visibility and accountability, recognising the interconnected nature of risk.
The path forward is through collaboration. By adopting a "Defend-as-One" approach, sharing intelligence, and leveraging platforms such as Risk Ledger built for collective defence, organisations can move beyond reactive measures to build truly resilient supply chains. This shared effort not only enhances security but also optimises resources, ensuring that every link in the chain is fortified.
To fully understand the evolving threat landscape and discover how a collaborative approach can revolutionise your supply chain security, we invite you to explore the full report.
You can download the full report "Every Link Matters: The State of Supply Chain Security 2025 - UK Edition" via the linkn below.
Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.
