Analysis

Achieving Operational Resilience Against Supply Chain Attacks Through Collaboration

In this byline for FUTURESCOT by Risk Ledger's Chief Cyber Security Strategist, Justin Kuruvilla, you will learn how better collaboration on supply chain risk management can significantly enhance organisations' operational resilience.

“I had no idea” is the last thing anyone wants to utter when explaining to senior executives or regulators how a cyber incident with a critical supplier disrupted your organisation’s critical business function.

Operational resilience is an increasing priority for organisations and regulators, with supply chain security as a key focus. Today’s supply chains are highly complex and interdependent, with organisations dependent on third-party suppliers to provide critical services. Those suppliers rely on their own suppliers, and so on. This creates the need to understand risks beyond direct third parties, extending to fourth, fifth, and nth parties. Every link matters, and visibility of all of them is needed to understand the potential cascading impact an incident may have on your operations.

Regulators recognise how suppliers can represent systemic risks, especially for sectors like finance and critical national infrastructure, where an incident could lead to a domino effect impacting an entire sector. The UK government is addressing these concerns as they relate to government services through initiatives such as the UK Government Cyber Security Strategy and the upcoming Cyber Security and Resilience Bill, which will introduce supply chain security requirements to enhance public sector resilience.

Organisations must gain visibility beyond immediate suppliers and assess risks across their entire supply chain. By identifying hidden vulnerabilities, they can implement mitigation strategies or determine whether risks align with their appetite. However, this is a resource-intensive challenge—especially for public sector bodies operating under budget constraints.

Traditional Third-Party Risk Management (TPRM) has fundamental limitations. It is time-consuming, resource-heavy, and often reliant on manually completed supplier questionnaires, making it difficult to identify concentration risks beyond third parties. Additionally, TPRM is typically conducted in silos, preventing organisations from sharing intelligence and leading to inefficiencies and duplicated efforts.

A collaborative approach can address these challenges by acting as a force multiplier for public sector bodies. By working together, organisations can map risks across a shared supply chain, leveraging collective resources to uncover systemic risks that would be difficult to detect individually.

We are working to foster communities within the public sector that pool their collective resources, providing them with the insights needed to identify concentration risks that might otherwise have been identifiable only with significantly more funding.

In one such community, we brought together ten UK Councils, which can view risks raised against specific suppliers by their peers, discuss best practices to mitigate these risks, and collaboratively engage with suppliers to address them. Moreover, they will be able to collaborate on supply chain attacks as they occur, significantly improving their access to up-to-date information from suppliers to determine the extent to which they may be exposed to any attack or disruption. Finally, by overlaying their supply chain maps, they gain visibility across the entire supply chain and can identify potential concentration risk that may pose a threat to the entire community and that may not have been known had this been done in isolation.

The collaborative approach offers significant advantages since Councils often use the same suppliers. This shared oversight ensures multiple entities are monitoring each supplier while eliminating duplicate efforts, ultimately enabling both collective assurance and unified risk management.

This article was originally published by FUTURESCOT.
