The Hidden Threat: Understanding and Preventing Cyber Security Supply Chain Attacks

In an increasingly interconnected digital world, the strength of your cyber security is only as robust as the weakest link in your supply chain. Recent events have once again brought this reality into sharp focus—most notably, the cyber attacks on UK retail giant Marks & Spencer and global sportswear brand Adidas.

The M&S and Adidas Breaches: Costly Lessons in Supply Chain Risk

According to the Financial Times, Marks & Spencer attributed its breach to a supplier vulnerability, which is expected to cost the company approximately £300 million in operating profit for the 2025/26 financial year.

Just weeks later, Adidas disclosed that a third-party customer service provider had been breached, exposing customer data from individuals who contacted Adidas support centres in Turkey and South Korea in 2024 or earlier.

The compromised data included names, email addresses, phone numbers, and the content of customer service messages.

These incidents underscore a critical truth: even the most sophisticated internal defences can be bypassed if third-party partners are not held to the same security standards.

What Are Supply Chain Attacks?

Supply chain attacks occur when cybercriminals infiltrate an organisation by targeting its suppliers, vendors, or service providers. These attacks exploit the trust and access granted to third parties, allowing malicious actors to bypass perimeter defences and gain entry to sensitive systems.

As outlined in a recent article by SentinelOne, these attacks can be software-based—injecting malicious code into updates or libraries—or hardware-based, compromising devices during manufacturing. The infamous SolarWinds breach is a textbook example, where attackers inserted a backdoor into a software update, affecting thousands of organisations globally.

Why Do Supply Chain Attacks Happen?

Several factors make supply chains attractive targets:

  • Weak Security Controls: Many vendors lack robust cyber defences, making them easier to compromise.
  • Lack of Visibility: Organisations often have limited insight into their suppliers’ security postures.
  • Complexity and Scale: The more vendors you work with, the larger your attack surface becomes.
  • Trust Exploitation: Once inside, attackers can move laterally across networks, often undetected.

A recent article from Calcalist Tech highlights how attackers are increasingly targeting the “soft underbelly” of organisations—third-party providers who may not be subject to the same rigorous security protocols. In fact, 62% of network intrusions now originate from third-party sources, with financial impacts exceeding those of direct breaches due to reputational damage and business disruption.

What Can Be Done?

Mitigating supply chain risk requires a multi-layered approach:

  1. Vendor Risk Assessments: Regularly evaluate the security posture of all third-party partners.
  2. Zero Trust Architecture: Never assume trust—verify every user, device, and connection.
  3. Continuous Monitoring: Use tools that provide real-time visibility into third-party activity.
  4. Contractual Security Clauses: Ensure vendors are contractually obligated to meet specific security standards.
  5. Incident Response Planning: Include third-party breach scenarios in your response playbooks.

Assess Your Risks Now

At Stiperstone, we’ve seen first-hand how devastating supply chain attacks can be—not just in terms of financial loss, but in eroding customer trust and operational resilience.

If you’re unsure about the security of your own supply chain, don’t wait for a breach to find out. Contact Stiperstone today for expert guidance on securing your digital ecosystem. Our team can help you assess your current risks, implement best practices, and build a resilient supply chain that supports—not threatens—your business goals.

Get in touch:

01952 972 401

help@stiper.co.uk

Book your free assessment