Third-party risk is now one of the biggest blind spots in UK cyber security. Most attacks still land through simple things like phishing and poor patching, but when something really disruptive happens, a supplier is often involved somewhere in the chain.
Government and NCSC-aligned data backs this up. The UK Cyber Security Breaches Survey 2025 shows that:
- 43% of UK businesses had a cyber breach or attack in the last 12 months
- This rises to 70% of medium and 74% of large businesses
- Yet only 14% of businesses formally review cyber risks from their immediate suppliers, and just 7% look at their wider supply chain
At the same time, NCSC has reported a sharp rise in serious incidents hitting the UK economy, with 429 incidents handled between August 2024 and August 2025 and a 50% increase in those classed as “highly significant”, many linked to complex supply chains and smaller suppliers.
So, attackers are active, supply chains are clearly in play, and most organisations are not managing the risk in a structured way. That is the real gap.
This article sets out what third-party risk management actually means, what NCSC and government data tells us about the problem, and what practical options UK businesses have to protect themselves.
What is third-party risk management?
Third-party (or “supply chain”) risk management is the set of processes you use to:
- Identify which suppliers can impact your security or resilience
- Understand what they can access or break if compromised
- Set minimum security requirements for them
- Check they are meeting those requirements, continuously
- React quickly when something goes wrong at their end
NCSC frames supply chain risk in simple terms. Your suppliers may:
- Have remote access into your systems
- Host or process your data
- Develop or support the software or hardware you rely on
- Provide critical services such as managed IT, cloud, or telecoms
If one of these organisations is compromised, the attacker can often pivot into your environment, disrupt your operations, or exfiltrate your data without touching your perimeter directly.
Third-party risk management is about closing that gap.
What the NCSC and UK data actually show
Breaches are common, supply chain oversight is not
The Cyber Security Breaches Survey 2025 is the key government dataset here. It shows:
- 43% of UK businesses had at least one cyber breach or attack in the last 12 months
- Medium (70%) and large (74%) businesses are hit far more often than the average
- Only 14% of businesses formally review cyber risks from immediate suppliers
- Only 7% look at their wider supply chain
When you split this by size:
- Micro businesses: 11% review immediate suppliers, 6% wider chain
- Small businesses: 21% immediate, 11% wider
- Medium businesses: 32% immediate, 15% wider
- Large businesses: 45% immediate, 25% wider
In other words, even at the top of the market, more than half of large organisations are not formally reviewing cyber risk from their immediate suppliers, and three-quarters are not reviewing the wider supply chain at all.
The same survey notes that there is “no clear long-term trend” of improvement in supply chain risk reviews, despite rising awareness of the issue.
Serious incidents increasingly involve supply chains
NCSC’s Annual Review for 2023 highlighted rising numbers of nationally significant incidents, including several where the impact flowed through supply chains and critical infrastructure. An analysis of that review notes:
- NCSC received 2,005 incident reports in the review period
- 371 were serious enough for the NCSC Incident Management team
- 62 were nationally significant
- 4 of these were among the most severe incidents NCSC has ever handled, with major impact on critical infrastructure and strong supply chain links
In more recent briefings NCSC has warned of a further increase in highly significant incidents targeting sectors such as retail, manufacturing, and logistics, again with smaller suppliers identified as weak points.
This is why NCSC keeps repeating a simple line: a chain is only as strong as its weakest link.
Why third parties are so attractive to attackers
Attackers are rational. They pick routes that are:
- Easy to exploit
- Hard to monitor
- Likely to be trusted by the target
Third parties tick all three.
Typical patterns include:
- Compromised software updates: Malicious code is injected into widely used software or its update mechanism. When customers apply the update, they pull the attacker inside their environment. The SolarWinds Orion compromise, referenced by NCSC, is the flagship example.
- Compromised managed service providers (MSPs/MSSPs): An MSP has privileged access into many client networks. If the MSP is compromised, every customer is now in play.
- Third-party data stores and aggregators: A data processor or aggregator hosts large amounts of personal or commercial data. If they are breached, every data controller they serve takes a hit. NCSC specifically warns about attacks running through “third party data storers”.
- SaaS and supply-side identity abuse: Vendors provide SSO, identity, collaboration, or storage. Weak controls on their side give attackers paths into customer data without going near the customer’s own perimeter.
- Fourth-party and “shadow” suppliers: Your supplier may subcontract part of the service, or rely on their own vendors. If you have not mapped this, you are exposed to entities you do not even know exist.
All of this explains the disconnect we see in the statistics. Attackers are increasingly using supply chains, but only a small minority of organisations are managing those risks in a systematic way.
NCSC’s core guidance on supply chain security
NCSC’s supply chain security collection sets out the main principles. At a high level it tells organisations to:
Understand your supply chain
- Identify all suppliers that have access to your networks, systems, or data
- Include cloud, SaaS, MSPs, telecoms, and key operational suppliers
Set clear security expectations
- Define what “good” looks like for supplier security
- Use recognised baselines such as Cyber Essentials or ISO 27001 where appropriate
Check suppliers meet those expectations
- Ask structured questions
- Review evidence, certificates, and independent audits
- Treat high-risk suppliers more strictly than low-risk ones
Build security into contracts and relationships
- Include security and incident-reporting clauses
- Set expectations for access control, data handling, and change management
Monitor and review
- Review suppliers regularly, not just during onboarding
- Remediate gaps, re-assess if something changes, and consider exit options
The ICO reinforces this from a data protection angle, pointing to NCSC guidance on “how to assess your supply chain” and emphasising that you remain responsible for personal data even when processors are involved.
How businesses can protect themselves in practice
You do not need a huge team or a complex tool to get started. You need a simple but disciplined process.
Step 1: Map your critical suppliers
Create a single view of suppliers that can hurt you if breached.
Focus on:
- Those with remote or administrative access to your systems
- Those processing or storing personal data or sensitive commercial data
- Those providing business-critical services where downtime would be serious
Keep it simple at first. A spreadsheet is fine if that is what you have.
For each supplier, record:
- What they do for you
- What systems and data they touch
- Who owns the relationship internally
- What contract you have in place
- Whether they have any existing security certifications
Step 2: Tier suppliers by risk
Not all suppliers need the same level of scrutiny.
Define 3 tiers:
- Tier 1 – Critical: Direct network access, large volumes of sensitive data, or vital to operations.
- Tier 2 – Important: Some data or system access, but failure would not be catastrophic.
- Tier 3 – Low-risk: No system access and little to no sensitive data.
Apply this consistently. This will drive how deep you go in due diligence and ongoing checks.
Step 3: Set minimum security baselines
Decide what “good enough” looks like for each tier. In the UK context, you have a few practical options:
- Cyber Essentials / Cyber Essentials Plus: NCSC-backed scheme covering core technical controls. IASME and NCSC explicitly highlight its role in securing supply chains. Requiring CE or CE+ for key suppliers gives you a clear, verifiable baseline.
- ISO 27001: For larger or higher-risk suppliers, ISO 27001 certification can provide broader assurance of an information security management system.
- NCSC “10 Steps to Cyber Security”: You can map your supplier questions to these steps, so you are not inventing your own framework.
At a minimum, your tiered baselines should cover:
- Patch management and vulnerability management
- Access control and MFA
- Network security and segmentation
- Backup and recovery
- Logging and monitoring
- Incident response and reporting timescales
Step 4: Run structured due diligence
Move away from ad-hoc emails. Standardise.
For each Tier 1 and Tier 2 supplier:
- Send a focused security questionnaire: Base it on NCSC guidance and your baselines, not on a 300-question monster. Capture the essentials: MFA, patch SLAs, data locations, sub-processor use, incident history.
- Request evidence where it matters
- Score and document: Record answers, gaps, and agreed remediation actions. Update the risk tier if you learn something significant.
For lower-risk suppliers, you can fold this into the procurement process as a lighter-weight checklist.
Step 5: Build security into contracts
Contracts are your lever when things go wrong.
NCSC and ICO both stress that security requirements and incident obligations should be written into supplier contracts.
For Tier 1 suppliers, your contracts should cover at least:
- Security baselines they must maintain
- Requirement to notify you of incidents within a defined time
- Rights to information and cooperation during incidents
- Restrictions on sub-processors and data transfers
- Termination rights if they fail to meet critical security obligations
For existing suppliers, you can phase these in at renewal.
Step 6: Monitor, not just “set and forget”
One-time questionnaires are not enough. The Cyber Security Breaches Survey shows that policy reviews are common, but structured reviews of supplier risks are rare and inconsistent.
You can improve on that with a simple model:
- Annual reviews for Tier 1 and Tier 2 suppliers
- Trigger reviews after major incidents or material changes (mergers, new services, new regions)
- Basic cyber hygiene checks, for example:
If you have budget, third-party risk tools and attack-surface monitoring platforms can automate some of this, but they are not a substitute for a relationship and clear accountability.
Step 7: Plan for when a supplier is compromised
Assume this will happen at some point. NCSC’s incident data makes that clear.
Your incident response plan should explicitly cover:
- How you will find out about a supplier breach
- Who owns the response internally
- How you will quickly identify affected systems and data
- When and how you will isolate or disable supplier access
- How you will communicate with customers and regulators if needed
Run exercises that simulate a supplier compromise, not just an internal phishing attack. NCSC strongly encourages exercises as part of building organisational resilience.
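The steps above are easy to describe and easy to let drift. As an added example (not code from the article or from NCSC), here is a minimal supplier register that encodes the three-tier model from Step 2, scores questionnaire answers against a per-tier baseline built from the Step 3 control areas, and flags the annual and triggered reviews from Step 6. Supplier names, answers and dates are constructed sample data, and the split of baseline controls across tiers is an illustrative assumption rather than anything the article prescribes.

```python
# Added example, not part of the article: a minimal supplier register that
# applies the three-tier model (Step 2), scores answers against a per-tier
# baseline (Steps 3-4) and flags reviews that are due (Step 6).
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Control areas from Step 3. Which areas each tier must evidence is an
# assumption chosen for illustration, not a scheme the article sets out.
BASELINE = {
    1: {"patching", "mfa", "segmentation", "backups", "logging", "ir_reporting"},
    2: {"patching", "mfa", "backups", "ir_reporting"},
    3: {"patching", "mfa"},
}

@dataclass
class Supplier:
    name: str
    access: str            # "none", "some" or "admin" (direct/administrative access)
    data: str              # "none", "some" or "large" (volume of sensitive data held)
    critical: bool         # downtime would seriously disrupt operations
    answers: dict = field(default_factory=dict)  # control area -> True if evidenced
    last_review: Optional[date] = None           # None until first review

def tier(s: Supplier) -> int:
    """Step 2: Tier 1 = direct access, large sensitive data volumes or vital to
    operations; Tier 3 = no system access and no sensitive data; else Tier 2."""
    if s.access == "admin" or s.data == "large" or s.critical:
        return 1
    if s.access == "none" and s.data == "none":
        return 3
    return 2

def gaps(s: Supplier) -> set:
    """Step 4: baseline controls for the supplier's tier that are not evidenced."""
    return {c for c in BASELINE[tier(s)] if not s.answers.get(c, False)}

def score(s: Supplier) -> float:
    """Fraction of the tier baseline the supplier evidences, 0.0 to 1.0."""
    return 1 - len(gaps(s)) / len(BASELINE[tier(s)])

def review_due(s: Supplier, today: date, trigger: bool = False) -> bool:
    """Step 6: annual reviews for Tier 1 and 2, plus a review after any trigger
    event (incident, merger, new service). Tier 3 is reviewed only on a trigger,
    an assumption since the article sets no cadence for Tier 3."""
    if trigger:
        return True
    if tier(s) == 3:
        return False
    return s.last_review is None or today - s.last_review > timedelta(days=365)
```

Feeding the register from the Step 1 spreadsheet gives you a repeatable answer to "which suppliers are overdue and what are they missing", which is exactly the evidence the survey shows most organisations cannot produce.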
Options available to UK businesses
Different organisations will land in different places depending on their size and risk profile. Broadly, you have four routes.
Option 1: Internal third-party risk framework
You build and run the process yourself.
Suitable when:
- You have at least some internal security expertise
- Your supplier list is not enormous
- You are comfortable with a pragmatic, spreadsheet-driven start
Key tasks:
- Create the supplier inventory and tiers
- Design baseline requirements and questionnaires aligned to NCSC guidance
- Train procurement, legal, and business owners in how to apply them
Upside: maximum control and tailoring. Downside: needs discipline to keep up to date.
Option 2: Use NCSC-aligned schemes as hard requirements
For many UK organisations, the simplest approach is:
- Require Cyber Essentials or CE+ for key suppliers
- Prioritise suppliers that can evidence ISO 27001 or equivalent
- Prefer UK or EU data hosting for sensitive workloads, to simplify regulatory risk
This keeps your due diligence lighter and more objective. You rely on independent audits rather than trying to re-audit suppliers yourself.
Upside: faster onboarding, clearer expectations. Downside: some niche or overseas suppliers may not have these schemes, so you still need a fallback process.
Option 3: TPRM platforms and continuous monitoring
If you have:
- Hundreds of suppliers
- Regulatory obligations (finance, critical national infrastructure, health, etc.)
- Limited internal capacity
Then a third-party risk management (TPRM) platform may be justified. These tools usually:
- Store your supplier inventory
- Automate questionnaires and evidence collection
- Pull in external security signals (e.g. internet-facing misconfigurations)
- Provide dashboards and workflows
They do not remove the need for judgement, but they reduce the manual admin.
Option 4: Partner with a managed security or governance provider
Some managed security service providers (MSSPs) and GRC consultancies offer supply chain risk services, often aligned to NCSC guidance and UK-specific regulations.
Typical services include:
- Designing your third-party risk framework
- Running assessments on your behalf
- Supporting contract negotiation and remediation plans
- Integrating supplier risk into your broader cyber governance
If you go down this route, treat the MSSP itself as a Tier 1 supplier and apply the same rigour to them as to any other critical third party.
A simple 90-day plan
If you are starting from a low base, this is a realistic 90-day approach.
Days 1–30: Get visibility
- Build an initial list of suppliers with system access or sensitive data
- Classify them into 3 tiers based on impact
- Identify obvious gaps such as missing contracts or unknown sub-processors
Days 31–60: Set standards
- Define security baselines per tier, using Cyber Essentials and NCSC 10 Steps as anchors
- Draft a short, focused questionnaire for Tier 1 and 2 suppliers
- Agree contract templates or addenda with legal that include security clauses and incident obligations
Days 61–90: Execute
- Issue questionnaires to Tier 1 suppliers, then Tier 2
- Log responses, score risk, and agree remediation actions where needed
- Update contracts at renewal, prioritising Tier 1
- Add supplier incident scenarios into your next incident response exercise
By the end of this, you will not have eliminated third-party risk. You will, however, have moved from “we don’t really know” to “we can explain our major supplier risks, what we expect from them, and what we are doing about it”. For most boards and regulators, that is the difference between negligence and a defensible position.
Bottom line
The numbers are clear:
- Cyber attacks affect over four in ten UK businesses every year, and many of the most serious incidents involve supply chains in some way.
- Yet only around one in seven businesses formally review cyber risks from their immediate suppliers, and fewer still look at their wider chains.
NCSC’s message is simple: you cannot outsource accountability. You can and should delegate services, but not risk.
Treat third-party risk management as a core part of your security programme, not an afterthought in procurement. Start small if you have to, but start. The attackers already have.
