- +44 1252 917000
- info@bluefort.com
Cody Technology Park,
Farnborough,
GU14 0LX
© Copyright BlueFort Security Ltd.
By Josh Neame, Chief Technology Officer at BlueFort Security
April 2025 has been quite a month. The ‘on-again, off-again’ raft of trade tariffs sweeping across the world has been chaotic to say the least or, for those less optimistic, a “tearing up” of the Old World Order that threatens to “lay waste to the globalised, market-based world trading order”. I won’t comment on the geopolitical aspects of that conversation, but recent events have got me thinking about supply chains and how interconnectivity – both nationally and across borders – is an essential part of modern business.
I doubt I’m alone in this. In boardrooms around the world, there will be conversations aplenty about manufacturing locations, expanding distribution and working with new suppliers that will spawn an assortment of supply chain changes and new third-party supplier relationships for many organisations.
But while third-party suppliers play a fundamental role in business operations, they also introduce significant risks to organisations, from cybersecurity threats to regulatory non-compliance and operational disruptions. Third-party risk management (TPRM) has therefore become far more than a regulatory requirement or ‘tick box’ security exercise – it’s a strategic necessity and a cornerstone of operational resilience that every organisation needs to be prioritising.
The risks associated with supply chain security breaches have become increasingly apparent over the last few years, with several high-profile incidents highlighting both the scope and impact of attacks. The most infamous attack – which arguably put third-party supply chain security on the global stage in 2019 – compromised more than 18,000 SolarWinds customers via a malicious software update. By infiltrating the third-party supplier system, the attackers were able to use the company’s customer base as a distribution network to inject malicious code into thousands of high-profile organisations with just a single product update.
Those organisations affected by the SolarWinds attack ranged from tightly controlled government agencies and departments to technology giants and leading international consultancies. Shortly afterwards, IronNet surveyed IT security decision makers across the United States, United Kingdom and Singapore for its 2021 Cybersecurity Impact Report. It found that 85% of respondents had been impacted in some way by the SolarWinds attack – a staggering figure for any single security breach – with almost a third citing the impact of the attack as significant and just 15% saying they felt the impact was small. What’s more, on average the impact of the breach cost companies 11% of their annual revenue – or just over $12m.
Perhaps the most unsurprising statistic from the IronNet survey was that 90% of companies were re-evaluating their third-party supply chain security post-attack, and yet supply-chain attacks remain a persistent challenge for organisations. In June last year, the Synnovis breach caused significant disruption to frontline care across South East London, demonstrating the ongoing challenge of third-party supply chain security facing the NHS. For organisations operating in critical national infrastructure (CNI) areas like healthcare and other public sector bodies, the third-party supply chain now represents one of the most targeted and effective ways for an attacker to gain initial access. After all, if a supply chain attack can breach the Pentagon (as SolarWinds did), it’s safe to say very few others would be impervious.
The IBM 2024 Cost of a Data Breach Report revealed that a third-party supply chain breach was one of the top three factors that amplified the average cost of a data breach. One reason for this is undoubtedly the breadth of impact third-party supply chain breaches can have: by definition, an organisation does not need to be directly breached to be impacted. Take yet another recent high-profile example – the MOVEit breach – which involved a zero-day vulnerability within Progress Software’s secure file-transfer service and became one of the most significant and far-reaching cyber attacks of 2023. Organisations like Colorado State University “revealed vast and duplicative exposure” to the data breach despite not directly using the file-transfer tool – the organisation’s data was exposed by six of its third-party vendors.
In response to the emerging challenge of third-party supply chain breaches, the regulatory environment is increasingly focused on ensuring organisations are continuously monitoring and closing security gaps in their supply chains. Key examples of this include:
Cyber Assessment Framework (CAF)
A high-level framework developed by the National Cyber Security Centre (NCSC) to help organisations both achieve and demonstrate cyber resilience, CAF focuses on organisations subject to the Network and Information Systems (NIS) Regulations, those within the UK’s critical national infrastructure (CNI), and those managing cyber risks related to essential services and public safety. Originally designed to ensure the security of CNI such as utilities (gas, water etc.) in the UK, CAF has evolved to cover the NHS as well as many other organisations operating in areas such as manufacturing, financial services, and construction.
Rather than providing a prescriptive list of point-in-time requirements, CAF focuses on objectives, principles, outcomes, and indicators of good practice – both for organisations to conduct self-assessments and for independent regulators to assess. This requires organisations to implement appropriate organisational structures, policies, and processes to visualise, understand, monitor and control security risks, as well as minimise the impact of cybersecurity events. TPRM is a fundamental aspect of CAF, and any organisation subject to CAF must achieve its principles for both its own organisation and its external suppliers.
Cyber Essentials
Cyber Essentials is a Government-backed scheme that aims to help organisations protect themselves against the most common cyberattacks and demonstrate their commitment to cybersecurity. With two levels of certification – Cyber Essentials and Cyber Essentials Plus – the scheme provides a range of support for all sizes of organisation. As a self-assessment scheme, it requires organisations to minimise common vulnerabilities to basic attacks and to provide mitigating steps against some of the most common cybersecurity threats in order to be accredited. Cyber Essentials Plus adds hands-on technical verification and provides a more robust framework for developing an organisation’s cyber security posture.
Certification can also open new markets, help win new tenders, and fulfil supply chain requirements from primes, many of whom are now requiring Cyber Essentials accreditation from third-party vendors. In October 2024, a joint statement between the Department for Science, Innovation and Technology (DSIT) and the NCSC announced support for a group of the UK’s leading financial institutions including Barclays, Lloyds Banking Group, Nationwide, NatWest, Santander UK and TSB, in an expansion of Cyber Essentials requirements for the organisations’ supply chains. Many large organisations are now requiring suppliers to be Cyber Essentials certified and we can expect this trend to continue.
Digital Operational Resilience Act (DORA)
Introduced by the European Union (EU) in January 2025, DORA is a regulation specifically focused on strengthening the digital resilience of financial organisations. The act covers organisations operating in the financial sector, from insurance companies to banks, as well as third-party ICT service providers. One of the primary objectives of the act was to address the risks associated with digital supply chains in this critical sector, recognising that these often cross borders. Organisations subject to DORA are required to assess third-party supplier risk, exchange intelligence, and demonstrate ongoing monitoring of the supply chain. In alignment with many new and emerging regulations, DORA prioritises demonstration – encouraging ongoing monitoring and consistent improvement.
Cyber Security and Resilience Bill
The Government is currently updating the UK’s core cybersecurity legislation – the Network and Information Systems Regulations 2018 – and recently published a policy statement offering more detail on its planned changes to the Bill. While we do not yet know the final structure of the upcoming legislation, it’s clear that it will bring more organisations within scope of the NIS regulations, including managed service providers (MSPs), designated critical suppliers, and data centre operators, and will enhance requirements around supply-chain risk management.
Supply Chain Risk Management (And A Free Third-Party Risk Assessment!)
For any organisation subject to regulations mandating supply chain risk management, effective TPRM is an essential exercise. However, even for those organisations currently not within scope of any of these regulations, TPRM is an important practice in safeguarding the organisation from vulnerabilities in the supply chain that present a risk to data security and operational integrity.
Comprehensive TPRM covers:
In conjunction with our partner Orpheus, BlueFort offers a free third-party risk assessment for up to three suppliers to help companies begin their journey to a comprehensive TPRM framework. Utilising the Orpheus cloud-based SaaS platform, BlueFort provides a full risk assessment for the suppliers that visualises how those suppliers look to a potential attacker on the outside world (including any references on the dark web), identifies the presence of any security gaps, and assesses the security posture of the organisation.
BlueFort presents this in an actionable, no-obligation TPRM report which includes detailed risk assessment scores, analysis, and recommendations for improving the suppliers’ security posture. In our experience, these reports stimulate constructive dialogue with third-party vendors and lead to significant improvement across your supply chain.
This type of TPRM is the first step in going beyond compliance and developing a proactive risk management strategy that will effectively minimise supply-chain risk for your organisation. If you would like to learn more about BlueFort’s free third-party risk assessment and how this can support you in building a comprehensive TPRM process, join me on my next ‘Tech Talk Tuesday’ webinar on Tuesday 29th April at 2:00pm.
This concise and practical webinar will explore why third-party supply-chain risk management is critical, and will discuss how organisations can identify, assess, and mitigate risks associated with their suppliers including:
Register here to join me as we discuss how businesses can strengthen their risk management framework and build a more secure, resilient, and compliant supply chain.