
Your business is only as secure as the weakest link in your supply chain. In the last 12 months, 65% of medium and large businesses and 42% of micro and small businesses identified at least one cyber breach or attack. Many of these were caused by in-house mistakes, but in an increasingly digitised environment that relies on third-party vendors, some were inevitably the result of security weaknesses in the company's supply chain.

Supply chain attacks can affect your company in many ways: not only your operational performance (for instance, the NHS had to cancel operations and appointments when it was hit by the WannaCry ransomware attack in 2017), but also your wider reputation. Attacks can also lead to significant long-term financial damage through legal expenses and the loss of customers.

How does an attack occur?

A supply chain attack seeks to damage a business or organisation by targeting a less secure element in its supply network, such as a product, service or system. Attackers sometimes use sophisticated techniques to compromise these elements, but often they get in by simple means. A device with no firewall, insecure default configurations, out-of-date malware protection, missing software updates or overly broad administrative and access rights is an easy target. Once one such device is compromised, the attacker's next step is usually to use its network access and credentials to reach the real target, so a supplier's weak device becomes your problem as soon as it is connected to your systems.


For instance, in 2013 the US retailer Target suffered one of the largest data breaches in the history of the retail industry. Around 40 million customers' credit and debit card details were exposed to fraud after malware was installed on the point-of-sale (POS) systems. The attackers are believed to have gained access using network credentials stolen from one of Target's heating, ventilation and air conditioning contractors, whose own IT security had failed. The breach directly hit Target's profit, which fell more than 40% in the quarter after the attack. The lesson for any company is that third-party access should be restricted to exactly what the supplier needs and kept segregated from sensitive systems such as payment networks.

Further real-world examples of supply chain attacks can be found here.


So how can you help safeguard your supply chain?

The National Cyber Security Centre suggests that all companies observe the following guidelines:


1.   Understand the risks:

     –   Understand what needs to be protected, and why
     –   Know who your suppliers are, and build an understanding of what their security looks like
     –   Understand the security risk posed by your supply chain

2.   Establish control:

     –   Communicate your view of security needs to your suppliers
     –   Set and communicate minimum security requirements to your suppliers

3.   Check your arrangements:

     –   Build assurance activities into your supply chain management

4.   Continuous improvement:

     –   Encourage the continuous improvement of security within your supply chain
     –   Build trust with suppliers


However, for companies that do not have the resources to work through these guidelines and put together a full risk management policy, there are a couple of quick ways to see whether a potential vendor is aware of its security responsibilities:



Check for Cyber Essentials. This simple but effective UK government-backed scheme helps organisations protect themselves against a whole range of the most common cyber attacks. In particular, it focuses on protecting a company's IT infrastructure from attacks that use widely available tools and require little skill, such as opportunistic hacking, phishing and password guessing. Its five controls (firewalls, secure configuration, user access control, malware protection and security update management) map directly onto the basic weaknesses described above. Note that basic Cyber Essentials is a self-assessment; Cyber Essentials Plus adds independent technical verification, so it is the stronger signal.


Check for ISO 27001. This international standard specifies the requirements for an information security management system (ISMS): the policies, processes and controls a company uses to keep its information assets secure. ISO 27001 requires a rigorous risk management process that identifies the threats to a company's data and ensures there are appropriate processes and procedures in place to prevent problems from occurring. Certification is audited by an accredited third party, so ask to see the certificate and its scope, since a certificate may cover only part of a supplier's business.

Metafour takes its cybersecurity responsibilities seriously, so we hold both Cyber Essentials and ISO 27001 certifications. If you would like further information, please contact us on or 020 7912 2000.