Global Supply Chains at Risk of Cyber Breaches and Phishing

Cyber Breaches Survey is commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office. Credit: Getty
Supply chain visibility is lagging behind expectations when dealing with modern threats of cyber attacks and phishing, according to the UK Cyber Breaches Survey.

The latest Cyber Breaches Survey from the Department for Science, Innovation and Technology and the Home Office could suggest UK organisations face a widening gap in supply chain security preparedness.

According to the survey, 43% of businesses and 28% of charities reported experiencing a breach or attack in the past year.

The data shows a concerning pattern where visibility into third-party risks remains minimal despite attackers increasingly targeting supplier relationships as entry points into larger systems.

Supply chain visibility falls short

According to the survey, only 15% of businesses and 9% of charities formally review cyber risks posed by immediate suppliers. The wider supply chain shows a more pronounced weakness. Just 6% of businesses and 4% of charities conduct due diligence beyond their direct supplier relationships.

"Supply chain risk is where attackers are increasingly pivoting and this data shows the vast majority of UK businesses have essentially no visibility into it," says Muhammad Yahya Patel, vCISO and Cybersecurity Advisor for EMEA at Huntress.

The figures could mean organisations are leaving critical entry points unmonitored. At a time when third-party relationships provide routes into larger systems, the gap in oversight could represent one of the most exposed areas of organisational security.

The survey data arrives as 2026 shapes up to be defined by supply chain incidents. High-profile breaches, including the Trivy breach, the Axios breach and the Rockstar Games hack that originated from the Anodot breach, illustrate how supplier vulnerabilities can cascade into major organisations. The pattern suggests attackers have shifted tactics to exploit the weakest links in interconnected business ecosystems.

Large organisations face disproportionate targeting through these channels. According to the survey, around 69% of large businesses and 65% of medium firms reported incidents, compared with 46% of small businesses and 42% of micro organisations. The concentration could indicate attackers view supply chains as pathways to higher value targets.

Percentage of businesses, by size, over time where cyber security was seen as a high priority for directors, trustees and other senior managers | Credit: gov.uk

Preparedness gaps compound exposure

Formal cyber security strategies exist in 70% of large businesses and 57% of medium firms. Smaller organisations lag behind these figures. Nearly a third of micro businesses consider cyber security a low priority according to the survey data.

The gap between awareness and action could leave organisations vulnerable despite stated intentions. Cyber security is considered a high priority by 72% of businesses and 60% of charities, rising to 100% among large organisations. Senior leadership attention is holding steady according to the data.

"It's encouraging to see boardroom engagement starting to recover, but accountability without preparation is performative," Muhammad notes.

"Knowing cyber is a risk and having a tested plan for when it happens are two very different things." The disconnect between priority statements and implemented strategies could suggest recognition without corresponding resource allocation.

AI adoption compounds these preparedness challenges.

"AI is growing the attack surface faster than most organisations can track," Muhammad says.

"When three in four businesses exploring AI have no security framework around it, you're building on an unstable foundation."

The technology creates new supply chain touchpoints that could amplify existing visibility gaps.

Phishing remains most disruptive

Phishing affected 38% of businesses and 25% of charities according to the survey. The attack method was ranked as the most disruptive incident by 69% of organisations that experienced a breach. AI can generate phishing emails at scale, which could explain why human vulnerability exploitation ranks high among reported incidents.

Traditional threats such as ransomware appear less commonly reported in the survey data. This could suggest attackers are shifting tactics rather than reducing overall activity. The change in approach could mean organisations face evolving threat vectors that require corresponding adjustments to defensive strategies.

Most organisations report taking steps to protect sensitive information. Around 77% of businesses and 69% of charities have safeguards such as encryption or anonymisation in place. However, 14% of businesses and 22% of charities hold unprotected personal data according to the survey.

Percentage of organisations that have rules or controls in place | Credit: gov.uk

Impact severity increases

The proportion of businesses reporting financial loss from cyber incidents has more than doubled according to the survey data. Reported losses rose from 2% to 5% year on year. Similarly, reputational damage cases climbed from 1% to 3%.

"The median cost disguises the real exposure," Muhammad points out.

"For the 5% of businesses experiencing revenue or reputational impact, the numbers are serious and those are just the ones that recognised and reported it." The full cost of a breach is almost always larger than the initial assessment, according to Muhammad.

"In a digital economy, trust is your most valuable currency and it's the hardest thing to recover once a breach goes public."

The financial figures could understate the true impact when longer-term reputational consequences are factored into assessments. For organisations with limited supply chain visibility, the damage from third-party breaches could prove particularly difficult to anticipate or contain.

The survey findings could suggest that while awareness of cyber risk is improving, implementation is not keeping pace. As threats evolve and supply chains become more complex, the gap between perception and preparedness may prove to be one of the most critical vulnerabilities facing UK organisations.
