Assessing Supply Chain and Identity Threats: When Trust Turns Toxic
This blog was written by Sean Tickle, Cyber Services Director, Littlefish
It’s 2025, and threat actors don’t bother battering down your front gate anymore. Brute force is basic, and rainbow attacks are old hat. When you can slip in through a trusted partner, capture a token, or simply get that Oauth app you've been working on in someone’s environment, it’s easy to stroll on in through the front door.
Cyber-attacks are evolving, and today’s frontline includes trusted third-party vendors and cloud platforms that simplify life but also expose your data (I’m looking at you, “AI powered” solutions), since each one is a potential entry point for compromise.
That sprawl of SaaS, Trusted third parties, and new Tactics, Techniques and Procedures (TTPs) - the holy grail for us threat detection nerds – isn’t slowing down and the line between supply chain and identity threats is blurring (since both stem from the same root issue: organisations operating in ecosystems of trust that haven’t evolved to match today’s threat landscape).
"Trusting a vendor’s security posture or relying on that once-a-year questionnaire with a 'trust me bro' attitude, leaves critical gaps. And while those gaps might seem like someone else’s problem, they become yours fast when your data, backups, and business grind to a halt… usually thanks to the very people meant to prevent it. I say this with love to my fellow MSSPs, we are failing our customers if we don’t take ourselves seriously from a security perspective and “sip our own champagne”.
Case in point? The recent M&S attack, which became the latest victim of this trend back in April 2025.
The attackers breached a third-party supplier and gained access to the retailer’s systems. The subsequent ransomware attack halted online sales for over six weeks, cost hundreds of millions in lost revenue, and exposed sensitive customer data. Was it their fault for trusting their supplier?
Remember, this wasn’t a failure of firewalls or patching; it wasn’t a missed “logon outside of expected country” alert or not seeing the bat signal in the sky. At its core, it was a failure of identity assurance and too much supplier trust.
Once attackers had a valid login from a trusted vendor, they walked straight in and then the valiant defenders (I’m a shameless blue teamer at heart) jobs get quite a bit harder.
These incidents show a repeating pattern that is used oh so often:
- Third-party compromise → attackers gain privileged access.
- Identity theft → stolen credentials or compromised trusted routes into environment.
- Business disruption → operations grind to a halt before the breach is even detected.
Given the amount of Incident Response (IR) engagements I find myself wading into, the message is clear: we need to “trust but verify”. After all, if trust is your only line of defence, then it’s time to polish off your Incident Response Plan and strap in, as compromise is only a matter of time.
Why organisations still miss the point
Many organisations treat supplier risk and authentication resilience as secondary issues. They’re not.
According to the UK Government’s Cyber Security Breaches Survey, just over 13% of organisations review the cyber risks posed by their immediate suppliers, and only 7% assess risks across their wider supply chain – a level of oversight that’s not just inadequate, but downright dangerous.
Unfortunately, what we’re seeing is procurement teams prioritising cost and delivery over security – and while supplier contracts may contain vague security clauses, they rarely enforce continuous monitoring.
To clarify, it’s not all organisations, as many appear to truly understand that a rush to the bottom is going to cost you big in the long run. Still, too many organisations and partners still rely on SMS codes or phone authentication (yes, really!) with no real way to verify who they’re talking to. It’s an open invite to phishing, SIM swapping, and AI-driven attacks we can still spot (for now), but that won’t last.
Compliance frameworks haven’t kept pace either. GDPR focuses on data protection, and while NIS 2 and proposals like the Cyber Security and Resilience Bill will raise standards, enforcement takes time. Remember, waiting for regulation is no substitute for proactive resilience.
What needs to change?
Boards and leadership teams must stop treating identity resilience and third-party security as niche technical issues. They are existential business risks. In my view, the following actions are essential:
- Board-level ownership: Supplier and identity risk should sit alongside financial and operational risk in governance discussions. Accountability cannot be left to IT alone and if I hear one more “Oh, that’s the CISO’s problem” I’m going to lose what little hair I have left ...
- Continuous supplier monitoring: Annual questionnaires are meaningless. Organisations need live visibility into third-party security postures and to take them to task if they’re not meeting the standard.
- Zero-trust identity architecture: Assume every login could be malicious. Enforce phishing-resistant multi-factor authentication, conditional access policies, and strict principle of least privilege controls for your network and data.
- Integrated incident response: Crisis plans must cover both internal breaches and supplier-originated attacks, with aligned communication and recovery processes.
- Culture shift: Security is a thread through your business; it’s not a siloed watchtower. Security needs to empower your core businesses ideals, not obstruct them.
The cost of complacency
Supply chains and identities are now favoured attack vectors because they bypass traditional defences and exploit misplaced trust. Identity resilience and supplier assurance are the true foundations of modern cyber defence.
My message to business leaders is clear: stop thinking of cyber security as protecting your IT and data environment. Today, protecting your ‘crown jewels’ (your most critical business functions) means securing every identity, every partner, and every door into your organisation.
Sean Tickle is Cyber Services Director at Littlefish, a UK-based managed IT, cyber security, and Microsoft business solutions service provider. Littlefish delivers enhanced user experiences, improved customer satisfaction, and authentic business value 24//7 to more than 130,000 IT users.
For more information please contact:
Chris Hazell
Sue Daley OBE
Sue Daley OBE
Sue leads techUK's Technology and Innovation work.
This includes work programmes on cloud, data protection, data analytics, AI, digital ethics, Digital Identity and Internet of Things as well as emerging and transformative technologies and innovation policy.
In 2025, Sue was honoured with an Order of the British Empire (OBE) for services to the Technology Industry in the New Year Honours List.
She has been recognised as one of the most influential people in UK tech by Computer Weekly's UKtech50 Longlist and in 2021 was inducted into the Computer Weekly Most Influential Women in UK Tech Hall of Fame.
A key influencer in driving forward the data agenda in the UK, Sue was co-chair of the UK government's National Data Strategy Forum until July 2024. As well as being recognised in the UK's Big Data 100 and the Global Top 100 Data Visionaries for 2020 Sue has also been shortlisted for the Milton Keynes Women Leaders Awards and was a judge for the Loebner Prize in AI. In addition to being a regular industry speaker on issues including AI ethics, data protection and cyber security, Sue was recently a judge for the UK Tech 50 and is a regular judge of the annual UK Cloud Awards.
Prior to joining techUK in January 2015 Sue was responsible for Symantec's Government Relations in the UK and Ireland. She has spoken at events including the UK-China Internet Forum in Beijing, UN IGF and European RSA on issues ranging from data usage and privacy, cloud computing and online child safety. Before joining Symantec, Sue was senior policy advisor at the Confederation of British Industry (CBI). Sue has an BA degree on History and American Studies from Leeds University and a Masters Degree on International Relations and Diplomacy from the University of Birmingham. Sue is a keen sportswoman and in 2016 achieved a lifelong ambition to swim the English Channel.
- Email:
- [email protected]
- Phone:
- 020 7331 2055
- Twitter:
- @ChannelSwimSue,@ChannelSwimSue
Laura Foster
Laura Foster
Laura is techUK’s Associate Director for Technology and Innovation.
Laura advocates for better emerging technology policy in the UK, including quantum, future of compute technologies, semiconductors, digital ID and more. Working alongside techUK members and UK Government she champions long-term, cohesive, and sustainable investment that will ensure the UK can commercialise future science and technology research. Laura leads a high-performing team at techUK, as well as publishing several reports on these topics herself, and being a regular speaker at events.
Before joining techUK, Laura worked internationally as a conference researcher and producer exploring adoption of emerging technologies. This included being part of the team at London Tech Week.
Laura has a degree in History (BA Hons) from Durham University and is a Cambridge Policy Fellow. Outside of work she loves reading, writing and supporting rugby team St. Helens, where she is from.
- Email:
- [email protected]
- LinkedIn:
- www.linkedin.com/in/lauraalicefoster
Authors
Sean Tickle
Sean Tickle is Cyber Services Director at Littlefish, a UK-based managed IT, cyber security, and Microsoft business solutions service provider. Littlefish delivers enhanced user experiences, improved customer satisfaction, and authentic business value 24//7 to more than 130,000 IT users.
