02 Sep 2025
by Sean Tickle

Assessing Supply Chain and Identity Threats: When Trust Turns Toxic


This blog was written by Sean Tickle, Cyber Services Director, Littlefish

It’s 2025, and threat actors don’t bother battering down your front gate anymore. Brute force is basic, and rainbow-table attacks are old hat. When you can slip in through a trusted partner, capture a token, or simply get the OAuth app you’ve been building consented into someone’s environment, it’s easy to stroll on in through the front door. 

Cyber-attacks are evolving, and today’s frontline includes trusted third-party vendors and cloud platforms that simplify life but also expose your data (I’m looking at you, “AI powered” solutions): each one is a potential entry point for compromise. 

That sprawl of SaaS, trusted third parties and new Tactics, Techniques and Procedures (TTPs), the holy grail for us threat detection nerds, isn’t slowing down, and the line between supply chain and identity threats is blurring. Both stem from the same root issue: organisations operating in ecosystems of trust that haven’t evolved to match today’s threat landscape. 

Trusting a vendor’s security posture, or relying on that once-a-year questionnaire with a “trust me bro” attitude, leaves critical gaps. And while those gaps might seem like someone else’s problem, they become yours fast when your data, backups and business grind to a halt… usually thanks to the very people meant to prevent it. I say this with love to my fellow MSSPs: we are failing our customers if we don’t take ourselves seriously from a security perspective and “sip our own champagne”.   

Case in point? M&S, which became the latest victim of this trend back in April 2025.  

The attackers breached a third-party supplier and gained access to the retailer’s systems. The subsequent ransomware attack halted online sales for over six weeks, cost hundreds of millions in lost revenue, and exposed sensitive customer data. Was it their fault for trusting their supplier? 

Remember, this wasn’t a failure of firewalls or patching; it wasn’t a missed “logon outside of expected country” alert or a failure to see the bat signal in the sky. At its core, it was a failure of identity assurance and too much supplier trust.  

Once attackers had a valid login from a trusted vendor, they walked straight in, and from that point the valiant defenders’ (I’m a shameless blue teamer at heart) job gets quite a bit harder. 

These incidents show a pattern that repeats oh so often: 

  • Third-party compromise → attackers gain privileged access. 
  • Identity theft → stolen credentials or compromised trusted routes into the environment. 
  • Business disruption → operations grind to a halt before the breach is even detected. 

Given the number of Incident Response (IR) engagements I find myself wading into, the message is clear: we need to “trust but verify”. After all, if trust is your only line of defence, then it’s time to dust off your Incident Response Plan and strap in, as compromise is only a matter of time. 

Why organisations still miss the point 

Many organisations treat supplier risk and authentication resilience as secondary issues. They’re not.  

According to the UK Government’s Cyber Security Breaches Survey, just over 13% of organisations review the cyber risks posed by their immediate suppliers, and only 7% assess risks across their wider supply chain – a level of oversight that’s not just inadequate, but downright dangerous.  

Unfortunately, what we’re seeing is procurement teams prioritising cost and delivery over security – and while supplier contracts may contain vague security clauses, they rarely enforce continuous monitoring.  

To clarify, it’s not all organisations, as many appear to truly understand that a race to the bottom is going to cost you big in the long run. Still, too many organisations and partners rely on SMS codes or voice-call authentication (yes, really!) with no real way to verify who they’re talking to. A six-digit code can be relayed in real time by a phishing proxy, and a phone number can be moved to an attacker’s SIM, so neither proves much about who is on the other end. It’s an open invite to phishing, SIM swapping and AI-driven impersonation that we can still spot (for now), but that won’t last. 

Compliance frameworks haven’t kept pace either. GDPR focuses on data protection, and while NIS 2 and proposals like the Cyber Security and Resilience Bill will raise standards, enforcement takes time. Remember, waiting for regulation is no substitute for proactive resilience.  

What needs to change? 

Boards and leadership teams must stop treating identity resilience and third-party security as niche technical issues. They are existential business risks. In my view, the following actions are essential: 

  • Board-level ownership: Supplier and identity risk should sit alongside financial and operational risk in governance discussions. Accountability cannot be left to IT alone, and if I hear one more “Oh, that’s the CISO’s problem” I’m going to lose what little hair I have left…  
  • Continuous supplier monitoring: Annual questionnaires are meaningless. Organisations need live visibility into third-party security postures and to take them to task if they’re not meeting the standard. 
  • Zero-trust identity architecture: Assume every login could be malicious. Enforce phishing-resistant multi-factor authentication (FIDO2 keys, passkeys or certificate-based sign-in rather than SMS or push prompts), conditional access policies, and strict least-privilege controls over your network and data. 
  • Integrated incident response: Crisis plans must cover both internal breaches and supplier-originated attacks, with aligned communication and recovery processes. 
  • Culture shift: Security is a thread through your business; it’s not a siloed watchtower. Security needs to empower your core business goals, not obstruct them. 
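What “trust but verify” looks like at the sign-in layer, for the weak-MFA point above and the zero-trust item in this list: the script below is an added worked example, not Littlefish’s tooling or anything from the M&S case. It triages sign-in events for exactly the pattern the post describes (a valid login arriving through a partner identity, an admin on a phishable second factor, an OAuth app holding far more permission than a vetted supplier needs) and blocks rather than allows when the credential itself is not phishing-resistant. The event field names are an assumption loosely modelled on Entra ID sign-in log fields; the tenant ID, role names, approved app list and every event in SAMPLE_LOG are constructed for the illustration.

```python
"""Triage sign-in events for the pattern the post describes: a valid login
arriving through a trusted partner, a privileged account on a phishable
second factor, or an OAuth app that has been granted far too much.

Added worked example, not Littlefish tooling.  The event field names are an
assumption loosely modelled on Entra ID sign-in log fields; the policy values
and the events in SAMPLE_LOG are constructed for illustration.
"""
import json

# Second factors that survive a real-time phishing proxy or a SIM swap.
PHISHING_RESISTANT = {
    "FIDO2 security key", "Passkey", "Windows Hello for Business",
    "Certificate-based authentication",
}
# Second factors that do not: the code or prompt can be relayed or hijacked.
PHISHABLE_SECOND_FACTORS = {
    "Text message", "Voice call", "Mobile app notification",
    "Mobile app verification code",
}
# Application permissions a supplier's OAuth app should not hold unless vetted.
HIGH_PRIVILEGE_APP_PERMISSIONS = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Mail.ReadWrite", "Files.ReadWrite.All",
}

DEFAULT_POLICY = {  # assumed values for the illustration
    "home_tenant_id": "11111111-1111-1111-1111-111111111111",
    "privileged_roles": {"Global Administrator", "Privileged Role Administrator",
                         "Exchange Administrator"},
    "approved_app_ids": {"app-backup-vendor"},   # vetted supplier apps
    "expected_countries": {"GB"},
}


def triage_event(event, policy=DEFAULT_POLICY):
    """Return (verdict, findings) for one event: 'allow', 'review' or 'block'."""
    findings = []
    if event.get("signInType") == "servicePrincipal":
        perms = set(event.get("appPermissions", [])) & HIGH_PRIVILEGE_APP_PERMISSIONS
        if perms and event.get("appId") not in policy["approved_app_ids"]:
            findings.append(f"unvetted app {event.get('appDisplayName')} holds {sorted(perms)}")
        return ("block" if findings else "allow"), findings

    methods = {d["authenticationMethod"] for d in event.get("authenticationDetails", [])
               if d.get("succeeded")}
    second_factors = methods - {"Password"}
    strong = bool(second_factors & PHISHING_RESISTANT)
    external = (event.get("userType") == "Guest"
                or event.get("homeTenantId") != policy["home_tenant_id"])
    roles = set(event.get("roles", [])) & policy["privileged_roles"]
    country = event.get("location", {}).get("countryOrRegion")

    if not second_factors:
        findings.append("single-factor sign-in")
    elif not strong:
        findings.append(f"phishable MFA only: {sorted(second_factors)}")
    if external:
        findings.append("external identity (guest or foreign home tenant)")
    if roles:
        findings.append(f"privileged roles: {sorted(roles)}")
    if country and country not in policy["expected_countries"]:
        findings.append(f"sign-in from {country}")

    # A partner or admin login is allowed on the strength of its credential,
    # not on the strength of the relationship.
    if (external or roles) and not strong:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, findings


def triage_log(jsonl, policy=DEFAULT_POLICY):
    """Triage newline-delimited JSON events; returns one dict per event."""
    results = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        verdict, findings = triage_event(event, policy)
        who = event.get("userPrincipalName") or event.get("appDisplayName")
        results.append({"who": who, "verdict": verdict, "findings": findings})
    return results


# Constructed sample events (not real log data).
SAMPLE_LOG = """\
{"signInType": "user", "userPrincipalName": "alice@example.com", "userType": "Member", "homeTenantId": "11111111-1111-1111-1111-111111111111", "roles": [], "location": {"countryOrRegion": "GB"}, "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}, {"authenticationMethod": "FIDO2 security key", "succeeded": true}]}
{"signInType": "user", "userPrincipalName": "support@supplier.example", "userType": "Guest", "homeTenantId": "22222222-2222-2222-2222-222222222222", "roles": [], "location": {"countryOrRegion": "GB"}, "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}, {"authenticationMethod": "Text message", "succeeded": true}]}
{"signInType": "user", "userPrincipalName": "bob.admin@example.com", "userType": "Member", "homeTenantId": "11111111-1111-1111-1111-111111111111", "roles": ["Global Administrator"], "location": {"countryOrRegion": "GB"}, "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}, {"authenticationMethod": "Mobile app notification", "succeeded": true}]}
{"signInType": "user", "userPrincipalName": "carol@example.com", "userType": "Member", "homeTenantId": "11111111-1111-1111-1111-111111111111", "roles": [], "location": {"countryOrRegion": "US"}, "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}, {"authenticationMethod": "Mobile app notification", "succeeded": true}]}
{"signInType": "servicePrincipal", "appId": "app-ai-summariser", "appDisplayName": "AI Inbox Summariser", "appPermissions": ["Mail.ReadWrite", "Directory.ReadWrite.All"]}
{"signInType": "servicePrincipal", "appId": "app-backup-vendor", "appDisplayName": "Backup Vendor Agent", "appPermissions": ["Files.ReadWrite.All"]}
"""

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['verdict']:6} {r['who']:30} {'; '.join(r['findings'])}")
```

Run as-is and the supplier guest on SMS, the Global Administrator on a push prompt and the unvetted “AI” app all come back as block, the internal user from an unexpected country as review, and only the FIDO2 sign-in and the vetted backup app as allow. The design choice worth copying is the last block of triage_event: an external or privileged identity is never allowed on the strength of the trust relationship, only on the strength of a phishing-resistant credential, which is the difference between a questionnaire and verification.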

The cost of complacency 

Supply chains and identities are now favoured attack vectors because they bypass traditional defences and exploit misplaced trust. Identity resilience and supplier assurance are the true foundations of modern cyber defence. 

My message to business leaders is clear: stop thinking of cyber security as merely protecting your IT and data environment. Today, protecting your ‘crown jewels’ (your most critical business functions) means securing every identity, every partner, and every door into your organisation.  

Sean Tickle is Cyber Services Director at Littlefish, a UK-based managed IT, cyber security, and Microsoft business solutions service provider. Littlefish delivers enhanced user experiences, improved customer satisfaction, and authentic business value 24/7 to more than 130,000 IT users.   


Part of techUK Cloud Week 2025.
