If you need a reason to take a closer look at your supply chain security, the recent cyberattack on Marks & Spencer (M&S) is it.
This cyberattack wasn’t a case of M&S dropping the ball on their internal systems. The breach came from a trusted third-party supplier.
And that’s exactly why it matters. You can do everything right inside your own business and still be left exposed by someone else’s vulnerabilities.
In this article, we’ll break down what happened, why it’s relevant to businesses like yours, and most importantly, the practical steps you can take to protect your operations.
How a trusted supplier brought M&S to a standstill 
In April, M&S was hit by a major cyberattack. But it wasn’t their systems that were compromised. Reports suggest the attackers may have gained access through one of their long-standing IT partners, Tata Consultancy Services (TCS).
It’s believed that social engineering played a role. This uses tactics like phishing to trick people into handing over access, which means the attackers didn’t just bypass technical defences, they slipped past the human ones too.
It’s a stark reminder that cybersecurity isn’t just about strong passwords and firewalls. It’s also about the people who have access to your systems and data, even when they sit outside your organisation.
The consequences of the attack were immediate and widespread.
M&S has had to pause online orders for at least a month. Stores have struggled to keep shelves stocked, and behind the scenes, vital systems ground to a halt.
Sensitive customer data, including names, email addresses, home addresses, and even dates of birth, has been stolen. This kind of breach can severely damage customer trust.
Financially, the damage is huge, and M&S expects to lose around £300 million in profits. Recovery will stretch well into July, three months after the initial breach, but the biggest concern is the longer-term impact. In today’s market, customers don’t think twice about switching to a competitor when confidence is lost.
Understanding supply chain vulnerabilities
The M&S breach has made one thing painfully clear: even if your systems are secure, you’re still at risk if your suppliers aren’t. And cybercriminals know this. They’re not always trying to break down your front door; sometimes they’re looking for the side entrance that nobody is watching.
So what does this mean for your business?
It means security can’t stop at your doorstep. You need to look beyond your walls and understand who your suppliers are, how they handle your data, and what risks they might be bringing into your business.
This is where ISO 27001 Information Security, Cybersecurity and Privacy Protection can help.
ISO 27001 is the international standard for information security. It gives you a framework for identifying and managing risks on an ongoing basis. It helps you understand where your vulnerabilities are, how to apply the right controls, and how to keep things under review as your business grows and evolves.
And no, it’s not just for giants like M&S. It’s suitable for all businesses. Whether you want to strengthen your internal processes or ensure your suppliers are pulling their weight, ISO 27001 provides the tools, and the proof, that you take information security seriously.
So, with that in mind, let’s get into the practical steps you can take to reduce risk in your supply chain.
How to build a supply chain you can trust
1. Start with a risk assessment
If you don’t know who’s in your supply chain, you can’t protect it. It’s that simple.
Start by mapping out every supplier, contractor and service provider with access to your systems, data, or day-to-day operations. Then go deeper. Who do they rely on behind the scenes? You might be surprised how far the chain stretches.
Once you’ve got visibility, focus on your high-risk relationships. These are the ones with access to personal data, business-critical systems or confidential client information. These will need closer scrutiny and regular, structured risk assessments.
It might feel overwhelming, especially if you’re managing everything yourself. But frameworks like ISO 27001 provide a structured approach to assessing risks, applying the right controls, and reviewing them regularly, without adding unnecessary complexity to your day-to-day.
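The mapping and tiering described in this step can be kept as a small, repeatable script rather than a spreadsheet that drifts out of date. The example below is added here and is not code from the article or from M&S, TCS or ISO; the supplier names, access flags and dependencies are constructed for illustration. It records what each supplier can reach (personal data, critical systems, confidential information), follows the "who do they rely on" chain to surface fourth parties you were never told about, and, as a deliberately worst-case assumption, treats a sub-supplier as inheriting whatever access its upstream supplier holds until you have evidence otherwise. Suppliers that land in the high-risk tier without independent evidence on file are the ones queued for a structured assessment.

```python
"""Supplier inventory, fourth-party discovery and risk tiering.

Added example, not part of the original article. All supplier data below is
constructed; replace it with your own inventory. The inheritance rule
(downstream suppliers assumed to share upstream access) is an assumption
chosen to err on the side of caution.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The three access kinds the article singles out as high-risk.
ACCESS_KINDS = ("personal_data", "critical_systems", "confidential_info")


@dataclass
class Supplier:
    name: str
    personal_data: bool = False       # handles personal data on our behalf
    critical_systems: bool = False    # can reach business-critical systems
    confidential_info: bool = False   # sees confidential client information
    relies_on: List[str] = field(default_factory=list)  # their own suppliers
    iso27001_certified: bool = False  # independent evidence held on file
    known: bool = True                # False if we only learned the name second-hand


def build_inventory(suppliers: List[Supplier]) -> Dict[str, Supplier]:
    """Index suppliers by name; any name mentioned only as a dependency becomes
    a placeholder entry flagged as a visibility gap."""
    inv = {s.name: s for s in suppliers}
    for s in list(inv.values()):
        for dep in s.relies_on:
            if dep not in inv:
                inv[dep] = Supplier(name=dep, known=False)
    return inv


def downstream(inv: Dict[str, Supplier], name: str, seen: Set[str] = None) -> Set[str]:
    """Every supplier reachable from `name` through relies_on (fourth parties and beyond)."""
    seen = set() if seen is None else seen
    for dep in inv[name].relies_on:
        if dep not in seen:
            seen.add(dep)
            downstream(inv, dep, seen)
    return seen


def effective_access(inv: Dict[str, Supplier]) -> Dict[str, Set[str]]:
    """Direct access, plus (assumption) everything held by any upstream supplier."""
    direct = {n: {k for k in ACCESS_KINDS if getattr(s, k)} for n, s in inv.items()}
    eff = {n: set(a) for n, a in direct.items()}
    for n in inv:
        for d in downstream(inv, n):
            eff[d] |= direct[n]
    return eff


def assess(inv: Dict[str, Supplier]) -> Dict[str, dict]:
    """Tier each supplier and flag the ones needing a structured assessment."""
    eff = effective_access(inv)
    report = {}
    for name, s in inv.items():
        tier = "high" if eff[name] else "low"
        report[name] = {
            "tier": tier,
            "access": sorted(eff[name]),
            "needs_structured_assessment": tier == "high" and not s.iso27001_certified,
            "visibility_gap": not s.known,
        }
    return report


def high_risk_without_evidence(report: Dict[str, dict]) -> List[str]:
    return sorted(n for n, r in report.items() if r["needs_structured_assessment"])


# Constructed sample inventory (names and facts are illustrative only).
CONSTRUCTED_SUPPLIERS = [
    Supplier("Payroll Co", personal_data=True, relies_on=["CloudHost Ltd"], iso27001_certified=True),
    Supplier("Helpdesk MSP", critical_systems=True, relies_on=["Remote Tools Inc"]),
    Supplier("Office Cleaners"),
    Supplier("CloudHost Ltd", iso27001_certified=True),
    # "Remote Tools Inc" is never declared: it will surface as a visibility gap.
]


def sample_report() -> Dict[str, dict]:
    return assess(build_inventory(CONSTRUCTED_SUPPLIERS))


if __name__ == "__main__":
    rep = sample_report()
    for name, r in sorted(rep.items()):
        gap = " (visibility gap)" if r["visibility_gap"] else ""
        print(f"{name:16} tier={r['tier']:4} access={r['access']}{gap}")
    print("Queue for structured assessment:", high_risk_without_evidence(rep))
```

The inheritance rule is intentionally pessimistic: an undeclared sub-supplier of a high-risk partner is treated as high-risk until the partner shows you what that sub-supplier actually receives. Once a supplier provides that evidence, record the real data flow and narrow the flags rather than leaving the worst-case assumption in place.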
2. Set clear security expectations
Trust is important, but when it comes to information security, clarity matters more.
Take the time to define what good security looks like in your business. That means setting expectations for how your suppliers store and manage your data, who has access to your systems, and what the process is when things go wrong.
Don’t just assume you’ve been understood. Put it in writing. Make it a part of your contracts and onboarding process. Set a clear security baseline that every third party must meet.
This isn’t about micromanagement. It’s about giving your suppliers the information they need to meet your information security standards and reduce risk.
ISO 27001 helps you formalise these expectations, from access controls to incident response, and embed them into your daily operations.
3. Don't rely on promises - monitor compliance
Most suppliers will say they take security seriously. But when your business and your customers are on the line, that’s not enough; you need to see it for yourself.
Ask questions. How are they managing risks? What controls are in place? How often are they testing or updating their processes?
Go further and ask for evidence. Review training procedures, inspect policies, and critically, ask for independent validation like an ISO 27001 certificate.
ISO 27001 certification is one of the most reliable ways to verify a supplier’s security posture. It proves they’ve been externally audited, and are actively managing their risks, not just saying the right things.
If a supplier can’t demonstrate how they’re protecting your data, you have to ask yourself: ‘Are they a risk we’re willing to take?’
4. Keep improving because threats don't stand still
Cybersecurity isn’t a one-off exercise. Threats are constantly evolving, and so should your approach.
Continuous improvement means regularly reviewing what’s working, what’s not, and where gaps might be appearing. That might mean updating your supplier policies, tightening controls after a near-miss, or working with partners to help them improve their security posture.
And the good news? When you build these habits into your daily operations, they become easier to manage.
With ISO 27001, continuous improvement isn’t just encouraged, it’s required. The standard helps you review risks regularly and make informed decisions based on what’s happening now, not what worked last year.
Stay in touch with your suppliers. Share best practices and keep the lines of communication open. A secure supply chain isn’t achieved alone, it’s something you build and maintain together.
Protecting your business means protecting your whole supply chain
The M&S cyberattack is a stark reminder of what’s at stake. Even big brands can be brought to a standstill through vulnerabilities in their supply chain.
For businesses like yours, this means understanding and managing the risks that come with every supplier, partner, or contractor you work with.
Start by getting clear visibility into your supply chain, set clear expectations, verify what you’re being told and keep improving, because the threat landscape isn’t slowing down.
Building a secure supply chain takes time and effort. But it protects your customers, your reputation, and your bottom line. So, take these steps now to protect your business.
What Is ISO 27001 and Why Does It Matter?
ISO 27001 is the international gold standard for information security. It provides a structured framework for identifying, managing, and reducing risks across people, processes, and technology.
Being ISO 27001 certified means you’ve been independently assessed against a comprehensive set of best practices. It shows you’re not just talking about security, you’re actively taking steps to protect your systems.
When it comes to your suppliers, it also means less guesswork and more confidence in who you’re working with.
If you’re ready to strengthen your security, and your supply chain, ISO 27001 is a great place to start. Whether you’re thinking about getting certified or just want to understand more, we’re here to help. Just call our team on 0330 058 5551 or request a quote online.