
8 min read

The Hidden Risks in Your Supply Chain: Protecting What You Can't See


In cyber security, you're only as strong as your weakest partner. It's a lesson businesses across Australia and New Zealand have learned the hard way through major breaches from SolarWinds and MOVEit to the wave of incidents throughout 2025. Supply chain attacks globally have more than doubled since April 2025, with September alone bringing devastating breaches at Jaguar Land Rover, Stellantis, Volvo, and the largest npm compromise in history. For many organisations across both nations, the most dangerous vulnerabilities aren't in their own systems. They're in the complex web of suppliers, manufacturers, distributors, and service providers that form their cyber supply chain.

During Cyber Security Awareness Month in Australia and Cyber Smart Week in New Zealand, supply chain security has emerged as a critical priority. The Australian Cyber Security Centre has spotlighted supply chain security for good reason. Cyber supply chain incidents comprised 9% of all cyber security incidents ASD responded to in FY2023-24, with 107 incidents investigated. New Zealand faces similar challenges, with approximately 25% of incidents in Q1 2025 linked to likely state-sponsored groups and 37.5% attributed to cybercriminal organisations targeting supply chains. More concerning: these incidents commonly involved compromised assets, networks and infrastructure (26%), compromised accounts and credentials (24%), or data breaches (20%). And when supply chain breaches occur, they're often large-scale events, with millions of Australians having their information stolen and leaked on the dark web.

The message is clear: your suppliers' cyber security vulnerabilities are your vulnerabilities. Managing this risk isn't optional anymore. It's fundamental to business resilience.

The Acceleration of Supply Chain Attacks in 2025

The numbers tell a concerning story. Between 2021 and 2023, supply chain attacks surged by 431%. In 2025, that acceleration has continued dramatically. Supply chain attacks doubled between April and May 2025, with 79 documented incidents in just the first five months of the year. This represents a significant increase from the 6 attacks documented in January 2025 to 31 attacks in April alone.

The IT, technology, and telecommunications sectors bore the brunt, accounting for 63% of supply chain attacks. However, the threat has expanded across industries. Supply chain attacks hit 22 of 24 sectors tracked by cybersecurity researchers, with only mining and real estate remaining untouched. Manufacturing emerged as particularly vulnerable, with cyber risk scores 11.7% below the global average due to reliance on automation and sensitivity of intellectual property.

Recent high-profile incidents demonstrate the evolving sophistication of these attacks. The Salesloft-Drift integration breach in August 2025 showed how attackers exploit trusted application integrations rather than traditional infrastructure vulnerabilities. The GitHub Actions supply chain attack in early 2025 targeted automation and orchestration layers that organisations trust implicitly. These represent fundamental shifts in attack methodology, moving beyond simple malware distribution to exploiting the very trust relationships that enable modern business operations.

Understanding the Complexity of Cyber Supply Chains

A cyber supply chain is far more complex than most organisations realise, and 2025 has proven just how interconnected and vulnerable these ecosystems have become. Every time you interact with a supplier, manufacturer, distributor, or retailer, inherent risk enters your environment. These businesses can affect the security of your systems and, by extension, the security of your own products and services.

The challenge multiplies when you consider the layers. Your direct suppliers have their own suppliers. Those suppliers have sub-contractors. Each connection represents a potential entry point for threat actors. Each relationship introduces dependencies that can cascade into lost data, financial penalties, and reputational harm.

Australian businesses operating in critical infrastructure sectors face particularly acute challenges. The Security of Critical Infrastructure Act establishes clear expectations, but meeting these requirements demands rigorous due diligence, continuous monitoring, and genuine partnership with vendors who take security as seriously as you do.

The Real-World Impact of Supply Chain Compromises

Recent incidents demonstrate the stakes involved, and the pace is accelerating. Supply chain attacks have more than doubled since April 2025, with 79 cyberattacks documented in just the first five months of the year. The majority (63%) directly targeted IT, technology, and telecommunications companies, creating cascading impacts on downstream users.

September 2025 alone delivered a stark reminder of supply chain vulnerability. The largest npm supply chain compromise in history occurred when attackers phished credentials from a trusted open-source maintainer and injected cryptocurrency-stealing malware into more than 18 widely used packages downloaded by billions of applications weekly. Jaguar Land Rover suffered a cyberattack that forced production shutdowns across global operations, with disruptions lasting weeks and affecting suppliers across Europe. Stellantis, the automotive giant owning Citroën, FIAT, Jeep, and Peugeot, experienced a data breach exposing North American customer information through a compromised third-party platform. Volvo confirmed employee data exposure following a ransomware attack on its HR software provider Miljödata.

The Salesloft breach in August 2025 demonstrated how application integrations can become attack vectors. Compromised OAuth tokens allowed threat actors to access data from over 700 organisations, including CRM, cloud, collaboration, and email systems, without requiring direct credentials or malware. Collins Aerospace's passenger processing system attack disrupted major European airports including Heathrow, Brussels, and Berlin in September, highlighting how single-vendor dependencies create systemic risk.

These aren't isolated incidents. They represent a fundamental shift in the threat landscape where attackers systematically target trusted relationships, vendor ecosystems, and shared platforms to maximise impact.

For Australian organisations, the impact extends beyond immediate breach costs. There are regulatory notifications required under the Notifiable Data Breaches scheme, potential penalties under the Privacy Act, reputational damage that erodes customer trust, and operational disruption that affects service delivery. The Jaguar Land Rover incident, which forced production shutdowns extending into October 2025, demonstrates how supply chain compromises can halt entire operations. With each day of downtime costing millions in lost revenue and suppliers across Europe forced to scale back production, the cascading impact becomes clear.

The human factor compounds these risks. Regardless of how secure your systems are, individuals commonly contribute, intentionally or inadvertently, to data breaches. The September 2025 npm incident occurred because attackers successfully phished credentials from a trusted maintainer using a convincing fake domain. When those individuals work for third-party suppliers who have access to your environment, the risk amplifies significantly.

Identifying and Assessing Supply Chain Risks

Effective supply chain risk management starts with visibility. You need to identify your cyber supply chain comprehensively, including all suppliers, manufacturers, distributors, retailers, and where possible, their sub-contractors.

This means asking the right questions before engaging suppliers and continuing to ask them throughout the relationship:

  • Has the business made a commitment to Secure by Design principles?
  • Do they actively manage risks in their own cyber supply chains?
  • Have they identified all third parties involved in delivering their products and services?
  • What incident response capabilities do they maintain?
  • How transparent are they about security incidents and vulnerabilities?

The Australian Cyber Security Centre provides guidance on identifying cyber supply chain risks that result from foreign control or interference, poor security practices, lack of transparency, enduring access, or poor business practices. In some cases, the government may deem particular suppliers or their products to be national security concerns, requiring specific risk management responses. New Zealand's National Cyber Security Centre also provides guidance that outlines three key phases to manage supply chain cyber risk and improve organisational cyber resilience.

But most supply chain risk assessment falls to individual organisations. This demands risk-based prioritisation. A café supplier isn't a cyber security concern. Your managed service provider most definitely is. Focus scrutiny where it matters most: partners with access to sensitive data, critical operations, or privileged credentials.

Moving Beyond Point-in-Time Assessments

If your supply chain assessments stop once a supplier is approved, you're already behind. Ongoing oversight is critical. This includes watching for patch delays, suspicious activity, changes in a vendor's own supply chain, or shifts in their security posture.

Continuous monitoring requires appropriate tools and processes. This might include regular security questionnaires, periodic audits of high-risk vendors, threat intelligence monitoring for indicators of compromise at supplier organisations, and contractual requirements for security incident notification.

The challenge for businesses is balancing thoroughness with practicality. No organisation can fully audit every vendor. The solution lies in risk-based approaches guided by impact assessments, concentrating effort where it delivers the most value.

Technology plays an important role here. Supply chain risk monitoring capabilities can watch vendors and partners for third-party threats, providing early warning when supplier environments show signs of compromise. Intelligence-driven platforms can correlate threat data across your supply chain, identifying patterns that individual assessments might miss.

The Governance and Cultural Dimensions

Supply chain security requires collaboration between security, procurement, and business units. This represents a cultural shift for many organisations.

Procurement teams need to understand why they can't simply choose the cheapest or fastest supplier without assessing cyber risk. Business leaders must grasp that resilience sometimes comes at a cost, but that cost is modest compared to the financial and reputational impact of a major breach. Vendors need to see themselves as partners in security, not just outside service providers.

Contracts play a crucial role in establishing expectations. Strong contracts should specify security requirements clearly, establish audit rights and monitoring capabilities, define incident notification timeframes and procedures, allocate liability appropriately, and include provisions for termination if security standards aren't maintained.

But contracts alone aren't sufficient. Effective supply chain security depends on genuine partnerships where vendors understand their role in your security posture and you understand your role in theirs. After all, you're part of someone else's supply chain too.

Preparing for the Inevitable

No matter how robust your controls, some breaches will slip through. It's not a matter of if. It's a matter of when. This reality demands that incident response plans account for third-party failures.

Five key questions to address in Business Continuity Planning:

  1. Who communicates with the vendor during an incident?
  2. How quickly can access be revoked if necessary?
  3. How will regulators and customers be notified?
  4. What alternative arrangements exist if a critical supplier's services are disrupted?
  5. How do you maintain business continuity when supply chain compromises occur?

These aren't theoretical concerns. Australasian businesses have faced each of these scenarios. The organisations that recovered most effectively were those that had planned for supply chain incidents and rehearsed their responses through tabletop exercises or simulations.

Reducing Complexity Through Integration

One of the most effective strategies for managing supply chain risk is reducing unnecessary complexity. Every additional vendor represents another potential vulnerability. Consolidating security functions with trusted partners who offer integrated solutions means fewer relationships to manage, clearer lines of accountability, and reduced attack surface.

This doesn't mean putting all eggs in one basket. It means being strategic about which partnerships matter most and investing in those relationships accordingly. For many Australasian organisations, this translates to working with comprehensive cyber security partners like Insicon Cyber who can deliver everything from strategic advisory to 24/7 managed services, reducing the need for multiple point solution vendors.

Integrated approaches also enable better visibility. When security operations, compliance management, and incident response sit under one partnership, coordination improves dramatically. There's no confusion about who's responsible when threats emerge. There's no gap between strategy and execution.

Taking Action on Supply Chain Security

For Australasian businesses evaluating their supply chain security posture, several concrete steps can drive meaningful improvement:

  • Conduct a comprehensive inventory of your cyber supply chain, identifying all suppliers with access to your systems, data, or networks.
  • Implement risk-based assessment processes that focus scrutiny on high-risk relationships while maintaining appropriate oversight of lower-risk vendors.
  • Establish clear security requirements in contracts and service level agreements, including incident notification obligations and audit rights.
  • Deploy continuous monitoring capabilities that provide visibility into supplier security posture and detect indicators of compromise.
  • Develop incident response plans that specifically address supply chain scenarios, including communication protocols and alternative arrangements.
  • Consider consolidating security relationships with partners who offer integrated, comprehensive solutions, reducing vendor complexity and associated risks.
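The first and fourth steps above, applied to the software dependency layer the September 2025 npm compromise abused, can be partly automated. The following is an added example written for this post, not Insicon Cyber's tooling: it audits an npm `package-lock.json` (constructed inline) for dependencies that lack an integrity hash and for versions that match an advisory list. The package names and versions in the advisory list are placeholders, not the packages actually affected in September 2025.

```python
"""Audit a package-lock.json (lockfileVersion 3 layout) for supply-chain hygiene.

Added example for this post, not Insicon Cyber's tooling. It checks two things a
defender wants after an incident like the September 2025 npm compromise:
  1. every resolved package carries an integrity hash, so a swapped tarball fails install;
  2. no resolved package matches a list of known-bad versions (a constructed list
     with placeholder names here, not the real affected packages).
"""
import json

# Constructed advisory list: placeholder package names and versions, NOT real IoCs.
KNOWN_BAD = {
    "example-colour-utils": {"1.4.2"},
    "example-debug-shim": {"4.0.9", "4.0.10"},
}

# Constructed lockfile in npm lockfileVersion 3 layout (keys under "packages" are paths).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"example-colour-utils": "^1.4.0"}},
        "node_modules/example-colour-utils": {
            "version": "1.4.2",
            "resolved": "https://registry.example.invalid/example-colour-utils-1.4.2.tgz",
            "integrity": "sha512-PLACEHOLDERHASH=="
        },
        "node_modules/example-debug-shim": {
            "version": "4.0.8",
            "resolved": "https://registry.example.invalid/example-debug-shim-4.0.8.tgz"
        },
    },
})


def audit_lockfile(lock_text: str, known_bad: dict) -> dict:
    """Return findings keyed by package path; an empty dict means nothing flagged."""
    lock = json.loads(lock_text)
    findings = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        # Lockfile entries name the package by path; "@scope/pkg" survives the split.
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version")
        issues = []
        if not entry.get("integrity"):
            issues.append("missing integrity hash")
        if version in known_bad.get(name, set()):
            issues.append(f"known-compromised version {version}")
        if issues:
            findings[path] = issues
    return findings


if __name__ == "__main__":
    for path, issues in audit_lockfile(SAMPLE_LOCK, KNOWN_BAD).items():
        print(f"{path}: {'; '.join(issues)}")
```

Run against a real lockfile by reading the file into `audit_lockfile` and replacing `KNOWN_BAD` with the versions named in a vendor or registry advisory.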

The Path Forward

Supply chain risk management has become a core pillar of organisational resilience. For CISOs and security leaders, it's no longer a compliance exercise. It's a strategic imperative that requires ongoing attention, appropriate investment, and genuine partnership across the business.

The threat landscape continues to evolve. Nation-state actors increasingly target supply chains to gain access to high-value targets. Cybercriminals exploit trusted relationships to move laterally through interconnected organisations. AI-powered attacks make sophisticated supply chain compromises easier to execute at scale.

Meeting these challenges demands comprehensive approaches that connect strategic risk assessment with operational monitoring, contractual requirements with continuous validation, and Australian regulatory compliance with global best practices.

Ready to strengthen your supply chain security?

The conversation starts with visibility into your current relationships, clear-eyed assessment of where risks lie, and strategic decisions about which partnerships deliver both operational value and security confidence.


Sources

This blog draws on research and reporting from:

  • Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) - Annual Cyber Threat Report 2023-2024 and Cyber Security Awareness Month 2025 resources
  • Cyble Research - "Supply Chain Attacks Surge In April-May 2025" and "Supply Chain Attacks Double In 2025"
  • Cyber Daily - "Supply chain risk: Understanding the weakest link in cyber security"
  • Cyberint - "The Weak Link: Recent Supply Chain Attacks Examined"
  • Check Point Research - Threat Intelligence Reports (September 2025)
  • Strobes Security - "Top Data Breaches of September 2025"
  • Industrial Cyber - "Jaguar Land Rover cyberattack deepens, with prolonged production outage, supply chain fallout"
  • Australian National Audit Office (ANAO) - "Management of Cyber Security Supply Chain Risks"
  • Office of the Australian Information Commissioner (OAIC) - Notifiable Data Breaches reports
  • Cowbell Cyber - Supply chain cyber attack statistics and risk analysis
  • Security Brief Australia - Supply chain security reporting
  • Australian Cyber Security Magazine - Industry analysis and incident reporting

Insicon Cyber delivers integrated cyber security solutions that reduce vendor complexity while enhancing protection. From supply chain risk assessment to continuous monitoring and managed services, our comprehensive partnership approach helps Australian businesses navigate third-party risks with confidence.
