When Jaguar Land Rover’s production line ground to a halt at the end of Q3 2025, the culprit wasn’t a shortage of parts. It was a cyber breach. Just weeks later, airports across Europe faced chaos after attackers compromised Collins Aerospace’s MUSE software.

Production delays and inventory shortages are no longer the leading causes of disruption. Today’s fragility stems from digital interdependence. From logistics platforms to vendor credentialing systems, every digital connection is now a potential attack vector. A single compromised supplier can halt manufacturing lines, delay shipments and expose sensitive data, even when an organization’s core systems remain secure.

Last year was a wake-up call for businesses around the world. Household brands, from Hertz to Google to Farmers Insurance, made headlines after falling victim to cyberattacks that began not inside their own networks, but through trusted partners.

The warning signs have been there for years. Back in 2021, Gartner predicted that 45% of organizations globally would experience attacks on their software supply chains by 2025. That figure now looks conservative. A recent study showed that 61% of businesses have suffered a supply chain breach in the last year alone, with nearly one-third reporting operational disruption or financial loss as a result.

These numbers are more than statistics; they signal a systemic issue. As businesses have grown more connected (digitally, operationally, and geographically), the attack surface has exploded. What was once a collection of physical suppliers is now a mesh of digital relationships: cloud providers, software-as-a-service platforms, logistics partners and data processors. Each of these entities, however small, can become an entry point for attackers.

Small Vendors Open Big Doors

Modern enterprises rely on vast ecosystems of third parties to manage everything from data processing and analytics to payroll and procurement. These digital supply chains are immensely efficient, but also deeply complex. The more connected a business becomes, the more hidden dependencies it creates.

Cybercriminals have learned to exploit that. Instead of targeting heavily fortified enterprises directly, attackers are turning their attention to smaller vendors; what they consider the “soft underbelly” of the supply chain. These organizations often have weaker defenses, fewer dedicated security staff, and less mature governance.

The cyberattack on retailer Mango is a prime example. In October, 2025, the company disclosed that customer data had been stolen from one of its external marketing suppliers. The attackers didn’t need to breach Mango itself. They simply went through the door that was left ajar by a partner.

This tactic is paying off for threat actors. IO’s research shows that small businesses are suffering disproportionately from these cascading risks. Among cybersecurity leaders at companies with fewer than 50 employees, 28% reported operational disruption or downstream partner issues following a data breach, compared with 21% of large enterprises. Smaller firms often lack the resources to contain the fallout, turning what might have been a localized incident into a chain reaction.

Despite the growing body of evidence, many organizations remain overconfident in their preparedness. A large majority of cybersecurity leaders remain confident in their ability to respond to a breach, even though more than half (61%) experienced a third-party or supply chain attack in the past 12 months.

This disconnect points to a dangerous complacency. Only 23% of respondents ranked supply chain compromise among their top emerging threats, placing it below concerns such as artificial intelligence misuse, misinformation and phishing. Yet the impact of these attacks can be devastating: Among those affected, 38% faced data breaches involving customers, employees or partners; 35% suffered financial losses or unplanned costs, and 33% endured system outages or operational disruptions.

The message is clear: Businesses are underestimating how exposed they’ve become. They may have strong internal controls and incident-response plans, but their security posture is only as strong as the weakest link in their extended network.

Beyond Checkbox Compliance

For decades, organizations have relied on static assessments and point-in-time certifications to demonstrate supplier trust. But in a world where digital connections are constantly shifting, that approach no longer works. Cyber risk has become a living system.

Enter the model of continuous assurance, an approach that moves beyond compliance checklists and instead treats vendor trust as an ongoing, measurable process. Continuous assurance means embedding security into every stage of the partnership lifecycle (think onboarding to renewal) and ensuring that assurance data remains current and actionable.

Following are key steps to making this shift:

Build security into every partnership agreement. Cybersecurity must become a core pillar of every supplier relationship, not an afterthought. That starts with embedding clear, enforceable security requirements into contracts and partnership agreements. These should define data-handling standards, notification timelines for breaches, audit rights and remediation expectations. Making cybersecurity contractual ensures accountability, and sends a clear signal that security is non-negotiable.

Move from one-time vetting to ongoing verification. A vendor that passed an initial assessment a year ago might not be secure today. Continuous assurance requires continuous visibility. Organizations should implement regular audits, automated monitoring tools and real-time risk scoring to ensure that suppliers maintain compliance over time. This kind of ongoing oversight allows security teams to detect and address issues early — before they cascade into crises.

Align with proven frameworks for consistency and scale. Frameworks such as NIST 800-53 and ISO 27001 provide a blueprint for consistent, auditable third-party governance. By aligning supplier assurance programs with these standards, organizations can benchmark progress, standardize reporting and build confidence across global operations. Programs like Cyber Essentials can also serve as entry-level frameworks for smaller vendors, helping to raise the baseline of security maturity across the ecosystem.

In today’s hyper-connected economy, the supply chain is the new front line of cyber defense. The next major shock to global operations will come from compromised credentials, outdated software or a single vendor that failed to patch a known vulnerability.

Enterprises that understand this reality will begin treating digital supply chain security with the same rigor once reserved for physical logistics. Those that don’t risk finding themselves in the same headlines as the victims that have come before them: victims not of shortages, but of overconfidence.

Sam Peters is chief product officer with IO (formerly ISMS.online).