Unlike New Year’s resolutions, which are often based around the start of the year (just look at the queues at the gym!), malicious cyber actors don’t suddenly change their tactics, techniques, or procedures on January 1st. However, it is useful to understand the current direction of the threat landscape. Doing so can help anticipate how cyber threats may evolve over the coming year.
AI to map out supply chain targets
It feels as though it has become somewhat cliché to discuss AI’s potential impact on cyber security. Nevertheless, that doesn’t make it any less true. AI has lowered the barrier to entry to cybercrime. New tools allow less skilled malicious actors to develop more convincing phishing, business email compromise (BEC), and other social engineering attacks.
Advanced malicious actors will likely explore additional ways to enhance their effectiveness using AI. It is likely that they will leverage AI’s ability to process and extract valuable information from large data sets. They will perform reconnaissance, map out and analyse supply chains, and pinpoint weak links ripe for exploitation. Alternatively, they could generate social engineering attacks tailored to specific vendor relationships. Using AI to identify particularly attractive targets within a supply chain may allow malicious actors to leverage the threat of a systemic disruption across a sector in their ransom demands, or to use the connectivity of a commonly shared supplier to gain a foothold into the networks of that supplier’s clients.
Increasing Regulatory Focus Down the Supply Chain
Regulations like NIS2 and DORA are expected to have a dramatic effect on the landscape this year. As they come into effect, regulators will increase scrutiny on compliance measures within the supply chain.
Organisations will need to gain visibility into concentration risks. Crucially, these risks may exist beyond their direct third-party suppliers (including 4th, 5th, and nth parties). They must also have mechanisms in place to assess the security of their entire supply chain network. This will create a domino effect, improving the operational resilience of entire sectors deemed critical national infrastructure.
In addition to strengthening operational resilience, organisations must be prepared to demonstrate their due diligence. Doing so is vital when understanding and mitigating these risks. This is especially important, given the financial, regulatory, and reputational risks that could arise from any degree of negligence.
Expect heightened pressure to demonstrate supply chain security maturity. This is not just for compliance purposes, however. Maturity will be increasingly crucial to win and retain business from clients who themselves need to assess the security of their suppliers and vendors.
Additionally, investors are likely to scrutinise these factors to ensure that potential risks do not undermine the valuation of a potential acquisition or impact their exit strategy from an asset.
Nation states will continue to leverage cyber operations
Governments are increasingly willing to disclose cyber activities linked to nation-state actors targeting critical national infrastructure.
Recent announcements have revealed attacks on sectors such as telecommunications, finance, and both local and national governments. The overarching goal of these attacks is to disrupt critical systems in pursuit of broader strategic objectives. This is particularly true in today’s turbulent geopolitical climate. The public disclosures underscore the extent to which governments have been monitoring these threats. They signal that the situation has escalated to a critical point, necessitating such transparency.
Additionally, nation-states are investing in the development of zero-day exploits. While developing zero-days is resource-intensive, these exploits offer attackers highly effective tools for targeting and compromising victims.
As previously discussed in the context of compliance, regulators will likely continue to expand the scope of sector-specific security requirements.
This will include greater emphasis on securing supply chains to mitigate the risk of sector-wide impacts from nation-state actors leveraging pre-positioned vulnerabilities, whether for political retaliation or as part of a broader strategic campaign.
Ransomware remains a major threat
Unfortunately, ransomware attacks continue to be a persistent threat. Over the years, organisations have adapted to better defend against and recover from these attacks. However, the sophistication and severity of extortion demands have escalated in kind. This evolving “cat-and-mouse” dynamic sees ransomware actors continuously adapting their tactics in response to improved security measures.
What began with traditional extortion has now evolved into more complex iterations. These include double, triple, and even quadruple extortions where a victim’s clients are contacted to pressure the victim into payment. Alternatively, additional threats to disrupt public-facing websites with Distributed Denial of Service attacks can add further pressure.
Organisations must have a comprehensive understanding of their critical business functions, the external suppliers whose services enable those functions, and the potential impact on operations if a supplier within their supply chain suffers service disruption as a result of a multi-extortion ransomware attack.
Increased client/supplier collaboration, but more scrutiny
As organisations face mounting operational and regulatory pressure to demonstrate operational resilience, collaboration and engagement with suppliers have become critical. This cooperation extends beyond traditional supplier relationships, with a growing focus on assessing concentration risks at the 4th, 5th, and nth-party levels. Understanding these risks is key to identifying potential vulnerabilities in the extended supply chain, where the impact of a breach could ripple across multiple organisations, even entire sectors.
However, while collaboration is essential, it must be complemented by a strong security framework. Organisations are increasingly implementing a zero-trust approach where no user, device, or connection—regardless of its location—should be trusted by default.
Zero trust is expected to apply not only within organisations’ internal networks but also to their interactions with external suppliers. It is vital to reducing the potential impact of any successful breach by limiting the “blast radius” and preventing lateral movement within the supply chain.
We’ve already seen information-sharing initiatives embraced by threat intelligence teams. The next step is for Third-Party Risk Management teams to collaborate more closely with threat intelligence groups. Together, they can work to adopt best practices related to supply chain security. A collective defense approach—where information, insights, and mitigation strategies are shared—will be essential to staying ahead of the rapidly evolving threat landscape.
Organisations must now prioritise supply chain security as a central focus, not only to comply with regulatory requirements but to safeguard the operational resilience of their entire ecosystem. By strengthening both collaboration and security, businesses can better mitigate the risks posed by today’s increasingly interconnected and complex supply chains.
Quantum computing
While we are still some time away from quantum computing becoming widely available and operational, it nonetheless poses a significant potential risk to the supply chain. Organisations will need to thoroughly assess to what extent their own – or a vendor’s – encryption methods protecting communication and sensitive data could be vulnerable to future quantum attacks. The concern is the “harvest now, decrypt later” approach. Essentially, hackers steal data now under the assumption that they will be able to decrypt it in the future using a quantum computer.
This assessment should be integrated into client and supplier assurance processes. Doing so will ensure organisations begin considering the risks posed by quantum computing and developing plans to mitigate those risks.
Regulators are likely to update their frameworks in the near future. These changes will likely result in requirements for organisations to secure systems against quantum threats. Doing so will help ensure businesses are prepared for a quantum-resilient future.