5 steps to strengthen cyber defences against third-party risk

26 May 2025 Consultancy.uk

Following a wave of high-profile cyber-attacks on major UK retailers including M&S, Co-op and Harrods, cyber security experts from around the country are urging companies to tighten supply chain security to avoid becoming the next headline. Katherine Kearns from S-RM shares five key steps organisations can take to strengthen their cyber defences against third-party risk.

1) Identify critical vendors

Begin by understanding the organisation’s third-party exposure and the impact this can have on the business. It is particularly important to identify and inventory third-party suppliers that have access to sensitive data, have access into your internal environment, provide critical software, and could significantly affect business continuity if disrupted. 

2) Implement continuous monitoring

Move beyond point-in-time assessments. Use automated tools and threat intelligence to continuously monitor vendor security postures and flag emerging risks.

3) Integrate vendors into continuity plans

Validate business continuity and disaster recovery plans adopted by the suppliers and align your own incident response and business continuity plans with them. Establish redundancies and workarounds to avoid single points of failure. Exercise disruptive scenarios with critical suppliers to improve joint recovery processes, exercise communication plans during critical events, and build muscle memory around critical decision-making.

4) Mandate security controls contractually

Include clear security obligations in supplier contracts. These should cover access controls, encryption standards, breach notification protocols and right-to-audit clauses. Include compliance with these contractual security obligations in the security posture assessment of critical third parties.

5) Secure your own perimeter

Strengthen your internal defences to limit the damage if a third party is compromised. Prioritise measures around:

  • Employee training and social engineering awareness, including additional identity verification procedures to prevent impersonation of employees and of third parties with access to the environment
  • Heightened security protocols for account reset or credential reminder requests
  • Enhanced monitoring of third-party user activity
  • Continuous identification and monitoring of the external attack surface, including new internet-facing assets and vulnerable remote access methods
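The last bullet, and the "move beyond point-in-time assessments" advice in step 2, both come down to the same mechanism: keep a baseline of what is exposed, take regular snapshots, and alert on the difference. The following script is an added example (not code from the article or from S-RM) of that diffing step for an external attack surface. It assumes two inventory snapshots of internet-facing hosts, for instance exported from an attack-surface scanner, each listing hostname, IP, open ports and the team or supplier responsible; the host records, port list and vendor names below are all constructed for the example.

```python
"""Flag drift in an organisation's external attack surface between two snapshots.

Added example, not the article's or S-RM's own tooling. It assumes a baseline
and a current inventory of internet-facing hosts and reports:
  * hosts that are new since the baseline,
  * remote-access / management services newly reachable from the internet,
  * hosts owned by a supplier that is not on the approved vendor list.
All hosts, ports and vendor names below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Services a defender normally wants behind a VPN or bastion rather than
# directly internet-facing (constructed list; extend to suit your estate).
RISKY_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}


@dataclass(frozen=True)
class Host:
    hostname: str
    ip: str
    ports: frozenset[int]
    owner: str  # internal team or third party responsible for the asset


def build_index(hosts: list[Host]) -> dict[str, Host]:
    """Key a snapshot by IP so the two inventories can be compared host by host."""
    return {h.ip: h for h in hosts}


def attack_surface_drift(baseline: list[Host], current: list[Host],
                         approved_vendors: set[str]) -> dict[str, list]:
    """Compare the current snapshot against the baseline and return findings."""
    base = build_index(baseline)
    cur = build_index(current)
    findings: dict[str, list] = {"new_hosts": [], "new_risky_ports": [],
                                 "unapproved_owner": []}
    for ip, host in cur.items():
        prev = base.get(ip)
        if prev is None:
            # Asset was not in the baseline at all: new internet-facing host.
            findings["new_hosts"].append(host.hostname)
            prev_ports: frozenset[int] = frozenset()
        else:
            prev_ports = prev.ports
        # Only ports that were NOT already open count as drift.
        for port in sorted(host.ports - prev_ports):
            if port in RISKY_PORTS:
                findings["new_risky_ports"].append(
                    (host.hostname, port, RISKY_PORTS[port]))
        # Tie the asset back to the vendor inventory from step 1.
        if host.owner not in approved_vendors:
            findings["unapproved_owner"].append((host.hostname, host.owner))
    return findings


# Constructed sample snapshots (documentation-range addresses, not real hosts).
BASELINE = [
    Host("www.example.test", "203.0.113.10", frozenset({443}), "internal-web"),
    Host("mail.example.test", "203.0.113.11", frozenset({25, 443}), "internal-it"),
    Host("portal.example.test", "203.0.113.12", frozenset({443}), "VendorA"),
]
CURRENT = [
    Host("www.example.test", "203.0.113.10", frozenset({443}), "internal-web"),
    # RDP has appeared on the mail host since the baseline.
    Host("mail.example.test", "203.0.113.11", frozenset({25, 443, 3389}), "internal-it"),
    Host("portal.example.test", "203.0.113.12", frozenset({443}), "VendorA"),
    # Brand-new host, SSH exposed, owned by a supplier not on the approved list.
    Host("dev-jump.example.test", "203.0.113.40", frozenset({22}), "VendorB"),
]
APPROVED_VENDORS = {"internal-web", "internal-it", "VendorA"}


def run_example() -> dict[str, list]:
    """Run the drift check over the constructed snapshots."""
    return attack_surface_drift(BASELINE, CURRENT, APPROVED_VENDORS)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

Run it and the three categories come back populated: the new jump host, the RDP and SSH exposures, and the unapproved owner. The point of keying on IP and diffing port sets is that an unchanged estate produces no findings, so the same check can run on every snapshot without drowning the team in repeats; in practice the approved-vendor set is the critical-supplier inventory from step 1, so an asset appearing under an unknown supplier is itself a finding worth chasing.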

Hacks in retail

In recent weeks, the UK's retail sector has been rattled by high-profile cyber-attacks. At M&S, hackers gained access to its systems via one of its contractors through the use of advanced social engineering techniques. M&S chief executive, Stuart Machin, said it will take an estimated £300 million hit to profits this year from the damaging cyber-attack, which it expects to disrupt its online business into July.

Earlier, Harrods and Co-op also faced incidents, although these have had less of an impact than the M&S attack.

The National Cyber Security Centre (NCSC) is working with both M&S and the Co-op, while the Metropolitan Police's Cyber Crime Unit and the National Crime Agency (NCA) are investigating the M&S attack.
