Make 2025 the Year of Supply Chain Resilience—Not Cyber Risk
Supply chain management has always been about handling complexity – moving goods, data, and resources across a complicated web of vendors and suppliers. But as processes become increasingly digitalised, so do the risks. From phishing scams to ransomware attacks, the supply chain is becoming a playground for cybercriminals.
This article breaks down the most common cyber threats we saw in 2024, why Procurement is seen as a key target, and the steps you can take to secure your supply chain in the year ahead.
Cyber threats are major business risks, and estimates of the average cost of a data breach vary by region. According to IBM, the global average reached $4.88 million in 2024, a 10% increase on the previous year. In the United States, Statista puts the figure notably higher, at an average of $9.36 million. Whichever figure applies, the direct financial impact can be substantial, and it does not account for indirect costs such as reputational damage and erosion of customer trust.
In fact, the frequency of cyber-attacks has been escalating over the past few years. For example, in 2022 the UK saw a 77% increase in overall cyber-attacks compared with the previous year. While specific data for 2024 is not yet available, the trend points to a continued rise in cyber-attacks globally and within the UK.
Why Is Procurement a Target?
For those in procurement, the risks are particularly acute. They’re responsible for managing sensitive data and maintaining relationships with vendors, often in environments ripe for exploitation. Weak vendor security, database vulnerabilities, and common human errors create opportunities for cyber threats to infiltrate and disrupt business operations.
Here is just a small sample of supply-chain-related breaches that made headlines throughout 2024:
Stop & Shop’s supply chain disruption
In November, Stop & Shop faced product shortages after a cybersecurity incident disrupted its supply chain and delivery operations. This led to empty shelves and limited availability of fresh produce, meat, and dairy products across multiple US states.
Blue Yonder ransomware attack
System outages and operational issues plagued retailers like Starbucks and UK grocers Morrisons and Sainsbury’s following a ransomware attack on their supply chain software provider, Blue Yonder.
Expeditors International cyberattack
A February cyberattack on Seattle-based Expeditors International brought its global systems to a standstill, forcing the company to take most of its operating systems offline. “While our systems are shut down we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments,” the company stated.
Exploiting the Weak Links
It’s clear that cybercriminals are exploiting every link in the supply chain. Here’s where they hit hardest:
- Phishing scams | Emails pretending to be from trusted suppliers trick procurement managers into sharing data or approving fake payments.
- Ransomware | Malware that locks systems until a ransom is paid – not ideal for organisations reliant on real-time supply chain operations.
- Man-in-the-middle attacks | Hackers intercept communications between suppliers and buyers, altering payment details to redirect funds.
- IoT vulnerabilities | Sensors and smart devices in warehouses or transport systems are prime targets for cybercriminals looking to disrupt operations.
- Human error | Even the best systems can fail if an employee clicks the wrong link or uses “123456” or “qwerty” on a shared database.
- Double brokering | These scams exploit freight transactions by impersonating legitimate carriers. Scammers win bids, subcontract jobs to lower-cost carriers, and vanish with the profits, leaving unpaid carriers and damaged reputations in their wake.
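Two of the patterns above, supplier impersonation by lookalike sender domains and payment redirection through altered bank details, can be caught by a simple screening step on inbound supplier messages before anyone acts on them. The following is an added example written for this article, not code from any product or vendor named here; the supplier register, messages, IBANs and domain names are all constructed, and the homoglyph table and edit-distance threshold are illustrative choices.

```python
"""Screen inbound supplier messages for lookalike sender domains and
for payment-detail changes that need out-of-band verification.
Added example with constructed data; not code from the article."""
import re

# Hypothetical vendor master record: approved sender domains and the bank
# account on file for each supplier (constructed sample data).
TRUSTED_SUPPLIERS = {
    "acme-logistics.com": {"iban_on_file": "GB29NWBK60161331926819"},
    "northwind-freight.co.uk": {"iban_on_file": "GB94BARC10201530093459"},
}

# Loose IBAN shape: country code, check digits, then 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# Phrases that typically accompany a request to redirect payments.
CHANGE_WORDS = ("new bank", "updated bank", "new account", "changed our account", "remittance")


def fold(domain: str) -> str:
    """Normalise digit-for-letter substitutions so that l0gistics == logistics."""
    d = domain.lower().replace("rn", "m")
    return d.translate(str.maketrans("013578", "olestb"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean a near-miss domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str):
    """Return ('trusted'|'lookalike'|'unknown', matched_trusted_domain_or_None)."""
    d = domain.lower().strip()
    if d in TRUSTED_SUPPLIERS:
        return "trusted", d
    folded = fold(d)
    for trusted in TRUSTED_SUPPLIERS:
        tf = fold(trusted)
        # Exact match after folding, a couple of edits away, or the trusted
        # name embedded in a longer domain (acme-logistics.com.other.net).
        if folded == tf or levenshtein(folded, tf) <= 2 or tf in folded:
            return "lookalike", trusted
    return "unknown", None


def screen_message(sender: str, subject: str, body: str):
    """Return a list of (code, detail) findings; empty means nothing suspicious."""
    domain = sender.rsplit("@", 1)[-1]
    verdict, matched = classify_sender_domain(domain)
    findings = []
    if verdict == "lookalike":
        findings.append(("LOOKALIKE_DOMAIN", f"{domain} resembles trusted supplier {matched}"))
    elif verdict == "unknown":
        findings.append(("UNKNOWN_DOMAIN", f"{domain} is not a registered supplier"))

    raw = f"{subject}\n{body}"
    ibans = set(IBAN_RE.findall(raw))
    on_file = TRUSTED_SUPPLIERS.get(matched or "", {}).get("iban_on_file")
    if ibans:
        # Any account number that is not the one on file is a redirection risk,
        # whoever the sender appears to be.
        if ibans != {on_file}:
            findings.append(("BANK_DETAILS_CHANGED",
                             "account differs from vendor master record; verify by phone"))
    elif any(w in raw.lower() for w in CHANGE_WORDS):
        findings.append(("BANK_CHANGE_REQUEST",
                         "message asks to change bank details; verify by phone"))
    return findings


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("accounts@acme-logistics.com", "Invoice 1042", "Pay to GB29NWBK60161331926819 as usual."),
        ("accounts@acme-l0gistics.com", "Updated remittance", "We have a new bank account: GB12ABCD10203040506070."),
        ("ops@northwind-freight.co.uk", "Account update", "We changed our account details; new IBAN to follow."),
    ]
    for s, subj, b in samples:
        print(s, "->", screen_message(s, subj, b) or "clean")
```

The point of the check is not to block messages but to route them: anything that trips BANK_DETAILS_CHANGED or BANK_CHANGE_REQUEST goes to a call-back against the phone number already held in the vendor master record, never a number supplied in the message itself.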
The Most Common Venues for Cyber Attacks
Digital transformation has made great strides in streamlining procurement, but it’s also opened up new vulnerabilities. Procurement teams should keep an eye on these common entry points for attacks:
- Cloud platforms | Misconfigurations or poor encryption can expose sensitive data shared with suppliers.
- Databases | Centralised procurement records are a goldmine for attackers, holding everything from vendor contracts to financial information.
- Social media | Hackers exploit public-facing interactions to gather intelligence or impersonate suppliers.
- PDF invoices and emails | Seemingly harmless documents can carry malware, bypassing basic defences.
Six Steps to Secure your Supply Chain in 2025
If you are ready to make 2025 the year to strengthen your cybersecurity posture, here are six steps to consider:
Conduct regular risk assessments
Regularly evaluate your suppliers’ security measures, focusing on their software usage, cloud services and data storage practices.
Collaborate with IT teams
Work closely with your IT department to thoroughly vet your platforms and connected tools, ensuring they continue to meet security standards.
Limit access permissions
Grant system access only to essential personnel. Reducing access points minimises potential vulnerabilities.
Encrypt sensitive data
Implement advanced encryption methods for all data exchanges between procurement systems and suppliers.
Develop a robust incident response plan
Create and regularly test an incident response plan to ensure your team is quickly able to contain and mitigate attacks.
Stay informed about emerging threats
New threats and risks appear all the time, so keep your knowledge current by subscribing to industry updates, and provide ongoing training so that employees can recognise and avoid phishing and other cyber threats.
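"Limit access permissions" and "Conduct regular risk assessments" become concrete when the review is scripted: compare what each account can actually do in the procurement system against what its role should allow, and flag excess grants, dormant accounts, and the one combination procurement teams most need to avoid, a single person who can both edit a supplier's bank details and approve that supplier's invoices. The following is an added example written for this article, not code from any system mentioned here; the role baseline, permission names, accounts and dates are all constructed.

```python
"""Least-privilege access review for a procurement system.
Added example with constructed roles, permissions and accounts."""
from datetime import date, timedelta

# Hypothetical role baseline: the grants each role is supposed to have.
ROLE_BASELINE = {
    "buyer": {"po.read", "po.create", "supplier.read"},
    "ap_clerk": {"invoice.read", "invoice.approve", "supplier.read"},
    "vendor_admin": {"supplier.read", "supplier.edit_bank_details"},
    "auditor": {"po.read", "invoice.read", "supplier.read"},
}

# Holding both of these lets one person redirect a payment end to end.
SOD_CONFLICT = {"supplier.edit_bank_details", "invoice.approve"}

REVIEW_DATE = date(2025, 1, 6)  # constructed review date

# Constructed account export: role, actual grants, last interactive login.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "buyer",
     "grants": {"po.read", "po.create", "supplier.read"},
     "last_login": REVIEW_DATE - timedelta(days=3)},
    {"user": "bob", "role": "ap_clerk",
     "grants": {"invoice.read", "invoice.approve", "supplier.read", "supplier.edit_bank_details"},
     "last_login": REVIEW_DATE - timedelta(days=10)},
    {"user": "carol", "role": "auditor",
     "grants": {"po.read", "invoice.read", "supplier.read"},
     "last_login": REVIEW_DATE - timedelta(days=120)},
    {"user": "dave", "role": "contractor",
     "grants": {"po.read"},
     "last_login": REVIEW_DATE - timedelta(days=1)},
]


def review_access(accounts, today, dormant_after_days=90):
    """Return (user, code, detail) findings, in a stable order per account."""
    findings = []
    for acct in accounts:
        user, grants = acct["user"], set(acct["grants"])
        baseline = ROLE_BASELINE.get(acct["role"])
        if baseline is None:
            # A role outside the baseline cannot be checked; treat as a finding.
            findings.append((user, "UNKNOWN_ROLE", acct["role"]))
        else:
            for g in sorted(grants - baseline):
                findings.append((user, "EXCESS_GRANT", g))
        if SOD_CONFLICT <= grants:
            findings.append((user, "SOD_CONFLICT",
                             "can edit supplier bank details and approve invoices"))
        idle = (today - acct["last_login"]).days
        if idle > dormant_after_days:
            findings.append((user, "DORMANT", f"{idle} days since last login"))
    return findings


def revocation_plan(findings):
    """Collapse EXCESS_GRANT findings into {user: sorted grants to revoke}."""
    plan = {}
    for user, code, detail in findings:
        if code == "EXCESS_GRANT":
            plan.setdefault(user, []).append(detail)
    return {u: sorted(g) for u, g in plan.items()}


if __name__ == "__main__":
    for f in review_access(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f)
    print("revoke:", revocation_plan(review_access(SAMPLE_ACCOUNTS, REVIEW_DATE)))
```

Run against a real export, the EXCESS_GRANT list is the ticket to raise with IT, the DORMANT list is the disable list, and any SOD_CONFLICT should be resolved the same day, because that is precisely the position a payment-redirection scam needs one insider or one compromised account to hold.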
Securing the Future of your Supply Chain
Supply chains are only getting more complex, but that doesn’t mean they have to stay vulnerable. With the right strategies – smarter tools, stronger collaboration, and a proactive mindset – cybersecurity can become a strength, not a stressor in 2025.