
The Hidden Blast Radius of Supply Chain Attacks
Oct. 7, 2025
The recent cyberattack affecting Jaguar Land Rover and other major companies reveals a critical vulnerability facing businesses today: the complex web of third- and fourth-party relationships that create unexpected security exposure. This isn't just a problem for automotive giants. Companies of all sizes face similar risks from their interconnected supplier ecosystems. Understanding and managing this "blast radius" has become essential for effective cybersecurity governance.
The Evolving Supply Chain Threat
In late 2025, multiple high-profile companies including Jaguar Land Rover, Marks & Spencer, and The Co-operative Group experienced significant cyber disruptions within a short timeframe. What initially appeared as separate incidents turned out to share a common thread. All were serviced by the same third-party provider, Tata Consultancy Services (TCS).
Intelligence sources have attributed these incidents to Scattered Spider or related affiliates, threat actors specifically targeting identity and managed service providers. The pattern reveals how shared-service concentration can transform a single provider relationship into a cross-industry vulnerability.
Beyond Tier 1: The Fourth-Party Reality
Most businesses diligently assess their immediate vendors but remain blind to the extended supply chain. Your direct vendors might have strong security practices, yet their dependencies create vulnerabilities you cannot see. These include hyperscalers, identity platforms, and managed service providers they rely on.
These "fourth parties" operate several layers below your contracts but can directly impact your operations when compromised. The recent attacks demonstrate how a single compromise can cascade across business ecosystems that none of the affected companies directly controlled.
No amount of first-tier questionnaires could have surfaced these connections. This wasn't a compliance failure but a scope failure, a fundamental gap in how we conceptualize supply chain risk.
The Alarming Scale of the Problem
Supply chain attacks have risen dramatically, with recent data showing a 25% increase since late 2024. According to Cyble research, April 2025 alone saw 31 documented supply chain attacks, with the trend continuing to accelerate. These attacks targeted 22 of 24 industry sectors, with IT and telecommunications companies bearing the brunt (63% of incidents).
The financial impact is equally concerning. The global average cost of a data breach now exceeds $4.45 million, a 15% increase over three years. With worldwide cybercrime costs projected to reach $10.5 trillion annually by 2025, the economic stakes could not be higher.
Recent incidents demonstrate the evolving sophistication of these attacks. In September 2025, a massive attack targeted 18 widely used npm packages with over 2.6 billion weekly downloads, while other attacks have leveraged vulnerabilities in HR software, electronic design tools, and artificial intelligence platforms.
Building Supply Chain Resilience
Traditional vendor management approaches create dangerous visibility gaps that modern security programs must address. The first step is recognizing that your security perimeter extends far beyond your direct relationships.
Effective supply chain security begins with identifying your most business-critical vendors and requesting information about their key dependencies. External attack-surface tools can help cross-map common service providers across your vendor ecosystem, revealing shared dependencies that might create concentrated risk.
Companies need to shift from simple vendor management to ecosystem governance. This means treating shared providers as critical infrastructure and tracking supplier concentration as a board-level metric. It includes aligning with frameworks like NIST CSF 2.0 and ISO 27036 for multi-tier supplier security.
From Assessment to Action
Visibility alone doesn't reduce risk. Once you've mapped your extended supplier network, you need practical methods to measure and prioritize real exposure. This includes scoring each fourth-party on business dependence, shared concentration, and threat exposure.
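The cross-mapping of shared providers described under "Building Supply Chain Resilience" and the fourth-party scoring described above, as an added worked example that is not part of the original article. Vendor names, provider names, dependence weights and threat-exposure weights are all constructed, hypothetical inputs; the scoring formula is an illustrative choice, not a published standard.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names): each direct vendor is given a
# business-dependence weight (1-5) and the set of fourth-party providers it relies on.
VENDORS = {
    "payroll-saas":     (5, {"idp-cloud", "hyperscaler-a", "msp-one"}),
    "logistics-portal": (4, {"idp-cloud", "hyperscaler-b", "msp-one"}),
    "crm-vendor":       (3, {"idp-cloud", "hyperscaler-a"}),
    "dealer-network":   (2, {"msp-one"}),
    "marketing-tool":   (1, {"hyperscaler-b"}),
}

# Constructed threat-exposure weights (1-3). Identity platforms and managed service
# providers are rated highest because the article notes they are actively targeted.
THREAT_EXPOSURE = {"idp-cloud": 3, "msp-one": 3, "hyperscaler-a": 1, "hyperscaler-b": 1}


def map_fourth_parties(vendors):
    """Invert the vendor map: provider -> set of direct vendors that depend on it."""
    providers = defaultdict(set)
    for vendor, (_, deps) in vendors.items():
        for provider in deps:
            providers[provider].add(vendor)
    return dict(providers)


def blast_radius(vendors, provider):
    """Direct vendors (sorted) that would be disrupted if `provider` were compromised."""
    return sorted(map_fourth_parties(vendors).get(provider, set()))


def score_fourth_parties(vendors, threat_exposure):
    """Score each provider on the three factors from the text:
    summed business dependence of affected vendors, shared concentration
    (how many direct vendors it reaches), and threat exposure. Integer arithmetic
    keeps the ranking deterministic."""
    scores = {}
    for provider, dependents in map_fourth_parties(vendors).items():
        dependence = sum(vendors[v][0] for v in dependents)
        concentration = len(dependents)
        exposure = threat_exposure.get(provider, 1)  # unknown providers default to 1
        scores[provider] = {"dependence": dependence, "concentration": concentration,
                            "exposure": exposure,
                            "score": dependence * concentration * exposure}
    return scores


def rank_fourth_parties(vendors, threat_exposure):
    """Providers ordered by descending score, i.e. where to focus governance first."""
    scores = score_fourth_parties(vendors, threat_exposure)
    return sorted(scores.items(), key=lambda kv: kv[1]["score"], reverse=True)
```

With the constructed data the identity platform and the MSP rank far above the hyperscalers, which is the concentration effect the article describes: each is only one contract away from three of five critical vendors.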
NIST Special Publication 800-161 provides guidance on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain. The framework emphasizes that supply chain security requires looking beyond the finished product to examine its components and the entire journey those components took.
Effective practices include:
- Developing a comprehensive Software Bill of Materials (SBOM) for critical applications
- Implementing strong authentication for both users and machines across your supply chain
- Conducting regular security audits and penetration testing
- Monitoring for unusual activity with SIEM tools and data loss prevention
- Securing the continuous integration and continuous delivery (CI/CD) pipeline
- Establishing incident response protocols for supply chain disruptions
Smart companies are now developing early warning systems for vendor ecosystem vulnerabilities and building collaborative defense strategies with key suppliers. They're also looking beyond compliance to quantify potential financial or operational losses if key providers fail.
The Path Forward
The next major disruption to your business likely won't start in your security operations center. It will emerge three contracts away, in a relationship you might not even know exists. Forward-thinking security leaders are now mapping dependencies one layer deeper than their comfort zone, elevating ecosystem risk to the same priority level as internal security controls.
In this interconnected business environment, resilience depends not just on your security practices but on the extended web of trust that keeps your operations running. By expanding your visibility and governance beyond traditional boundaries, you can better protect your company from the hidden blast radius of supply chain attacks.
As we've seen from recent incidents, what appears to be separate security events often turns out to be one attacker exploiting shared dependencies across multiple industries. The question isn't whether your business is vulnerable to these cascading risks. It's whether you can see them coming.