SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Firms urged to step up AI & supply chain cyber defences

Wed, 8th Oct 2025

Cybersecurity Awareness Month is drawing attention to the expanding risks that businesses face as artificial intelligence and third-party relationships reshape the threat landscape across the United Kingdom and beyond.

Industry experts are urging organisations to take a broad view of cyber defences, reflecting on the latest wave of attacks and the need for ongoing, adaptive resilience that moves beyond legacy approaches and traditional compliance requirements.

Changing nature of risk

Recent cyber-attacks have highlighted how threats are evolving, with increasingly sophisticated methods and attack vectors placing pressure on established security strategies. Reports of multi-million-pound losses and supply chain disruption underline the urgency for businesses to reassess their defences.

According to John Linford, Security Portfolio Forum Director at The Open Group, the current climate demands a more rigorous and ongoing security approach:

"To drive resilience, businesses should look to the strategy of Zero Trust to strengthen their security position, implementing the ongoing evaluation of actions with the mindset that all hold risk and require deliberate decision-making about that risk (i.e., accept, mitigate, transfer). At present, though 96% of corporations have or intend to incorporate a Zero Trust approach into their security strategy, only 35% are in the active implementation stage."

Linford noted that, without clear standards and shared understanding, progress on implementing robust Zero Trust strategies would remain inconsistent. He emphasised the importance of open standards to provide clear guidance and foster a more agile, future-ready security framework.

Expanding attack surface with AI

The emergence of AI within enterprise environments is extending the potential attack surface. Karthik Swarnam, Chief Security and Trust Officer at ArmourCode, notes that the adoption of AI tools means nearly every employee is now in a position to create or automate business functions, thereby intensifying the need for broader awareness and preparation.

"As AI enables nearly every employee to build or automate solutions in some form, secure coding practices can no longer be confined to traditional developer teams. Training must evolve to give all employees the same secure-by-design rigour, to make sure innovation doesn't come at the expense of resilience."

Swarnam stressed the importance of distinguishing between approved corporate AI tools and unauthorised 'shadow' applications, suggesting that governance must keep pace with workplace technology adoption. Effective risk management, timely remediation, and sustaining long-term resilience should be prioritised over meeting the minimum compliance standards.

Third-party and supply chain threats

The latest breach involving Renault UK has underscored how vulnerabilities among suppliers and partners can lead to extensive consequences for entire organisations. Steve Cobb, Chief Information Security Officer at SecurityScorecard, observed that while businesses have traditionally focused on internal controls, attackers are increasingly looking for weaknesses among external partners.

"The Renault breach is yet another reminder that attackers are no longer just breaking in through the front door, they're sneaking in through trusted third-party suppliers, many of whom companies have trusted and relied on for years. As highlighted in both our recent French and UK cybersecurity reports, 98% of companies in those countries have experienced a third-party breach, and supply-chain exposure remains one of the biggest risks facing enterprises in Europe today."

Cobb advocates for continuous monitoring of vendors and partners, not just periodic reviews or annual audits, as well as the adoption of real-time breach alerts and a zero-trust approach to all vendor access. He added that supply chain risks demand urgent, ongoing action rather than reactive, checklist-driven procedures.

Awareness as a catalyst for action

Corian Kennedy, Senior Manager of Threat Insights & Attribution at SecurityScorecard, described Cybersecurity Awareness Month as an important prompt for businesses to evaluate their real security posture. Kennedy called for organisations to prioritise real-time risk insight, covering both internal and third-party domains, as a foundation for stronger defences and accelerated decision-making.

"Awareness is an important phase of a larger process to pivot from reacting to successful threats to defensive action... Start by prioritising the real-time insight into their cyber posture, including third-party risk. This clarity allows for faster decisions, stronger defences, and measurable progress. Once you can see the risk, you can reduce it."

Data from recent reports by SecurityScorecard indicates the prevalence and increasing cost of third-party breaches. At the same time, field observations reveal a slow pace of adoption for practices such as Zero Trust frameworks, despite organisations establishing them as strategic priorities.

Industry professionals consistently emphasise that the evolving threat landscape, changing workplace technologies, and interconnected supply chain relationships necessitate a unified commitment to transparent risk management and adaptive resilience across all business operations.
