Complacency in supply chain cybersecurity could be your biggest risk

‘Making cyber requirements contractual creates clear accountability’

Every organisation, no matter their resources, can fall victim to a cyberattack, and companies are showing more wishful thinking than confidence in their supply chain security. Here’s how to properly protect yourself, writes Apollo Tyres’ CDO Hizmy Hassen.

Recent cyberattacks on household names such as Nikkei and Jaguar Land Rover have underlined the fact that no organisation is too big or too well-resourced to be targeted.

The Jaguar Land Rover cyberattack led to a five-week shutdown, slashed UK car output that cost the economy an estimated £1.9 billion, and left thousands of suppliers scrambling.

An overlooked risk often lies beyond a company’s walls in its supply chain, as seen in the Marks & Spencer incident, where a breach via a third-party contractor turned a single supplier weakness into a wider supply chain cyberattack affecting other supermarkets.

Yet the latest State of Supply Chain Security report found that 94% of organisations are confident they could respond to a supply chain attack, and around a fifth believe they would not be affected if a key supplier was unable to operate for five days.

Set against those case studies, too much confidence in cybersecurity looks less like resilience and more like wishful thinking. This is reinforced by the UK government’s latest Cyber Security Breaches Survey, which found that just over one in ten businesses review the risks posed by their immediate suppliers, and under one in ten look at their wider supply chain.

At Apollo Tyres, we start from a different assumption: an incident is a question of when, not if. That mindset has led us to treat cyber resilience as a strategic priority.

Turning supplier onboarding into a security control

Too often, businesses’ overconfidence in their suppliers starts at the very beginning of the relationship. Once a supplier is signed and integrated, they are treated as “trusted” by default, even if nobody has really tested how they manage security. In a manufacturing environment, where suppliers plug directly into planning, logistics and production systems, that is the wrong way round.

Supplier cybersecurity has to be a gate at onboarding, and at Apollo Tyres, we treat it exactly that way. Every new supplier completes a detailed security assessment that covers encryption standards, access controls, compliance and incident response.

In addition, we ask to see recent vulnerability and penetration test reports, ISO 27001 certification and SOC 1 or SOC 2 reports. We reinforce this with contractual clauses on breach notification, confidentiality and the handling and storage of sensitive data.

Across the industry, too few manufacturers build explicit cyber resilience requirements into their supplier contracts. Making these requirements contractual creates clear accountability for cyber-related disruptions, and compels suppliers to maintain adequate cyber insurance and robust security controls. These clauses are still relatively new in many supply chains, but must become standard practice.

It’s especially important for high-risk suppliers. That’s why, before they can touch Apollo Tyres’ systems, we also expect secure access controls, continuous verification in line with zero-trust principles, and mutual transport layer security. Particular attention is also paid to suppliers that connect to us via electronic data interchange (EDI), such as logistics partners and freight providers.

Other manufacturers have their own approach, but when you use onboarding to set and verify security standards, you start the relationship with risk you can actually manage.

Mapping and mitigating supplier vulnerabilities

Once a supplier is in the door, the next challenge is to identify exactly where they sit in your digital ecosystem. For many manufacturers, supply chains now involve intricate combinations of AI-driven systems across multiple partners. That complexity creates numerous potential weak points and makes it hard to see and standardise security.

The first step is to make those dependencies visible. Map out which partners are critical to which plants and customers, which systems are connected, and what data flows in each direction. If you model the impact of a key supplier being offline for a week, the single points of failure reveal themselves very quickly. This informs how you plan and rehearse your response with the most critical suppliers.
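An added example (my own code, not Apollo Tyres’ tooling) of the dependency modelling this step describes: a constructed supplier map with alternate sources and buffer stock, queried for which plants halt if a given supplier is offline for a number of days. Every supplier, plant and input name here is made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:
    supplier: str
    buffer_days: int  # days of stock on hand before this source's outage bites

# Constructed sample data: each input -> the sources (alternates) that supply it.
SOURCING = {
    "steel_cord":    [Source("CordCo", 3), Source("WireWorks", 3)],
    "carbon_black":  [Source("BlackInc", 2)],
    "edi_logistics": [Source("FreightLink", 0)],   # EDI-connected freight partner
    "rubber":        [Source("RubberOne", 7)],
}

# Constructed sample data: each plant -> the inputs it cannot run without.
PLANTS = {
    "Chennai":  {"steel_cord", "carbon_black", "rubber", "edi_logistics"},
    "Enschede": {"steel_cord", "rubber", "edi_logistics"},
    "Hungary":  {"steel_cord", "carbon_black", "rubber"},
}

def inputs_lost(supplier, outage_days):
    """Inputs that run dry if `supplier` is offline for `outage_days`.
    An input survives if another supplier also sources it, or if the
    affected source's buffer stock outlasts the outage."""
    lost = set()
    for name, sources in SOURCING.items():
        alive = [s for s in sources
                 if s.supplier != supplier or s.buffer_days >= outage_days]
        if not alive:
            lost.add(name)
    return lost

def halted_plants(supplier, outage_days):
    """Plants that stop producing because at least one required input is lost."""
    lost = inputs_lost(supplier, outage_days)
    return {plant for plant, needs in PLANTS.items() if needs & lost}

def single_points_of_failure(outage_days):
    """Suppliers whose outage of `outage_days` halts at least one plant,
    mapped to the plants affected. Suppliers with a covering alternate
    or sufficient buffer stock do not appear."""
    suppliers = {s.supplier for sources in SOURCING.values() for s in sources}
    result = {}
    for supplier in sorted(suppliers):
        halted = halted_plants(supplier, outage_days)
        if halted:
            result[supplier] = halted
    return result
```

Running `single_points_of_failure(7)` on this data flags the single-sourced carbon black supplier and the zero-buffer EDI freight partner, while the dual-sourced steel cord suppliers drop out; pushing the outage to eight days also exposes the rubber supplier once its buffer is exhausted.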

Manufacturers should increase investment in independent external assessments of those partners, including targeted penetration tests and “white-hat” exercises. At a time when cyber insurance premiums are rising, being able to evidence that kind of proactive testing can lead to more favourable conversations with insurers.

If a cyberattack, such as ransomware, does get through, both IT and operations need a clear, detailed incident response plan, with suppliers treated as part of the same response unit rather than bystanders.

Yet even at a basic level, incident planning is far from universal. UK government figures show almost half of medium businesses and a quarter of large organisations lack a formal incident-response plan. That gap could be even wider when it comes to supplier-integrated planning, which is why we work with suppliers on joint incident planning, ensuring they follow our playbooks as closely as our internal teams. We also run simulated cyber drills that play out a supply chain attack to test how well that playbook works.

Both with suppliers and internally, AI can help detect and respond to threats and attacks. Next-generation security and incident management platforms and managed detection and response services use AI-driven analytics to detect anomalous behaviour, insider threats and AI-enabled attacks such as deepfake phishing. These systems help security teams to mitigate the impact of incidents. Automated incident triage correlates multiple alerts, reduces false positives and speeds up attack identification, which in turn shortens response times and eases alert fatigue for security teams. While three-quarters of global organisations have now integrated AI into their cybersecurity strategies, a significant minority still have yet to, even as AI-enabled attacks accelerate.

Keeping pace with evolving threats

As threat actors modernise, the software and operating systems that run across all manufacturing plants are constantly ageing. We have all seen machines stuck on outdated operating systems that can no longer take current antivirus or protection software, forcing us to invest in upgrades and, in some cases, to update the applications before we can even move to a newer platform.

Cybersecurity is not a one-off project; it is an investment cycle.

That logic has to extend to suppliers as well. A risk assessment that was accurate two years ago will not reflect today’s threat landscape, so manufacturers need to revisit high-risk suppliers on a regular basis.

The exact cadence will vary by sector and risk profile, but critical partners should never go years, or even months, without scrutiny. That means running in-depth assessments on those suppliers, often led by external specialists, to identify new vulnerabilities in both IT and operational technology.

Just as important as finding issues is fixing the root cause, whether that is an unsupported operating system, overly permissive access controls or a training gap on the factory floor. The goal is to keep cyber risk front and centre for every function, not just the IT or security team.

Ultimately, this all comes back to governance. According to the UK government, the share of businesses with a board member responsible for cybersecurity has fallen from 38% in 2021 to 27% in 2025, even as supply chain risk grows. That trend is heading in the wrong direction.

At Apollo Tyres, oversight of cybersecurity sits with our board, with operational authority delegated to the digital function. Our Global Head of IT Infrastructure and Cybersecurity reports directly to our team.

Responsibility should not just lie in the IT department, but across all functions. Awareness of risk and cultivating a culture of vigilance are key to reducing the risk of one of the greatest corporate threats of our time.

Hizmy Hassen is Chief Digital Officer of Apollo Tyres.