IBM report warns UK firms over rising supply chain breach risks and Artificial Intelligence security gaps

A new IBM report exposes a surge in costly supply chain breaches and highlights how poor Artificial Intelligence governance is leaving UK organisations dangerously exposed.

An IBM report for 2025, conducted by the Ponemon Institute, has identified supply chain breaches as the most financially damaging cyber threat facing UK organisations. According to the study, third-party and supply chain compromises now cost UK businesses an average of £241,620 per incident and take an industry-leading 267 days to resolve, outpacing even insider attacks. AJ Thompson, Chief Commercial Officer of IT consultancy Northdoor, points to a disconnect: while organisations ramp up investment in perimeter security, too many neglect the vulnerabilities posed by suppliers and external partners.

The report also reveals a worrying lack of alignment between rapid Artificial Intelligence adoption and the implementation of effective cybersecurity controls. Although companies deploying Artificial Intelligence and automation in their security operations cut global breach costs by nearly £900,000 and shortened breach lifecycles by 80 days, UK adoption remains low. Just 31% of businesses have introduced significant Artificial Intelligence-powered automation, and shadow Artificial Intelligence—unsanctioned tools used by staff—now accounts for 20% of all breaches, often exploiting ungoverned access. Critically, 97% of Artificial Intelligence-related security incidents hit organisations without proper access controls, and 11% of those surveyed could not determine the role Artificial Intelligence played in their breaches.

Speed in detecting and containing threats remains the most important cost driver. Breaches detected and contained within 200 days cost UK organisations £2.84 million on average, compared with £3.74 million for slower responses. Sector analysis shows financial services in the UK face the highest individual breach costs (£5.74 million), followed by technology and services sectors. Thompson contends that the real issue is not lack of expertise within internal IT teams, but under-resourcing. He urges organisations to enlist external consultancies to shore up supply chain security and bring Artificial Intelligence deployments under robust governance, citing the expanding threat landscape and increasingly complex digital ecosystems.
