For years, organisations have treated cyber security as something that happens within their own walls. Protect the network, secure the endpoints, monitor the environment. Job done.
Security was architected like a moat and castle, but that model is no longer effective.
Today, the real exposure sits outside the organisation. It sits in third parties, fourth parties, and the vast network of suppliers across the world that modern businesses depend on.
As organisations scale and digitise, supplier ecosystems have expanded rapidly. What was once a handful of trusted partners is now hundreds, sometimes thousands. Whether cloud services, SaaS platforms, outsourced functions or offshore development teams, enterprise environments are growing in scale, but equally in vulnerability.
Each supplier represents a point of access, and therefore introduces risk.
The rapidly expanding global attack surface
The challenge is no longer just about whether an organisation’s own environment is secure. It is whether it truly understands who has access to its data, where that data resides, and how it is being handled across a globally distributed supply chain.
Furthermore, as an organisation’s partner ecosystem becomes global in nature, its vulnerability to geopolitics also increases.
Supply chains are no longer just commercial relationships. They are shaped by political tension, regional instability, and shifting alliances between nations.
A supplier is no longer just a supplier. It is a potential point of exposure tied to a specific geography, jurisdiction, and risk profile.
If an organisation is heavily reliant on a particular region, what happens when that region becomes unstable? What happens if access is disrupted, or if that supplier becomes compromised?
We have already seen these risks arise during the Ukraine conflict.
Organisations far removed from the conflict found themselves impacted through indirect connections. Third and fourth party relationships became entry points. Systems were disrupted not because they were targeted directly, but because they were connected.
This is the reality of modern cyber risk. It is interconnected, unpredictable, and often indirect.
And yet, many organisations still approach supply chain security in a way that is either too simplistic or too ambitious.
On one end of the spectrum, there is the idea that everything must be tightly controlled, localised, and contained within national borders. In practice, this is rarely feasible. Globalisation has made supply chains too complex and too interdependent to unwind.
On the other end, there is a tendency to treat all suppliers equally, applying blanket assessments that fail to reflect actual risk.
Neither approach works.
So, what steps can organisations take to improve the security of their global supply chains?
Securing global supply chains
What is needed instead is pragmatism.
Not every supplier requires the same level of scrutiny. A provider with access to sensitive systems or data should be treated very differently from one delivering low-risk services. The priority must be understanding which relationships truly matter to the operation of the business.
Which suppliers, if compromised, would cause real damage? Which ones have access to your most critical assets?
These ‘tier one’ suppliers are the ones that require deeper assurance: more rigorous questioning, greater visibility, more controlled and monitored access, and deeper knowledge of their security posture.
That means going beyond surface-level questionnaires and taking time to understand why access is required, who uses it, how it is controlled, and whether it is still justified over time. It means embedding security into procurement processes from the outset, rather than trying to retrofit it later.
Because once a supplier is embedded, challenging access becomes significantly harder.
Cyber security is no longer confined to internal systems. It is shaped by external dependencies, geopolitics, and decisions made far beyond the organisation’s immediate control.
As the once-safe network perimeter continues to dissolve, it is essential for organisations to take time to understand these risks and modernise their defences, ensuring security runs across every border, regardless of where that border may be.
Ben Morris, Head of Cyber Security Operations at the Home Office, is speaking at DTX Manchester on 29th – 30th April 2026.
Ben will speak on the Main Stage for a session discussing ‘The new border reality: Confronting geopolitics, data sovereignty, and supply chain risk.’
Join him on Thursday 30th April – 11:15AM – 12:00PM

