Supply chain security risks drive data breach costs for UK in 2025

4th August 2025 | Blog | AJ Thompson

Supply chain security risks create the highest costs for UK CISOs in 2025

The IBM 2025 Cost of a Data Breach report reveals a stark reality for UK security leaders. Supply chain breaches now represent the most expensive factor driving up data breach costs, adding £241,620 to the average incident cost.

UK organisations face a critical challenge. Cybercriminals consistently find the path of least resistance to reach their primary targets. While many companies strengthen frontline defences, attackers exploit third-party vulnerabilities as their preferred “backdoor” entry method.

The complexity of supply chain attacks extends beyond initial costs. Third-party vendor compromises create the longest data breach lifecycle globally, averaging 267 days to resolve, a full week longer than malicious insider attacks.

Data breach costs drop but concerns remain for security leaders

The average cost of data breaches decreased for the first time in five years, dropping from $4.88 million in 2024 to $4.44 million globally in 2025. UK organisations saw costs fall from £3.40 million to £3.29 million.

This reduction masks underlying concerns that security professionals must address. The financial sector leads UK breach costs at £5.74 million per incident, followed by technology (£4.93 million) and services (£4.80 million).

Speed of containment directly impacts financial outcomes. UK companies containing breaches within 200 days average £2.84 million in costs. Those taking longer face costs rising to £3.74 million.

Third-party security risks compound shadow AI vulnerabilities for CISOs

Shadow AI presents a growing threat to UK organisations. Unsanctioned employee use of AI tools accounts for 20% of security breaches, seven percentage points higher than sanctioned AI incidents.

The scale of the problem becomes clear through the numbers. 69% of UK organisations have little or no AI security automation in place, creating significant exposure to increased breach costs.

Security incidents involving AI often originate from third-party vendors, with 29% delivered through Software-as-a-Service platforms. This connection between AI vulnerabilities and supply chain risks compounds the challenge for security teams.

The uncertainty factor adds another layer of complexity. 11% of organisations remain unsure whether incidents originated from shadow AI use, highlighting the detection and monitoring gaps many companies face.

AI security automation reduces breach costs by £670,000

Organisations using AI extensively within security operations demonstrate clear cost advantages. These companies average £3.11 million per breach compared to £3.78 million for organisations without AI security automation.

The global data shows even stronger benefits. Extensive AI and automation use saves organisations $1.9 million in breach costs and reduces the breach lifecycle by 80 days.

The challenge lies in implementation. 97% of organisations experiencing AI-related security incidents lacked proper AI access controls, creating a dangerous gap between AI adoption and security governance.

Third-party IT consultants address resource constraints

Internal security teams struggle with resource limitations despite understanding the threats they face. The sophistication and volume of cybercriminal attacks continue to increase, stretching internal capabilities.

Third-party IT consultancies fill critical gaps in internal teams. These partnerships provide access to specialised expertise needed to combat evolving threats from both internal and external sources.

Expert consultants help organisations identify threats, implement new security solutions, highlight supply chain vulnerabilities, and maintain compliance with complex regulatory requirements. This comprehensive support reduces breach probability and associated costs.

Frequently asked questions about supply chain security risk

Q: What are the main drivers of data breach costs in 2025?

Supply chain vulnerabilities represent the primary cost driver for UK organisations, adding £241,620 to average breach costs. The extended resolution timeline of 267 days for third-party compromises significantly increases total incident costs.

Shadow AI emerges as another major factor, accounting for 20% of security breaches. The uncontrolled use of AI tools by employees creates detection challenges and increases vulnerability exposure.

Resource constraints within internal security teams limit organisations’ ability to address sophisticated threats. The gap between threat complexity and internal capabilities drives up both breach likelihood and associated costs.

Q: How can CISOs mitigate supply chain security risks?

Identifying vulnerabilities within supply chains represents the critical first step for most organisations. Without comprehensive insight into third-party risks, investments in frontline defences lose effectiveness.

CISOs must implement robust vendor assessment processes and continuous monitoring capabilities. Regular security audits of critical suppliers help identify potential weaknesses before they become exploitation opportunities.

Establishing clear security requirements for all third-party relationships creates accountability and shared responsibility for protection. Contractual obligations should include incident response procedures and breach notification timelines.

Q: What controls should CISOs implement for AI security?

Organisations must establish clear governance frameworks for AI tool usage before implementation spreads further. Proper access controls prevent the security gaps that affect 97% of organisations experiencing AI-related incidents.

Employee education programmes help staff understand approved AI tools and the risks associated with unsanctioned alternatives. Clear policies defining acceptable use create boundaries for safe AI adoption.

Regular auditing of AI tool usage across the organisation identifies shadow AI implementations. Discovery tools and network monitoring help security teams maintain visibility into actual AI deployment versus approved usage.

Q: How long do data breaches take to resolve?

Third-party vendor and supply chain compromises require the longest resolution time, averaging 267 days from initial compromise to full resolution. This extended timeline increases costs through prolonged business disruption and ongoing investigation requirements.

Malicious insider attacks take slightly less time to resolve, at 260 days. The internal nature of these threats often complicates investigation and remediation efforts.

Organisations with strong incident response capabilities and proper preparation can significantly reduce these timelines. Preparation, detection capabilities, and response procedures directly impact resolution speed and associated costs.

Additional resources

Read our Cost of Data Breach 2025 summary here

Download the UK Cost of Data Breach PDF here

Financial data breaches 2025 industry analysis
