The most economically damaging cyber-attack in British history did not begin inside the company that suffered it. It began at a supplier.
When the 2025 attack on Jaguar Land Rover unfolded, the headline damage looked like a classic operational crisis: production halted across multiple sites, wholesale deliveries down by roughly a quarter year-on-year, a recovery that stretched into 2026, and a total cost estimated at close to £1.9 billion - serious enough to warrant a government loan guarantee and to ripple through some five thousand organisations in the supply chain. Yet the entry point, according to public reporting, was not a weakness in JLR's own defences. It was a vulnerability in a third-party enterprise platform used by one of its suppliers.
Sit with that for a moment, because it dissolves a distinction most manufacturers still organise themselves around. The disruption was operational. The cause was cyber. The doorway belonged to someone else. And the effect on the factory floor was the same as if the line itself had failed.
Two conversations that used to be separate
For decades, manufacturers have run supply-chain risk as two entirely separate conversations, in two different rooms, owned by two different functions.
One is about operations: disruption, lead times, single-source dependencies, the cost of a delayed shipment, the efficiency of the whole flow. It lives with procurement and operations leaders, and it is measured in days lost and margin eroded. The other is about security: which of our suppliers could be a way into our systems, what happens if one of them is breached, how do we vet them. It lives with IT and security, and it is measured in vulnerabilities and controls.
That separation made sense when a supplier was a supplier and a network was a network. It no longer reflects how manufacturing actually works. Suppliers are now connected to your systems, your data, and increasingly your plant floor. And once that is true, the wall between the two conversations becomes a liability - because the risks flow freely across it while the teams managing them do not.
Why they are now the same problem
Here is the shift that leadership teams need to internalise. In a digitally connected supply chain, a supplier's failure reaches your operations the same way regardless of what caused it.
If a key supplier cannot deliver, it does not much matter to your line whether they were taken down by ransomware, a systems outage, a fire, or a logistics collapse. The consequence is identical: the part does not arrive, the order does not ship, the process cannot run. Cyber risk has become operational risk, and operational continuity has become a security concern. They are not two problems that happen to be related. They are one problem seen from two angles - which is precisely how we have argued visibility and OT security turn out to be the same discipline, and how data readiness underpins everything built on top of it.
The wider evidence backs this up, and it is stark. Third-party involvement in breaches doubled in a single year to around thirty per cent - the largest year-on-year jump on record. A supply-chain compromise now takes the longest of any breach type to detect and contain, running to hundreds of days and millions in cost. In Europe, regulators place supply-chain risk among the top threats that manufacturing must address under NIS2. And in manufacturing specifically, these incidents no longer merely leak data; they stop production. The attacker's logic is simple and ruthless: compromise one supplier that many companies share, and you reach all of them at once.
You cannot manage a supply base you cannot see
The uncomfortable truth beneath all of this is a familiar one. Most manufacturers have reasonable visibility into their tier-one suppliers and almost none beyond. The dependencies that would actually bring the business down - the shared platform three tiers deep that a hundred of your suppliers quietly rely on, the single vendor whose compromise would cascade through your whole ecosystem - sit in a blind spot.
That blindness is expensive in exactly the way it was on your own plant floor. You cannot protect what you cannot see, and you cannot keep running what you cannot see either. Concentration risk hides in shared services and nth-party relationships that no supplier questionnaire ever surfaces. And the timing works against you: with breaches now taking months to be disclosed, waiting for a supplier to tell you they have been compromised is not a strategy - by the time the notification arrives, the damage has long since started to flow downstream.
Periodic assessment cannot defend against a risk that moves continuously. An annual security questionnaire is a photograph of a moving target.
What resilience actually requires
Building genuine resilience means refusing the old separation and treating the supply chain as one thing to be understood, monitored and planned for - across both its operational and its security dimensions. In practice, that comes down to a handful of disciplines.
It starts, as it always does, with a map - but a map that reaches beyond tier one to expose concentration risk and single points of failure. You cannot plan around dependencies you have never charted. From there, suppliers are treated as part of both your attack surface and your operational continuity plan, assessed once against both lenses rather than twice in separate silos. Point-in-time questionnaires give way to continuous monitoring, so that a change in a supplier's risk posture reaches you in something closer to real time than to next year's audit cycle.
Underneath all of it sits the data foundation that makes early warning possible at all. Real-time insight into supplier performance, disruption signals and risk indicators depends on being able to bring that data together and trust it - the same connected, governed layer that makes any other kind of operational intelligence work. And when something does go wrong, resilient manufacturers have already integrated their key suppliers into their incident-response and recovery planning: clear escalation paths, shared communication channels, joint exercises run before the crisis rather than during it.
Established frameworks - the NIST Cybersecurity Framework, ISO standards, and the growing expectation around software bills of materials and NIS2 - give this work a recognised structure. But the frameworks are scaffolding, not the building. The goal is not compliance with a standard; it is the ability to absorb a shock in one corner of the supply base without it becoming a crisis across all of it.
The efficiency dividend
There is a reason this is worth doing beyond avoiding catastrophe, and it is the reason the operations side of the business should care as much as the security side. The very visibility that reduces cyber and third-party risk is the same visibility that reduces operational risk and cost. Knowing your dependencies, seeing disruption signals early, and being able to respond quickly does not just protect you from the rare, ruinous event. It makes the everyday supply chain run better - fewer surprises, better forecasting, faster recovery when the ordinary things go wrong.
This is the point manufacturers most often miss: resilience and efficiency are not a trade-off. The investment that buys one buys the other. A supply chain you can see clearly is both safer and cheaper to run.
Resilience is visibility, applied to everyone you depend on
The manufacturers who come through the next few years strongest will not be the ones with the fewest suppliers or the tallest walls. They will be the ones who can see across their supply base clearly enough - operationally and from a security standpoint, as a single picture - to take a hit in one place without it spreading everywhere.
That is what resilience really is. Not the absence of risk in a supply chain that no longer permits it, but the visibility and preparedness to contain risk when it arrives. It is the same principle that governs a secure plant floor, a trustworthy data layer and a rationalised estate, extended outward to everyone your business relies on: you cannot protect, run or recover what you cannot see.
At VE3, we help manufacturers build that single, connected view of their supply chain - mapping dependencies, bringing operational and security risk into one picture, and creating the data foundation that turns supplier visibility into early warning rather than hindsight. If your supply-chain risk still lives in two separate conversations, bringing them together is where resilience begins.
VE3 helps manufacturers and industrial operators build resilient, visible and intelligent supply chains - uniting operational continuity and third-party security on a single data foundation. Talk to us about a supply-chain resilience assessment.


.png)
.png)
.png)



