Six Percent: The Supply Chain Number That Should Terrify Every Small Business in the UK
Every survey has a number that gets ignored. In the Cyber Security Breaches Survey 2025/2026, published by DSIT and the Home Office on 30 April 2026, the headline belongs to 43% of businesses breached and 612,000 organisations affected. Those are the numbers that generate the press coverage and the social media posts.
The number I care about is 6%.
Six percent of UK businesses formally review the cyber security risks posed by their wider supply chain. Not sixty. Six. Ninety-four percent of businesses have no formal process for examining whether the companies they depend on could be the vector that compromises them.
The Full Picture Is Worse Than the Headline
The survey breaks supply chain risk management into two tiers. Fifteen percent of businesses review the risks from their immediate suppliers: the companies they deal with directly. Six percent extend that review to the wider supply chain: the companies that their suppliers rely on.
The size gradient is stark. Forty-eight percent of large businesses review their immediate suppliers. Thirty percent of medium businesses do. Twenty-two percent of small businesses. Twelve percent of micro businesses. By the time you reach the small and micro end, where the majority of UK businesses sit, the figure is barely registering.
For the wider supply chain, the figures are even thinner. Large businesses sit at around 20%. Small businesses are in single digits. Micro businesses are essentially absent from the statistic.
This data exists in a context. SolarWinds compromised eighteen thousand organisations through a software update in 2020. Kaseya’s VSA platform was exploited to deliver ransomware to managed service provider customers in 2021. The MOVEit file transfer vulnerability exposed data from hundreds of organisations in 2023. ConnectWise ScreenConnect was exploited by state-sponsored actors targeting MSP customers. DragonForce demonstrated how RMM tools could be weaponised against entire client bases. These are not theoretical scenarios. They are documented, well-publicised, and repeatedly referenced in industry guidance.
After all of that, 94% of UK businesses still have no formal process for checking the wider chain.
Why This Number Matters More Than 43%
The 43% breach prevalence rate captures attacks against the organisation itself. The supply chain number captures something different: the organisation’s exposure to attacks it cannot see, cannot prevent directly, and may not learn about until the damage is done.
A business can invest in MFA, firewalls, staff training, and endpoint protection, and still be compromised because its payroll provider was running an unpatched system, or its CRM vendor had no MFA on admin accounts, or its outsourced IT helpdesk was socially engineered.
The supply chain number matters more because it represents an unmanaged dependency. The 43% of businesses that were breached at least know they were attacked. The businesses whose suppliers are compromised may not find out for weeks or months.
And when it does surface, the reputational and legal consequences land on the organisation that holds the customer relationship, not on the supplier in the background. If your booking system provider gets breached and your customer data spills, your customers do not care that the failure happened in someone else’s cloud. They know your logo, your invoice, your apology email.
What “Just” Means in Supply Chain Context
There is a telling word that comes up repeatedly when businesses discuss their suppliers: “just.” The payroll provider is just the payroll company. The CRM is just where we keep contact details. The helpdesk is just the outsourced IT support.
“Just” is the most dangerous word in supply chain security because it minimises the actual access these suppliers have. The payroll provider holds employee bank details, national insurance numbers, salaries, and home addresses. The CRM holds customer contact information, communication history, and potentially financial data. The outsourced helpdesk may have admin access to your entire Microsoft 365 environment.
When you say “just,” you are describing the supplier’s business function. What you should be thinking about is the data and access they hold. A supplier that can touch your data or your systems is part of your security story, regardless of how unexciting their function sounds.
The Small Business Blind Spot
The size gradient in the survey data is not surprising, but it is important. Large businesses are more likely to review suppliers because they have procurement teams, vendor management processes, and regulatory requirements that mandate it. Small businesses typically select suppliers based on cost, convenience, and personal recommendation.
Ask a small business owner how they chose their payroll provider and the answer is usually one of three things: their accountant recommended it, they found it online and liked the pricing, or they have been using it since the beginning and never questioned it. Ask the same owner what security controls that provider has in place and you will get a blank look.
This is not irresponsible. It is rational behaviour under information asymmetry. Small business owners are not security professionals. They have no framework for evaluating a supplier’s security posture, no standard questions to ask, and no benchmark against which to measure the answers. The supply chain review gap is not just about awareness. It is about capability.
The Cascading Failure Model
Supply chain incidents do not follow the same pattern as direct attacks. They cascade.
In a direct attack, the adversary targets your organisation specifically or opportunistically. The scope is bounded. The attacker accesses what you have. The damage is contained within your environment.
In a supply chain attack, the adversary targets the supplier, which provides a route into multiple downstream organisations simultaneously. The scope is multiplicative. One compromise becomes ten, or a hundred, or a thousand, depending on the supplier’s client base.
For a small business, this means the risk is not proportional to your own security investment. You can be exemplary in your own controls and still be exposed through a supplier whose security practices you have never examined. The survey’s 6% figure means this is the norm, not the exception.
What a Practical Supplier Review Looks Like
A full vendor risk management programme with questionnaires, on-site audits, and continuous monitoring is appropriate for large enterprises. It is not realistic for a twenty-person business. But there is a practical middle ground.
Identify your critical three. Not all forty-seven suppliers. The three that have access to your systems, your staff identities, or your customer data. For most small businesses, these are the Microsoft 365 or Google Workspace provider, the CRM or booking system, and the payroll or accounting platform.
Ask five questions. Send a brief email to each supplier with the following.
- Do you require multi-factor authentication for all staff who can access our data or systems?
- Do you hold Cyber Essentials certification, ISO 27001, or equivalent?
- How would you notify us if you experienced a security breach affecting our data, and within what timeframe?
- Do you carry cyber insurance?
- Can you tell us where our data is stored and who has access to it?
Assess the responses. If a supplier answers promptly and clearly, that is a positive signal. If they struggle to answer, deflect, or do not respond, that tells you something important about their maturity. You are not conducting a formal audit. You are establishing a baseline.
Document the results. Keep a simple record of which suppliers you reviewed, when, what they said, and any concerns. This serves two purposes: it gives you a basis for future conversations, and it demonstrates to your own clients, insurers, and regulators that you take supply chain risk seriously.
Set a review cadence. Annual is sufficient for most small businesses. Add it to the same calendar slot as insurance renewal or annual accounts.
The MSP Question
The survey data on supply chain overlaps with a broader question about managed service providers. Twenty-seven percent of businesses cited external IT consultants or providers as their primary source of cyber security information. For small businesses, the IT provider is often the single most trusted and most access-privileged supplier in the chain.
This creates a concentration risk. If the IT provider is compromised, the attacker potentially gains access to every client environment the provider manages. The ConnectWise and Kaseya incidents demonstrated this precisely. Yet the survey suggests fewer than one in five small businesses are reviewing even their most critical suppliers.
If you use a managed IT provider, they should be the first supplier you review, not the last. Ask them every question on the list above, plus: what remote access tools do you use to manage our systems, and what security controls protect those tools?
How to Turn This Into a Competitive Advantage
The supply chain statistic is your most powerful differentiator because the bar is so low. If only 15% of businesses review their immediate suppliers and only 6% review the wider chain, conducting even a basic review puts you in a demonstrably small minority.
For businesses that act as suppliers to larger organisations, this is directly valuable. The survey shows 48% of large businesses review their immediate suppliers for cyber risk. If you are a small business serving a large client, they may already be asking, or will soon ask, about your security posture. Proactively sharing your security measures, including your own supplier review results, turns a compliance obligation into a sales conversation.
You can also use this as a retention tool. Clients who know you take supply chain security seriously are less likely to switch to a cheaper alternative that has never been asked the question.
How to Sell This to Your Board
The exposure is real and documented. 94% of businesses have no process for reviewing wider supply chain risk. This is not hypothetical; SolarWinds, Kaseya, MOVEit, and multiple MSP compromises prove the mechanism.
The review costs nothing. Five questions. Three emails. No external consultants required for the initial assessment.
Customer expectations are increasing. 48% of large businesses now review their suppliers. If your client base includes any medium or large organisations, the question is coming. Better to have the answer ready.
Insurance implications. As cyber insurance conditions tighten, demonstrating supply chain due diligence strengthens your claims position. Ignorance of supplier risk is increasingly difficult to defend.
What This Means for Your Business
- Identify your three most critical suppliers this week. The ones with access to staff identities, customer data, or financial systems.
- Send the five-question email to each. MFA, certification, breach notification process, insurance, data storage. Keep it brief and professional.
- Document what comes back. A simple spreadsheet is sufficient. Supplier name, date reviewed, responses, concerns flagged.
- Add supply chain review to your annual calendar. Same time as insurance renewal. One hour per year per supplier is enough to maintain a baseline.
- If your IT provider manages your systems remotely, review them first. They hold the keys. They should be the easiest to assess and the most forthcoming with answers.
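The review procedure above (identify the critical three, ask the five questions, assess, document, set an annual cadence) and the action list it summarises can be kept as a small register rather than a spreadsheet. This is an added example, not tooling from the author; the three-day notification threshold, the supplier names and their answers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
QUESTIONS = {  # the five questions from the page, keyed so answers are recorded consistently
    "mfa": "MFA required for all staff who can access our data or systems?",
    "certification": "Cyber Essentials, ISO 27001 or equivalent held?",
    "breach_notify_days": "How, and within how many days, would you notify us of a breach?",
    "insurance": "Cyber insurance carried?",
    "data_location": "Where is our data stored and who has access to it?",
}
MAX_NOTIFY_DAYS = 3                   # assumed threshold, not a figure from the page
REVIEW_CADENCE = timedelta(days=365)  # annual cadence, as the page recommends

@dataclass
class SupplierReview:
    name: str
    reviewed_on: date
    answers: dict  # question key -> answer; an empty dict records "no reply"

def assess(review):
    """Return the concerns to record for one supplier (empty list = baseline OK)."""
    a = review.answers
    if not a:
        return ["no response to review email"]
    concerns = [f"unanswered: {k}" for k in QUESTIONS if k not in a]
    for key, msg in (("mfa", "MFA not enforced for staff with access"),
                     ("insurance", "no cyber insurance")):
        if a.get(key) is False:
            concerns.append(msg)
    if "certification" in a and not a["certification"]:
        concerns.append("no recognised certification")
    days = a.get("breach_notify_days")
    if isinstance(days, int) and days > MAX_NOTIFY_DAYS:
        concerns.append(f"breach notification {days}d exceeds {MAX_NOTIFY_DAYS}d")
    return concerns

def review_due(review, today):
    return today - review.reviewed_on >= REVIEW_CADENCE  # True once a year has passed

def register_rows(reviews, today):
    # One row per supplier: name, date, concerns, review due (the spreadsheet the page describes)
    return [(r.name, r.reviewed_on.isoformat(), "; ".join(assess(r)) or "none",
             review_due(r, today)) for r in reviews]

SAMPLE = [  # constructed sample answers for three hypothetical suppliers
    SupplierReview("Payroll platform", date(2025, 5, 1), {"mfa": True, "certification": "ISO 27001",
                   "breach_notify_days": 1, "insurance": True, "data_location": "UK region; support staff only"}),
    SupplierReview("Booking system", date(2026, 3, 10),
                   {"mfa": False, "certification": "", "breach_notify_days": 14, "insurance": True}),
    SupplierReview("Outsourced IT helpdesk", date(2026, 4, 2), {}),  # never replied
]
```

A supplier that never replies is recorded as a concern in its own right, which is the point the page makes about silence telling you something about maturity.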