CFOtech UK - Technology news for CFOs & financial decision-makers

Exclusive: CyXcel urges UK firms to rethink supply chain risk

Today

Cybercriminals are shifting focus from direct attacks on businesses to exploiting the vulnerabilities in their suppliers - and many UK organisations are dangerously unprepared.

That's the stark warning from Ngaire Guzzetti, Technical Director of Supply Chain at cybersecurity consultancy CyXcel.

"We're increasingly seeing threat actors go after suppliers rather than the end organisation," she explained to TechDay during a recent interview.

"If they compromise one supplier that connects to multiple clients, they gain access to an entire ecosystem."

Recent attacks on M&S, Harrods and the Co-op - reportedly by the same group - have highlighted the growing risk. According to Guzzetti, the complexity of modern, global supply chains makes it easier than ever for cyber threats to infiltrate through indirect channels.

"Most businesses don't have clear visibility into their extended supplier networks," she explained. "Fourth and fifth-party relationships are often invisible. That's where the blind spots lie, and attackers know it."

The stakes are rising not only because of the financial and reputational damage of breaches, but also because of intensifying regulatory pressure. New rules such as the EU's NIS2 directive and forthcoming UK cyber legislation are forcing businesses to reassess their cyber readiness - and many are falling short.

"Boards are now personally liable when something goes wrong," said Guzzetti. "This is shifting responsibility away from just the IT department and into the boardroom. It's now an organisational issue, not a technical one."

One key issue, she added, is outdated contracts that don't reflect current legal obligations. "A contract signed three or five years ago may not contain clauses that enforce cyber standards now required by law. That creates a compliance gap that's hard to close after the fact."

Guzzetti urges businesses to take a risk-tiered approach to their suppliers, concentrating due-diligence effort and monitoring on those with access to sensitive systems or data.

"You don't need deep threat intel on your office stationery provider, but you absolutely need it for your critical SaaS vendor," she said.

And cybersecurity due diligence, she stressed, must be ongoing. "A supplier can get ISO certified today and suffer a breach tomorrow. If you only assess them once at the start, you won't know how their posture evolves - or deteriorates."

Preparing for inevitable breaches is just as important as trying to prevent them, Guzzetti explained. Her team at CyXcel helps clients build incident response playbooks, ensure regulatory reporting is covered, and test business continuity plans regularly.

"Resilience means being ready to act when something goes wrong," she said. "You can never eliminate all risk, but you can reduce the impact through preparedness."

She described the scale and professionalism of today's cybercriminals as "terrifying but fascinating." One colleague, she noted, recently dealt with a ransomware gang that offered a tech support hotline for victims. "They were running like a full-scale service business," she said.

"They even told the client, 'Call this number, and we'll help you recover your data.'"

That level of sophistication makes it even more vital for businesses to have the right expertise on hand before an incident hits.

"You don't want to waste those first critical hours scrambling for external help," Guzzetti added.

"Having a consultancy like ours already onboard means you can move immediately - we handle the reporting, the legal risks, the supplier and customer communications."

Guzzetti also believes that viewing cybersecurity as a cost centre is outdated thinking. "Cyber should be seen as a strategic enabler," she said. "In procurement and supply chains, especially, it's one of the fastest-growing threat vectors. But it also gives you leverage, helps meet compliance requirements, and reassures customers that you're a safe partner."

CyXcel's integrated model has gained recognition, with the firm recently named Cyber Startup of the Year at the 2025 Cybersecurity Awards.

It is one of only two UK law firms to hold NCSC Cyber Incident Response Approved Vendor status, and it recently achieved ISO 27001 certification.

"Our clients don't need to coordinate separate lawyers, technical experts, incident response and supply chain consultants," said Guzzetti. "It's all under one roof. That's what sets us apart."

With increasingly aggressive attackers and stricter laws, she says British firms must stop underestimating the cyber risks embedded in their supply chains.

"You can't treat cyber security as a bolt-on anymore," she said. "It's a necessity, if you want to protect your business - and your reputation."