
Navigating the Perilous Landscape of Digital Supply Chains: Comprehensive Risk Management and Resilience Strategies in an Interconnected World
Many thanks to our sponsor Esdebe who helped us prepare this research report.
Abstract
In the contemporary global economy, characterized by unprecedented interconnectedness and pervasive digitalization, supply chain risks have escalated from operational nuisances to existential threats. Disruptions, regardless of their origin, possess the potential for profound and cascading consequences across entire industrial ecosystems. This extensive research report undertakes a detailed examination of the multifaceted nature of supply chain risks, meticulously dissecting their inherent vulnerabilities, with particular emphasis on the escalating menace of cyber threats that now permeate every layer of the digital infrastructure. The study further explores a spectrum of comprehensive strategies vital for robust vendor risk management, delineating the imperative for stringent contractual cybersecurity requirements, presenting established and emerging frameworks for assessing and mitigating intricate supplier-related exposures, and critically analyzing approaches to cultivate enduring resilience within increasingly complex digital supply chains. Through an in-depth analysis of high-profile real-world incidents, such as the catastrophic 2024 cyberattack on Synnovis – a pivotal pathology service provider intricately integrated into multiple National Health Service (NHS) trusts in the United Kingdom – this investigation unequivocally underscores the critical imperative for organizations across all sectors to proactively identify, address, and neutralize supply chain vulnerabilities. The ultimate objective is to ensure not only unwavering operational continuity but also to rigorously safeguard stakeholder interests, patient safety, and national critical infrastructure against an ever-evolving threat landscape.
1. Introduction: The Evolving Tapestry of Global Supply Chains and the Dawn of Digital Peril
In an era fundamentally shaped by accelerated globalization, rapid technological advancement, and pervasive digitalization, supply chains have undergone a profound metamorphosis. What were once relatively linear and localized transactional pathways have transformed into extraordinarily intricate, multi-tiered networks that transcend geographical boundaries, involve a multiplicity of stakeholders, and leverage advanced digital technologies for optimization. This intricate web, encompassing everything from raw material extraction and manufacturing to logistics, distribution, and consumption, is often underpinned by complex IT systems, cloud services, and outsourced expertise. While this evolution has undeniably unlocked unprecedented opportunities for enhanced efficiency, cost reduction through economies of scale, and accelerated innovation, it has concurrently introduced a new stratum of profound and systemic risks.
Disruptions originating within any single segment of this vast and interconnected supply chain possess the inherent capacity to cascade rapidly and unpredictably, generating widespread operational bottlenecks, precipitating significant financial losses, and inflicting irreparable damage to organizational reputation and public trust. The seminal 2024 cyberattack targeting Synnovis, a critical pathology service provider whose operations are deeply embedded within several NHS trusts across south-east London, stands as a stark and unequivocal testament to how profound vulnerabilities within third-party providers can precipitate widespread systemic disruption, potentially jeopardizing public health and safety. This incident, discussed in detail later in this report, forcefully highlights the critical and immediate need for organizations to develop a sophisticated and proactive understanding of supply chain risks, alongside implementing robust, adaptive, and continuously monitored management strategies.
This report aims to provide a comprehensive, academically rigorous exploration of supply chain risk management in the digital age. It will systematically dissect the various categories of risks, using the Synnovis attack as a salient case study to illustrate practical implications. Furthermore, it will detail actionable strategies for vendor risk management, outline essential contractual cybersecurity requirements, introduce leading frameworks for risk assessment and mitigation, and explore methodologies for building true resilience in an increasingly volatile operational environment. Ultimately, this research seeks to arm decision-makers with the knowledge and tools necessary to navigate the perilous yet essential landscape of modern digital supply chains.
2. Unpacking the Complexities of Supply Chain Risks: A Multi-Dimensional Analysis
Supply chain risks are broadly defined as any potential events or conditions that possess the capacity to adversely affect the seamless flow of goods, services, information, or finances within an interconnected supply network. These risks are rarely monolithic; instead, they represent a diverse array of threats that can originate from internal processes, external forces, or the intricate interplay between them. A systematic categorization is essential for effective identification, assessment, and mitigation. Traditionally, these risks have been classified into several key dimensions:
2.1. Operational Risks
Operational risks stem from failures or disruptions in the day-to-day activities, processes, or systems critical to the supply chain’s function. These are often considered foundational risks and can manifest in numerous forms:
- Production Failures: Equipment breakdowns, quality control issues, capacity limitations, or unexpected halts in manufacturing processes.
- Logistics Disruptions: Transportation delays, port congestions, shipping errors, or warehouse operational inefficiencies. Natural disasters (e.g., floods, earthquakes, pandemics) frequently exacerbate these, as seen during the COVID-19 pandemic which severely impacted global shipping and manufacturing (Choi and Chiu, 2020).
- Technology Outages: Failures in IT systems, enterprise resource planning (ERP) platforms, or communication networks that underpin supply chain visibility and control. These can range from simple software glitches to sophisticated cyberattacks.
- Human Error: Mistakes made by personnel, inadequate training, or insufficient staffing can lead to production errors, logistical missteps, or security vulnerabilities.
- Labour Disruptions: Strikes, workforce shortages, or industrial actions that impede operations.
2.2. Financial Risks
Financial risks pertain to potential adverse impacts on an organization’s financial health, solvency, or profitability within the context of its supply chain interactions:
- Currency Fluctuations: Volatility in exchange rates can significantly impact the cost of imported raw materials or the profitability of exported goods.
- Credit Risks: The risk of a supplier or customer defaulting on payments, leading to cash flow issues or bad debt. Supplier financial instability can lead to sudden cessation of services or product delivery.
- Commodity Price Volatility: Unpredictable swings in the prices of key raw materials can erode profit margins or make long-term planning challenging.
- Cash Flow Constraints: Inefficient inventory management or extended payment terms can tie up capital, limiting an organization’s ability to invest or respond to disruptions.
2.3. Strategic Risks
Strategic risks are linked to long-term decisions and external market or geopolitical dynamics that can fundamentally alter the competitive landscape or viability of a supply chain:
- Geopolitical Instability: Trade wars, political unrest, sanctions, or international conflicts can severely disrupt global supply routes and market access (Sheffi, 2015).
- Market Shifts: Changes in consumer preferences, emergence of new technologies, or aggressive competitor strategies that render existing supply chain configurations obsolete.
- Mergers and Acquisitions (M&A) Failures: Integration challenges post-M&A can introduce operational complexities, cultural clashes, or security vulnerabilities within the newly combined supply chain.
- Regulatory Changes: New laws or international agreements (e.g., environmental regulations, labour laws) can necessitate costly adjustments to supply chain practices.
2.4. Compliance Risks
Compliance risks arise from the failure to adhere to legal, regulatory, and ethical requirements governing supply chain operations:
- Regulatory Non-compliance: Breaches of industry-specific regulations (e.g., HIPAA for healthcare, GDPR for data privacy), import/export controls, or anti-bribery laws. Fines and legal repercussions can be severe.
- Ethical Sourcing Concerns: Failure to ensure fair labour practices, environmental sustainability, or human rights within the extended supply chain, leading to reputational and legal consequences.
- Data Governance: Non-adherence to data protection laws, cross-border data transfer regulations, or internal data security policies.
2.5. Reputational Risks
Reputational risks impact an organization’s public image, brand value, and stakeholder trust. These risks are often consequences of failures in other risk categories but can have distinct and long-lasting effects:
- Brand Damage: Negative publicity resulting from product recalls, ethical lapses by suppliers, environmental incidents, or data breaches can severely tarnish a brand’s image.
- Loss of Customer Trust: When a supply chain failure directly impacts customers (e.g., product unavailability, compromised data), it can lead to customer churn and reduced loyalty.
- Investor Relations: Supply chain disruptions or compliance failures can negatively affect investor confidence and stock performance.
2.6. Cybersecurity Risks: The Pervasive Threat in Digital Supply Chains
While often categorized under operational or strategic risks, cybersecurity risks have evolved into a distinct and increasingly dominant threat vector, particularly in highly digitized and interconnected supply chains. The Synnovis cyberattack exemplifies how a breach in a third-party provider’s systems can precipitate significant service disruptions, financial impact, and even patient harm, thereby crossing into operational, financial, and reputational domains. Key cybersecurity risks include:
- Data Breaches: Unauthorized access, exfiltration, or disclosure of sensitive information (e.g., patient data, intellectual property, financial records).
- Ransomware Attacks: Malicious software that encrypts data and systems, demanding a ransom for decryption. These can halt operations entirely.
- Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS) Attacks: Overwhelming a system or network with traffic, making it unavailable to legitimate users.
- Supply Chain Attacks: A sophisticated form of cyberattack where attackers compromise a trusted software vendor or service provider to distribute malware or vulnerabilities to the vendor’s customers (ENISA, 2021).
- Intellectual Property (IP) Theft: Espionage or illicit acquisition of trade secrets, product designs, or proprietary algorithms through compromised supplier systems.
- Third-Party and Nth-Party Risks: The concept that risks are not confined to direct vendors (third parties) but extend to those vendors’ own suppliers (fourth parties), and so on (Nth parties). A vulnerability in a small, seemingly insignificant Nth-party vendor can be exploited to gain access to a primary target.
The increasing reliance on cloud services, Application Programming Interfaces (APIs), and interconnected IT infrastructure means that the attack surface of an organization now extends far beyond its direct perimeter to encompass the entire digital supply chain. Understanding this expanded attack surface is paramount for effective risk management.
3. The Synnovis Cyberattack: A Detailed Case Study of Digital Supply Chain Vulnerability
On Monday, June 3, 2024, Synnovis, a critical pathology service provider serving numerous NHS trusts in south-east London, became the victim of a sophisticated ransomware attack. This incident rapidly crippled its IT systems, leading to a ‘critical incident’ declaration by NHS England London and triggering widespread disruption across vital healthcare services. The attack serves as a chilling exemplar of the profound vulnerabilities inherent in interconnected systems and the far-reaching consequences of cyber threats within critical digital supply chains.
3.1. Background: Synnovis’s Role in the NHS Ecosystem
Synnovis is a joint venture between two NHS trusts – Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust – and Synlab, a leading private pathology services company (Synnovis, 2024). Its operations are central to diagnostic services for a population of over two million people, processing millions of blood tests, biopsies, and other diagnostic samples annually. Services include blood transfusions, complex blood tests, immunology, and specialized cancer diagnostics. The deep integration of Synnovis’s IT systems with those of its NHS partners meant that a compromise of Synnovis’s infrastructure would inevitably have immediate and severe repercussions for patient care across a significant portion of London’s healthcare network.
3.2. The Nature of the Attack: Ransomware and Data Exfiltration
The attack was identified as a ransomware incident perpetrated by a Russian-speaking criminal group known as Qilin. This group is notorious for its double-extortion tactics, which involve not only encrypting an organization’s data to demand a ransom for decryption keys but also exfiltrating sensitive data and threatening to publish it if the ransom is not paid (Waterstons, 2024). In the case of Synnovis, Qilin claimed to have stolen 400 GB of sensitive patient data, including names, dates of birth, NHS numbers, and pathology test results, which they subsequently published on their dark web leak site (Conosco, 2024). This act of data exfiltration compounds the operational disruption with severe privacy implications.
3.3. Immediate Operational Fallout: Service Disruptions and Patient Harm
The impact on healthcare services was immediate and catastrophic:
- Cancellations and Postponements: Over 1,000 inpatient procedures and 10,152 acute outpatient appointments across affected trusts were postponed or cancelled in the initial weeks following the attack. These included vital surgeries, diagnostic scans, and consultations that rely on timely pathology results.
- Blood Transfusion Interruptions: Blood transfusions, which are inherently time-sensitive and critical for emergency care and surgery, were severely impacted. Manual workarounds were implemented, but these significantly slowed down processes and introduced human error risks. Hospitals had to divert blood samples to other, unaffected pathology labs, creating logistical nightmares and delays.
- Cancer Treatment Delays: Specialized cancer treatments often depend on regular and precise diagnostic tests. Delays in obtaining these results meant some cancer treatments had to be suspended or modified, potentially affecting patient outcomes.
- Emergency Care Strain: Accident & Emergency (A&E) departments faced immense pressure as the ability to conduct rapid diagnostic tests was compromised. This led to longer waiting times, delays in diagnosis, and increased risk for acutely unwell patients.
- Manual Workarounds and Their Limitations: Staff were forced to revert to manual processes for ordering tests, logging results, and patient identification. While commendable, manual systems are inherently slower, less efficient, more prone to error, and unsustainable for large-scale operations, especially in a high-pressure environment like a hospital.
Most critically, the incident led to significant patient harm. Reports indicated cases of severe, moderate, and low harm, with at least one confirmed instance of severe harm leading to long-term health consequences for a patient due to delays in receiving critical diagnostic information (Howden Group, 2025). This directly illustrates the ‘patient safety warning’ that the incident represented for healthcare providers globally.
3.4. Data Breach Implications
The confirmed exfiltration and subsequent publication of sensitive patient data raise serious concerns:
- Patient Privacy Violations: The exposure of personal and health data constitutes a significant breach of patient privacy and a violation of data protection regulations such as GDPR.
- Identity Theft and Fraud Risk: Exposed data could be used for identity theft or targeted phishing attacks against vulnerable patients.
- Reputational Damage: The breach severely damaged public trust in Synnovis and, by extension, the NHS trusts involved, raising questions about data security protocols within critical healthcare infrastructure.
- Regulatory Fines: The Information Commissioner’s Office (ICO) in the UK is likely to launch an investigation, potentially leading to substantial fines for non-compliance with data protection legislation.
3.5. Financial and Systemic Impact
The financial cost of the Synnovis attack was substantial, estimated at £37.7 million by January 2025 (Howden Group, 2025). This figure likely encompasses:
- Incident Response Costs: Expenses related to forensic investigations, remediation efforts, system rebuilding, and cybersecurity consulting.
- Business Interruption Costs: Losses due to cancelled procedures, diverted services, and reduced operational efficiency.
- Reputational and Legal Costs: Potential fines, legal fees from patient claims, and long-term loss of trust.
- Investment in Enhanced Security: Future costs for upgrading cybersecurity infrastructure and processes to prevent recurrence.
Beyond the immediate financial and operational impacts, the Synnovis attack illuminated broader systemic vulnerabilities within the NHS’s reliance on third-party service providers. It triggered a national review of cybersecurity resilience across the healthcare sector, emphasizing the critical need for a holistic approach to managing risks introduced by external partners.
4. Unmasking Vulnerabilities in Interconnected Systems: The Extended Attack Surface
The Synnovis cyberattack provides a vivid illustration of how the increasingly complex and interconnected nature of modern supply chains inherently expands an organization’s attack surface, introducing a multitude of vulnerabilities that attackers are keen to exploit. Understanding these vulnerabilities is the foundational step towards developing effective defensive strategies.
4.1. The Pervasive Nature of Third-Party Dependencies
Modern organizations, driven by efficiency, specialization, and cost-effectiveness, increasingly rely on external vendors for critical services. These include:
- Software-as-a-Service (SaaS): Cloud-based applications (e.g., CRM, HR platforms, communication tools).
- Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS): Cloud computing resources and development environments.
- Managed Service Providers (MSPs): Outsourced IT support, network management, and cybersecurity services.
- Specialized Business Process Outsourcing (BPO): Services like pathology labs, payroll, and customer support.
Each of these dependencies introduces a potential weak point. The security posture of the primary organization becomes inextricably linked to that of its weakest vendor. An attacker may find it easier to breach a smaller, less secure third-party provider, like Synnovis, to gain access to a larger, more fortified primary target, such as the NHS trusts. This is the essence of a ‘supply chain attack’ (ENISA, 2021), where the integrity of an organization’s digital assets is compromised not directly, but indirectly through its trusted suppliers.
4.2. Inadequate Cybersecurity Posture of Third Parties
A significant vulnerability arises when third-party vendors, particularly those specializing in non-IT core functions, lack the robust cybersecurity measures commensurate with the sensitivity of the data they handle or the criticality of the services they provide. Common weaknesses include:
- Legacy Systems and Technical Debt: Many organizations, especially in established sectors like healthcare, operate older IT infrastructure that is difficult to patch, inherently less secure, and vulnerable to known exploits.
- Poor Patch Management: Failure to consistently apply security updates and patches leaves systems exposed to vulnerabilities that have already been identified and fixed by software vendors.
- Insufficient Investment in Security: Smaller or specialized vendors may prioritize their core business functions over substantial investments in cybersecurity personnel, tools, or training.
- Lack of Security Awareness and Training: Employees of third-party vendors may not be adequately trained to recognize phishing attempts, practice strong password hygiene (e.g., absence of multi-factor authentication, as potentially indicated in the Synnovis case), or follow secure operational procedures.
- Inadequate Access Controls: Over-provisioned access rights, weak authentication mechanisms, and lack of granular control over vendor access to critical systems.
- Insider Threats at Vendors: Malicious or negligent insiders within a third-party organization can either inadvertently or deliberately compromise data or systems.
4.3. Lack of Visibility and Control
Organizations frequently suffer from a critical lack of visibility into their entire vendor ecosystem. They may not know the full extent of their direct vendors, let alone their Nth-party suppliers. This ‘supply chain mapping’ challenge means:
- Limited Oversight: Inability to monitor the security posture of all relevant third parties in real-time.
- Enforcement Challenges: Difficulty in enforcing stringent security policies and controls on external entities, especially when contractual agreements are weak or non-existent.
- Shadow IT: Unauthorized use of third-party cloud services or software by internal departments, bypassing established IT security protocols, which creates unmonitored entry points for attackers.
4.4. Complex Integration Points and Expanded Attack Surface
Modern digital supply chains rely heavily on seamless data exchange and system interoperability. Application Programming Interfaces (APIs), shared databases, secure file transfer protocols, and direct network connections facilitate this integration. Each integration point, however, represents a potential vector for attack:
- API Vulnerabilities: Weakly secured APIs can be exploited to gain unauthorized access to data or systems.
- Data Sharing Protocols: Insecure data transfer mechanisms can expose sensitive information during transit.
- Network Segregation Issues: Insufficient network segmentation between a primary organization and its vendors can allow an attacker to move laterally from a compromised vendor’s network into the primary organization’s sensitive infrastructure.
4.5. Data Sensitivity and Regulatory Compliance
When interconnected systems handle highly sensitive information, such as protected health information (PHI) in patient records, personally identifiable information (PII), or financial data, the consequences of a breach are significantly amplified. The Synnovis incident, involving medical data, immediately triggered concerns regarding HIPAA (in a broader international context for PHI) and GDPR compliance. A failure to adequately protect such data not only incurs reputational damage and patient harm but also invites severe regulatory penalties.
These vulnerabilities collectively paint a picture of an extended enterprise security perimeter, where the strength of the entire chain is determined by its weakest link. Addressing these systemic weaknesses requires a comprehensive, multi-layered approach to supply chain risk management that extends beyond an organization’s immediate boundaries.
5. Strategies for Robust Vendor Risk Management (VRM): Building a Fortified Ecosystem
Effective vendor risk management (VRM) is no longer a peripheral concern but a core strategic imperative for any organization operating within complex digital supply chains. It involves a systematic, ongoing process to identify, assess, mitigate, and monitor risks associated with third-party relationships throughout their entire lifecycle. A robust VRM program aims to ensure that external partners do not inadvertently introduce unacceptable levels of risk, particularly in cybersecurity, that could compromise the primary organization’s operations, data, or reputation.
5.1. Establishing a Holistic VRM Framework
Successful VRM begins with a clearly defined, organizational-wide framework that outlines policies, procedures, roles, and responsibilities. This framework should be integrated with an organization’s overall enterprise risk management (ERM) strategy and tailored to the specific industry and regulatory landscape. Key components include:
- Policy Definition: Clear policies articulating the organization’s stance on third-party risk, acceptable risk appetite, and security baseline requirements.
- Governance Structure: Establishing a dedicated team or cross-functional committee responsible for VRM oversight, decision-making, and policy enforcement.
- Risk Tiering Methodology: Classifying vendors based on their criticality to business operations, the volume and sensitivity of data they access, and their potential impact in case of compromise. This allows for differentiated and proportionate risk assessment efforts.
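The tiering step above is the one that decides how much assessment effort each vendor receives, so it helps to see a concrete scoring model. The following Python is an added illustration, not part of this report or of any named framework: the ordinal scales, weights, thresholds, assessment cadences and the three sample vendors are all constructed assumptions. It combines the three inputs the text names (operational criticality, data sensitivity, access scope), adds a capped allowance for known Nth-party sub-processors, and applies one override so that a vendor holding PHI/PII over a direct network connection, the pattern in the Synnovis case, is always top tier regardless of the arithmetic.

```python
from dataclasses import dataclass

# Ordinal scales for the three inputs the text names for tiering. The scale
# labels and the weights below are assumptions for illustration.
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "life_safety": 4}
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "phi_pii": 3}
ACCESS_SCOPE = {"none": 0, "portal_only": 1, "api": 2, "network_connected": 3}


@dataclass
class Vendor:
    name: str
    criticality: str        # impact on operations if the vendor fails
    data_sensitivity: str   # most sensitive class of data the vendor touches
    access_scope: str       # how the vendor reaches our systems
    subprocessors: int = 0  # known Nth-party suppliers behind this vendor


def risk_score(v: Vendor) -> int:
    """Weighted additive score (assumed weights; maximum 30)."""
    score = (3 * CRITICALITY[v.criticality]
             + 3 * DATA_SENSITIVITY[v.data_sensitivity]
             + 2 * ACCESS_SCOPE[v.access_scope])
    # Each known sub-processor widens the attack surface; capped so that a
    # long tail of minor suppliers cannot dominate the score.
    score += min(v.subprocessors, 3)
    return score


def tier(v: Vendor) -> str:
    """Map a score to a tier. One override: a vendor that both holds PHI/PII and
    has a direct network connection is Tier 1 whatever its other attributes."""
    if v.data_sensitivity == "phi_pii" and v.access_scope == "network_connected":
        return "tier1"
    s = risk_score(v)
    if s >= 20:
        return "tier1"
    if s >= 12:
        return "tier2"
    return "tier3"


# Proportionate assessment effort per tier (assumed cadence and evidence).
ASSESSMENT_PLAN = {
    "tier1": {"assessment_interval_months": 6,
              "evidence": ["SOC 2 Type II or ISO/IEC 27001", "penetration test", "right to audit"],
              "continuous_rating": True},
    "tier2": {"assessment_interval_months": 12,
              "evidence": ["SIG/CAIQ questionnaire", "certification"],
              "continuous_rating": True},
    "tier3": {"assessment_interval_months": 24,
              "evidence": ["lightweight questionnaire"],
              "continuous_rating": False},
}


def plan_for(v: Vendor) -> dict:
    """Tier plus the assessment regime that tier implies."""
    t = tier(v)
    return {"vendor": v.name, "tier": t, "score": risk_score(v), **ASSESSMENT_PLAN[t]}


# Constructed sample vendors (not real suppliers).
SAMPLE_VENDORS = [
    Vendor("pathology-lab", "life_safety", "phi_pii", "network_connected", subprocessors=2),
    Vendor("marketing-saas", "medium", "internal", "portal_only", subprocessors=5),
    Vendor("office-supplies", "low", "public", "none"),
]
# Low-criticality vendor that still hits the PHI-on-network override.
OVERRIDE_VENDOR = Vendor("transcription-service", "low", "phi_pii", "network_connected")

if __name__ == "__main__":
    for v in SAMPLE_VENDORS + [OVERRIDE_VENDOR]:
        print(plan_for(v))
```

The override is the design point worth copying: additive scores let a vendor with a terrible attribute hide behind a low score elsewhere, so the conditions that must never be under-assessed are expressed as hard rules, not weights.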
5.2. Vendor Onboarding and Due Diligence: Proactive Risk Identification
The most critical phase of VRM occurs before a contract is signed. Thorough due diligence is essential to identify and evaluate potential risks posed by prospective vendors:
- Pre-contractual Assessment: This involves a multi-faceted evaluation:
  - Security Questionnaires: Standardized questionnaires (e.g., Shared Assessments Standardized Information Gathering (SIG) questionnaire, Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire (CAIQ)) provide structured inquiries into a vendor’s security controls, policies, and procedures.
  - Audits and Certifications: Requesting evidence of third-party security certifications (e.g., ISO 27001, SOC 2 Type II reports) or conducting on-site audits for high-risk vendors.
  - Security Ratings Services: Utilizing external security rating platforms (e.g., BitSight, SecurityScorecard) that continuously monitor and rate a vendor’s external security posture based on publicly available data, offering an objective, real-time view.
  - Financial Health Checks: Assessing a vendor’s financial stability to ensure they have the resources to maintain operations and invest in security.
  - Legal and Compliance Reviews: Ensuring the vendor complies with relevant industry regulations, data protection laws (e.g., GDPR, CCPA), and ethical sourcing standards.
  - Reputation and Background Checks: Investigating a vendor’s track record, any previous security incidents, and market reputation.
- Scope of Engagement Definition: Clearly defining what data, systems, or network segments the vendor will access, and ensuring access is strictly limited to what is necessary for their service provision (principle of least privilege).
5.3. Contractual Agreements and Service Level Agreements (SLAs): Formalizing Security Requirements
Robust contractual agreements are the backbone of effective VRM. They legally bind vendors to specific security standards and outline responsibilities:
- Cybersecurity Clauses: Incorporating explicit clauses on data protection, security controls, incident response, audit rights, and liability. This is discussed in detail in Section 6.
- Service Level Agreements (SLAs): Defining measurable performance targets for security-related processes, such as incident response times, system uptime, and patch deployment schedules.
- Right to Audit: Including clauses that grant the primary organization the right to audit the vendor’s security controls and compliance at reasonable intervals.
5.4. Continuous Monitoring and Performance Management: Vigilance Throughout the Lifecycle
Vendor risk management is not a one-time event but an ongoing process. Continuous monitoring is crucial for detecting changes in a vendor’s risk posture:
- Regular Security Assessments: Periodic re-evaluation of vendor security controls, often annually or biannually, particularly for critical vendors.
- Vulnerability Scanning and Penetration Testing: For high-risk vendors, organizations may require (and contractually mandate) vulnerability scans or penetration tests against vendor systems or applications used by the primary organization.
- Real-time Threat Intelligence Sharing: Establishing channels for vendors to share relevant threat intelligence and for the primary organization to communicate emerging threats.
- Performance Reviews: Regularly reviewing vendor performance against security-related SLAs and KPIs.
- Supply Chain Mapping and Nth-Party Monitoring: Proactively identifying sub-processors and Nth-party vendors used by direct suppliers to understand the full extent of the extended attack surface. Tools and services are emerging to help automate this process.
5.5. Offboarding Procedures: Securely Terminating Relationships
When a vendor relationship concludes, a systematic offboarding process is essential to prevent lingering vulnerabilities:
- Data Deletion and Return: Ensuring all organizational data held by the vendor is securely deleted or returned, with verifiable proof.
- Access Revocation: Immediately revoking all physical and digital access privileges granted to the vendor and its personnel.
- Audit Trails: Maintaining comprehensive audit trails of vendor activities during the entire lifecycle for compliance and forensic purposes.
By implementing these multifaceted strategies, organizations can move beyond reactive incident response to proactive risk prevention, fostering a more secure and resilient ecosystem of external partnerships.
6. Contractual Cybersecurity Requirements for Third-Party Partners: Legal Enforceability of Security
Robust vendor risk management is significantly strengthened by legally binding contractual obligations that explicitly define cybersecurity expectations and responsibilities. These contracts serve as a critical tool for ensuring alignment in security practices, establishing accountability, and providing recourse in the event of a security incident. Merely assuming a vendor adheres to best practices is insufficient; explicit cybersecurity clauses are non-negotiable for any organization dealing with sensitive data or critical services.
6.1. Detailed Security Standards and Framework Adherence
Contracts must mandate adherence to recognized cybersecurity frameworks, standards, and best practices. These typically include:
- Industry-Standard Frameworks: Requiring compliance with frameworks such as ISO/IEC 27001 (Information Security Management System), NIST Cybersecurity Framework (CSF), or sector-specific standards like HIPAA (for healthcare data in the US, broadly applicable principles for PHI), PCI DSS (for payment card industry data), or CMMC (for defense contractors).
- Specific Security Controls: Mandating the implementation of foundational security controls, including:
  - Encryption: Requirements for strong encryption of data both in transit (e.g., TLS 1.2+ for network communications) and at rest (e.g., AES-256 for stored data).
  - Access Controls: Strict identity and access management (IAM) policies, including multi-factor authentication (MFA) for all administrative and remote access, role-based access control (RBAC), and regular access reviews.
  - Patch Management: A commitment to timely application of security patches and updates to all systems and software to address known vulnerabilities.
  - Secure Configurations: Adherence to secure configuration baselines for all servers, network devices, and applications, minimizing default settings and unnecessary services.
  - Network Security: Implementation of firewalls, intrusion detection/prevention systems (IDS/IPS), and network segmentation.
  - Data Backups and Recovery: Regular, tested backup procedures and a clear disaster recovery plan.
- Security Audits and Certifications: Requiring vendors to maintain relevant security certifications (e.g., SOC 2 Type II) and provide audit reports, or granting the primary organization the right to conduct its own audits.
6.2. Incident Response and Notification Protocols
Clear, actionable procedures for reporting and managing security incidents are paramount. Ambiguity in this area can lead to delays that exacerbate the impact of a breach, as potentially seen in the early stages of the Synnovis incident.
- Timely Notification: Defining specific timelines (e.g., ‘within 24 hours of discovery’) for reporting any suspected or confirmed security incidents, data breaches, or unauthorized access.
- Information Sharing: Specifying the type of information that must be shared (e.g., nature of the incident, affected data, remediation steps taken, forensic findings).
- Roles and Responsibilities: Clearly delineating who is responsible for incident investigation, containment, eradication, recovery, and post-incident analysis.
- Cooperation and Assistance: Requiring the vendor to cooperate fully with the primary organization’s incident response team, including providing access to logs, systems, and personnel for forensic investigation.
6.3. Data Protection and Privacy Clauses
For vendors handling sensitive data, comprehensive data protection clauses are essential to ensure compliance with privacy regulations and protect organizational and customer information:
- Data Ownership and Processing: Clearly stating that the primary organization retains ownership of its data and defining the vendor’s role as a data processor, subject to specific instructions.
- Confidentiality, Integrity, and Availability (CIA): Explicitly requiring the vendor to implement measures to ensure the confidentiality, integrity, and availability of all data processed or stored on behalf of the primary organization.
- Data Location and Transfer: Restricting where data can be stored (e.g., within specific geographical regions) and prohibiting unauthorized cross-border data transfers.
- Data Retention and Deletion: Stipulating data retention periods and mandating secure deletion of data upon contract termination or when no longer required.
- Privacy by Design: Encouraging or requiring vendors to adopt privacy-by-design principles in their services.
- Compliance with Data Protection Laws: Explicitly requiring compliance with applicable data protection laws such as GDPR, CCPA, or other local regulations.
6.4. Audit Rights and Performance Metrics
Contracts should provide the primary organization with mechanisms to verify ongoing compliance and security performance:
- Right to Audit: The ability to conduct security audits, penetration tests, or vulnerability assessments on the vendor’s systems and processes, with reasonable notice.
- Reporting Requirements: Regular reporting on key security metrics, incident summaries, and compliance status.
6.5. Liability, Indemnification, and Insurance
Addressing financial and legal implications in the event of a breach is critical:
- Indemnification Clauses: Requiring the vendor to indemnify the primary organization against losses, damages, or legal costs arising from the vendor’s security failures or breaches.
- Liability Limitations: Carefully negotiating liability caps to ensure they are appropriate for the potential impact of a breach.
- Insurance Requirements: Mandating that vendors maintain adequate cybersecurity insurance coverage to cover potential liabilities.
6.6. Exit Strategy and Transition Planning
Finally, contracts should include clauses that facilitate a secure and orderly transition if the relationship is terminated:
- Transition Assistance: Requiring the vendor to provide assistance in transitioning services and data to a new provider or back to the primary organization.
- Secure Data Handover/Deletion: Protocols for securely transferring or permanently deleting all data held by the vendor, along with proof of deletion.
By meticulously drafting and enforcing these contractual cybersecurity requirements, organizations can significantly enhance their control over third-party risks, legally obligating vendors to uphold necessary security standards, and establishing clear pathways for incident response and accountability.
7. Frameworks for Assessing and Mitigating Supplier Risks: A Methodical Approach
Adopting structured frameworks is indispensable for organizations seeking to systematically identify, assess, prioritize, and mitigate the myriad risks introduced by their suppliers. These frameworks provide a methodical approach, moving beyond ad-hoc responses to establish a robust and repeatable process for supply chain risk management (SCRM). They help integrate risk considerations into procurement decisions, operational planning, and continuous monitoring.
7.1. General Principles of Supply Chain Risk Management (SCRM)
SCRM is a holistic and systematic approach that encompasses several core phases (Jüttner and Maklan, 2011):
- Risk Identification: Proactively identifying potential events or conditions that could disrupt the supply chain. This involves mapping the entire supply chain, including Nth-party dependencies, and brainstorming potential failure points (e.g., single points of failure, critical technology interfaces).
- Risk Assessment: Evaluating the likelihood (probability) of identified risks occurring and the potential impact (severity) if they do. This often involves qualitative (e.g., high, medium, low) or quantitative (e.g., financial impact models) methods. A ‘risk register’ is often maintained to document identified risks, their assessment, and mitigation strategies.
- Risk Treatment (Mitigation): Developing and implementing strategies to reduce the likelihood or impact of risks. This includes avoidance, reduction, transfer (e.g., insurance), or acceptance of risks.
- Risk Monitoring and Review: Continuously tracking identified risks, evaluating the effectiveness of mitigation strategies, and adapting to new or evolving threats. SCRM is an iterative process.
These principles form the foundation upon which more specific frameworks are built, particularly concerning cybersecurity.
7.2. NIST Cybersecurity Framework (CSF) for Supply Chain Risk Management
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a widely adopted voluntary framework designed to improve an organization’s ability to prevent, detect, and respond to cyberattacks. It is highly adaptable and can be effectively applied to supply chain risk management (NIST, 2018):
- Core Functions: The CSF is structured around five core functions: Identify, Protect, Detect, Respond, and Recover. Organizations can use these functions to evaluate their own cybersecurity posture and, critically, to assess and communicate expectations for their suppliers.
- Identify: Understanding the assets, systems, data, and capabilities that need protection, and identifying associated risks. For suppliers, this means understanding what critical services they provide and what sensitive data they access.
- Protect: Implementing safeguards to ensure the delivery of critical services. This involves access controls, data security measures, maintenance, and protective technologies for suppliers.
- Detect: Developing and implementing appropriate activities to identify the occurrence of a cybersecurity event. Suppliers must have robust detection capabilities and alert mechanisms.
- Respond: Developing and implementing appropriate activities to take action regarding a detected cybersecurity incident. Clear incident response plans and communication protocols are vital.
- Recover: Developing and implementing appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. This includes business continuity and disaster recovery planning by suppliers.
- Application to SCRM: Organizations can use the CSF to develop a profile of their desired supply chain cybersecurity posture, compare it against suppliers’ current posture, and identify gaps for improvement. It facilitates consistent communication of security requirements up and down the supply chain.
7.3. ISO/IEC 27001 and ISO/IEC 27002: Information Security Management Systems
ISO/IEC 27001 is an international standard that provides a framework for an Information Security Management System (ISMS), enabling organizations to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties. ISO/IEC 27002 provides a code of practice for information security controls (ISO, 2022):
- ISMS Certification: For suppliers, ISO 27001 certification demonstrates a systematic approach to managing information security risks, including those related to third parties. It provides assurance that the supplier has implemented a comprehensive set of controls.
- Control Implementation: ISO 27002 lists a broad range of information security controls (e.g., access control, cryptography, physical security, incident management) that can be mandated in contracts with suppliers. Organizations can require suppliers to implement specific controls relevant to the services provided.
7.4. Proactive Software Supply Chain Risk Management Framework (P-SSCRM)
Given the pervasive use of software and open-source components, frameworks specifically addressing software supply chain risks are increasingly important. The Proactive Software Supply Chain Risk Management Framework (P-SSCRM) is one such example (Acar et al., 2024):
- Focus on Software Components: P-SSCRM focuses on risks introduced through software dependencies, including proprietary software, open-source libraries, and APIs. It emphasizes understanding the provenance and integrity of all software components used by a supplier.
- Software Bills of Materials (SBOMs): The framework promotes the use of SBOMs, which provide a complete, nested inventory of all software components, their versions, and licensing information within a given application. This enables organizations to identify known vulnerabilities (CVEs) present in their suppliers’ software.
- Secure Development Practices: P-SSCRM also covers requiring suppliers to adhere to secure software development lifecycle (SSDLC) practices, including secure coding, static/dynamic code analysis, and vulnerability testing.
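To make the SBOM-to-vulnerability matching described above concrete, the following Python example is added here; it is not code from the page or from the P-SSCRM framework. It walks a constructed CycloneDX-style SBOM, including nested (transitive) components, and matches each component's package URL against a constructed advisory list by version range; the package names, versions and advisory identifiers are all assumptions made for the example.

```python
"""Match a CycloneDX-style SBOM against an advisory list (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample SBOM in CycloneDX JSON shape. Component names, versions
# and the nesting are illustrative and do not describe any real supplier.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "lab-results-portal", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "webframework", "version": "2.4.1",
     "purl": "pkg:pypi/webframework@2.4.1",
     "components": [
       {"type": "library", "name": "templating", "version": "1.9.3",
        "purl": "pkg:pypi/templating@1.9.3"}
     ]},
    {"type": "library", "name": "xmlparser", "version": "0.8.2",
     "purl": "pkg:pypi/xmlparser@0.8.2"},
    {"type": "library", "name": "crypto-utils", "version": "4.0.0",
     "purl": "pkg:pypi/crypto-utils@4.0.0"}
  ]
}
"""

# Constructed advisory feed. The identifiers are placeholders, not real CVEs.
# Each entry affects versions with introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:pypi/templating",
     "introduced": "1.0.0", "fixed": "1.9.4", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:pypi/xmlparser",
     "introduced": "0.0.0", "fixed": "0.9.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "purl": "pkg:pypi/crypto-utils",
     "introduced": "3.0.0", "fixed": "4.0.0", "severity": "medium"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_sample_sbom() -> dict:
    return json.loads(SAMPLE_SBOM_JSON)


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric-only comparison key; '1.9.3-rc1' compares as 1.9.3 (pre-release
    tags are ignored, a simplification of full semver ordering)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def purl_base(purl: str) -> str:
    """Drop the @version, ?qualifiers and #subpath so advisories can be keyed
    on the package identity alone."""
    return purl.split("@", 1)[0].split("?", 1)[0].split("#", 1)[0]


def walk_components(components: list, path: Tuple[str, ...] = ()
                    ) -> Iterator[Tuple[dict, Tuple[str, ...]]]:
    """Depth-first walk over nested components, yielding each component with
    its dependency chain from the top level."""
    for comp in components:
        here = path + (f"{comp['name']}@{comp.get('version', '?')}",)
        yield comp, here
        yield from walk_components(comp.get("components", []), here)


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    severity: str
    path: str  # e.g. "webframework@2.4.1 > templating@1.9.3"


def find_vulnerable_components(sbom: dict, advisories: list) -> List[Finding]:
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp, path in walk_components(sbom.get("components", [])):
        purl = comp.get("purl")
        if not purl:
            continue  # no package identity to match on; flag separately in practice
        version = parse_version(comp.get("version", "0"))
        for adv in by_package.get(purl_base(purl), []):
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                findings.append(Finding(comp["name"], comp["version"], adv["id"],
                                        adv["severity"], " > ".join(path)))
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f.severity, 9))  # worst first
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(load_sample_sbom(), SAMPLE_ADVISORIES):
        print(f"[{f.severity}] {f.advisory}: {f.component} {f.version} via {f.path}")
```

Note that the fixed-version boundary is exclusive, so crypto-utils 4.0.0 is correctly not reported, while the transitive templating dependency is found through its parent.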
7.5. Sector-Specific Frameworks
Many industries have developed their own frameworks and compliance standards due to unique regulatory landscapes and risk profiles:
- Healthcare (HIPAA, NHS Data Security and Protection Toolkit): For healthcare providers and their vendors, compliance with HIPAA (Health Insurance Portability and Accountability Act) in the US or the NHS Data Security and Protection Toolkit (DSPT) in the UK is mandatory for protecting Protected Health Information (PHI).
- Payment Card Industry (PCI DSS): Any organization (and its suppliers) involved in processing, storing, or transmitting credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS).
- Defense (CMMC): The Cybersecurity Maturity Model Certification (CMMC) is a US Department of Defense (DoD) certification program designed to enhance the cybersecurity posture of the defense industrial base (DIB) supply chain.
By leveraging a combination of these frameworks, tailored to their specific risk profile and supplier ecosystem, organizations can establish a systematic and defensible approach to assessing and mitigating supplier risks, thereby strengthening the overall security and resilience of their supply chain.
8. Building Resilience in Complex Digital Supply Chains: Beyond Mitigation
While robust risk identification and mitigation are crucial, the inherently unpredictable nature of global events and sophisticated cyber threats necessitates a focus on building genuine resilience within digital supply chains. Resilience goes beyond merely trying to prevent disruptions; it encompasses an organization’s capacity to anticipate, absorb, adapt to, and rapidly recover from adverse events while maintaining essential functions (Pettit et al., 2019). For digital supply chains, this means preparing for inevitable failures and designing systems that can withstand shocks and quickly return to normal, or even enhanced, operations.
8.1. Diversification of Suppliers: Mitigating Single Points of Failure
Over-reliance on a single supplier, especially for critical services or components, creates a single point of failure that can have catastrophic consequences if that supplier is compromised or otherwise incapacitated. Diversification strategies aim to spread risk:
- Strategic Sourcing and Multi-Sourcing: Engaging multiple qualified suppliers for critical components, services, or geographical regions. This may involve having primary and secondary suppliers, or splitting volumes across several partners.
- Geographic Diversification: Sourcing from suppliers located in different regions or countries to mitigate risks associated with localized natural disasters, geopolitical instability, or regional cyber campaigns.
- Benefits: Reduces dependency risk, increases leverage in negotiations, provides alternative options during disruptions, and can foster competition among suppliers, potentially leading to better service or pricing.
- Challenges: Can increase complexity in management, potentially higher costs due to smaller order volumes per supplier, and still requires robust VRM for each diversified partner.
8.2. Redundancy and Business Continuity Planning (BCP)
Redundancy involves duplicating critical systems, processes, or data to ensure that operations can continue even if one component fails. This is intrinsically linked to robust Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP):
- Backup Systems and Data Replication: Implementing real-time or near real-time data replication to geographically dispersed data centers or cloud regions. This ensures that if a primary system (or a primary vendor’s system) is compromised, a recent copy of data is available elsewhere.
- Alternate Data Centers and Cloud Regions: Having failover mechanisms to switch operations to secondary infrastructure in case of a primary site outage (e.g., active-passive or active-active redundancy).
- Cross-Training of Staff: Training internal staff to perform tasks traditionally handled by a compromised third party, or ensuring multiple internal teams can handle critical processes.
- Contingency Plans and Workarounds: Developing and regularly testing manual workarounds or alternative processes for critical functions in scenarios where digital systems are unavailable (as seen in the Synnovis aftermath, though ideally, these should be pre-planned and tested, not improvised under duress).
- Regular BCP/DRP Testing with Vendors: Critically, involving key suppliers in joint BCP and DRP exercises to ensure seamless coordination and understanding of roles during an actual crisis.
8.3. Agility and Adaptability: Dynamic Response Capabilities
An agile supply chain is one that can quickly reconfigure its processes, resources, and relationships in response to unforeseen disruptions or evolving threats. This requires flexibility in operations and strategic foresight:
- Dynamic Sourcing Capabilities: The ability to quickly identify and onboard alternative suppliers or shift production between different facilities.
- Flexible Contracts: Negotiating contracts with suppliers that allow for adaptability in volume, delivery schedules, or even the ability to quickly pivot to alternative services.
- Scenario Planning and War-Gaming: Conducting regular simulations of various disruption scenarios (e.g., ransomware attack on a key supplier, natural disaster, geopolitical event) to test response plans and identify weaknesses.
- Investment in Digital Twins or Predictive Analytics: Utilizing advanced technologies to create virtual models of the supply chain, allowing for real-time monitoring, predictive risk identification, and simulation of various response strategies.
8.4. Enhanced Visibility and Real-time Monitoring
True resilience is impossible without comprehensive visibility across the entire supply chain. What cannot be seen cannot be managed.
- End-to-End Supply Chain Mapping: Developing a detailed understanding of all direct and Nth-party suppliers, their interdependencies, and the critical processes they support.
- Real-time Risk Dashboards: Implementing systems that consolidate data from various sources (e.g., security ratings, threat intelligence feeds, operational performance metrics) to provide a real-time view of supply chain risks.
- AI/ML for Anomaly Detection: Leveraging artificial intelligence and machine learning to analyze vast amounts of data for unusual patterns or anomalies that could indicate emerging threats or disruptions.
8.5. Collaboration and Information Sharing
No single organization can tackle the complexities of supply chain risks in isolation. Collaboration is key:
- Industry-Specific Threat Intelligence Sharing Groups: Participating in communities (e.g., ISACs – Information Sharing and Analysis Centers) where organizations can share anonymized threat intelligence, best practices, and lessons learned from incidents.
- Joint Exercises with Critical Suppliers: Conducting shared tabletop exercises or full-scale simulations with key vendors to improve coordination and communication during a crisis.
- Fostering a Culture of Trust and Transparency: Encouraging suppliers to be transparent about their security postures and any incidents they experience, without fear of immediate punitive action, to facilitate collaborative remediation.
By integrating these strategies, organizations can move beyond merely reacting to supply chain disruptions to proactively building a robust and adaptable ecosystem that can withstand and recover from the inevitable challenges of the digital age, much like a living organism adapts to its environment.
9. Implementing Zero Trust Architecture (ZTA) in Supply Chains: A Paradigm Shift in Security
In an environment where supply chain attacks are increasing in sophistication and frequency, traditional perimeter-based security models are proving inadequate. These models inherently trust users and devices once they are inside the network, making them vulnerable to lateral movement by attackers who have breached a trusted third party. Zero Trust Architecture (ZTA) represents a paradigm shift, moving from implicit trust to explicit, continuous verification. Its application to supply chains offers a profound enhancement to security and resilience by operating on the fundamental principle of ‘never trust, always verify’ (NIST, 2020).
9.1. Core Principles of Zero Trust Architecture
ZTA is not a single technology but a strategic approach to cybersecurity built on several foundational principles:
- Never Trust, Always Verify: All users, devices, applications, and data flows, whether internal or external, must be authenticated, authorized, and continuously validated before being granted access to any resource.
- Identity-Centric Security: Access decisions are primarily based on the identity of the user and the device, rather than their network location. Strong multi-factor authentication (MFA) is mandatory for all access requests.
- Least Privilege Access: Users and devices are granted the absolute minimum level of access necessary to perform their required tasks, and only for the shortest possible duration (Just-In-Time (JIT) access).
- Micro-segmentation: The network is divided into small, isolated segments. This limits the blast radius of a breach by preventing unauthorized lateral movement of attackers within the network, even if an initial foothold is gained.
- Continuous Monitoring and Analytics: All access requests, user activities, and data flows are continuously monitored, logged, and analyzed for anomalies or suspicious behaviour using User Behavior Analytics (UBA) and Security Information and Event Management (SIEM) systems.
- Data-Centric Security: Protection is focused directly on the data itself, regardless of where it resides. This involves classification, encryption (both at rest and in transit), and Data Loss Prevention (DLP) technologies.
9.2. Application of ZTA to Supply Chains
Applying ZTA principles across the entire digital supply chain significantly enhances security posture against third-party risks:
- Securing Vendor Access to Internal Systems: Instead of granting a third party broad network access, ZTA ensures that each vendor user and device is explicitly authenticated and authorized for every connection to specific applications or data sets. This means:
- Strong Authentication for Vendors: All vendor personnel accessing an organization’s systems must use MFA, even if they are connecting from a ‘trusted’ partner network.
- Granular Access Control: Access is granted on a per-application or per-data-set basis, rather than blanket network access. For instance, a pathology lab like Synnovis would only be granted access to specific patient diagnostic data and not to broader hospital IT systems.
- Context-Aware Access Policies: Access decisions are dynamic, considering factors such as user identity, device health (e.g., patched, uncompromised), location, and time of access.
- Protecting Data Shared with Third Parties: ZTA reinforces data-centric security, ensuring that even if a vendor’s system is compromised, the shared data remains protected:
- End-to-End Encryption: Data shared with third parties should be encrypted not just in transit but also at rest on the vendor’s systems, where feasible and practical.
- Data Loss Prevention (DLP): Implementing DLP solutions to monitor and control sensitive data flows to and from third parties, preventing unauthorized exfiltration.
- Tokenization/Masking: Where possible, sensitive data can be tokenized or masked before being shared with vendors, limiting their exposure to actual PII or PHI.
- Securing Cloud and API Integrations: As many supply chain interactions occur in cloud environments or via APIs, ZTA principles are crucial:
- API Security: Applying ZTA to API gateways, ensuring that all API calls from third parties are authenticated, authorized, and rate-limited.
- Cloud Workload Segmentation: Isolating vendor-related workloads and data within micro-segmented cloud environments to limit the impact of a breach.
- Enhanced Posture Against Insider Threats (from Vendors): By continuously verifying every access request, ZTA helps detect and mitigate malicious or negligent actions by a vendor’s own employees who might misuse their legitimate access.
- Improved Supply Chain Visibility: The continuous monitoring and logging inherent in ZTA provide a rich source of telemetry data, offering unprecedented visibility into how third parties interact with an organization’s resources, which can be invaluable for forensic analysis post-incident.
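As an added illustration of the vendor-access controls described above (not code from the page or from NIST SP 800-207), the Python policy evaluator below expresses a context-aware, default-deny access decision: each vendor request must pass MFA, device posture, location, time-window and per-resource scope checks, an allow is time-boxed in the Just-In-Time sense, and every decision is emitted as a structured audit record for the SIEM. The vendor name, resource names, policy values and sample requests are constructed for the example.

```python
"""Context-aware, default-deny access decisions for vendor users (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessRequest:
    user: str
    vendor: str
    mfa_verified: bool
    device_compliant: bool  # managed, patched, no known compromise indicator
    source_country: str
    resource: str           # the application or data set being requested
    action: str             # "read" or "write"
    at: datetime            # timezone-aware


@dataclass
class VendorPolicy:
    allowed_resources: Dict[str, Set[str]]  # resource -> permitted actions
    allowed_countries: Set[str]
    access_window_utc: Tuple[int, int]      # [start_hour, end_hour)
    grant_ttl_minutes: int = 60             # JIT grant lifetime


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    expires_at: Optional[datetime] = None


def sample_policies() -> Dict[str, VendorPolicy]:
    """Constructed policy: a pathology vendor may read and write lab results
    and read demographics, nothing else, from the UK during a set window."""
    return {
        "pathology-vendor": VendorPolicy(
            allowed_resources={"lis-results-api": {"read", "write"},
                               "patient-demographics": {"read"}},
            allowed_countries={"GB"},
            access_window_utc=(6, 22),
        )
    }


def evaluate(req: AccessRequest, policies: Dict[str, VendorPolicy]) -> Decision:
    """Every check must pass; any failure is a deny, and all failing checks
    are reported so the audit trail shows the full picture."""
    policy = policies.get(req.vendor)
    if policy is None:
        return Decision(False, ["vendor not onboarded"])  # default deny
    reasons = []
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    if not req.device_compliant:
        reasons.append("device fails posture check")
    if req.source_country not in policy.allowed_countries:
        reasons.append(f"source country {req.source_country} not permitted")
    start, end = policy.access_window_utc
    if not start <= req.at.astimezone(timezone.utc).hour < end:
        reasons.append("outside permitted access window")
    actions = policy.allowed_resources.get(req.resource)
    if actions is None:
        reasons.append(f"resource {req.resource} not in vendor scope")
    elif req.action not in actions:
        reasons.append(f"action {req.action} not permitted on {req.resource}")
    if reasons:
        return Decision(False, reasons)
    # Time-boxed grant: the user must re-verify once it expires.
    return Decision(True, ["all checks passed"],
                    req.at + timedelta(minutes=policy.grant_ttl_minutes))


def audit_record(req: AccessRequest, decision: Decision) -> dict:
    """Structured event for the SIEM; allows and denies are both logged."""
    return {
        "ts": req.at.isoformat(), "vendor": req.vendor, "user": req.user,
        "resource": req.resource, "action": req.action,
        "decision": "allow" if decision.allowed else "deny",
        "reasons": decision.reasons,
        "expires_at": decision.expires_at.isoformat() if decision.expires_at else None,
    }


def make_request(hour: int = 10, **overrides) -> AccessRequest:
    """Constructed baseline request from a compliant vendor analyst; pass
    overrides to model a weaker or out-of-scope request."""
    fields = dict(user="analyst@pathology-vendor.example", vendor="pathology-vendor",
                  mfa_verified=True, device_compliant=True, source_country="GB",
                  resource="lis-results-api", action="write",
                  at=datetime(2024, 6, 3, hour, 0, tzinfo=timezone.utc))
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    policies = sample_policies()
    for req in (make_request(), make_request(resource="hospital-admin-console"),
                make_request(mfa_verified=False, hour=2)):
        print(audit_record(req, evaluate(req, policies)))
```

The out-of-scope request for a hospital administration console is denied even though the user, device and MFA are all in order, which is the per-application granularity the text describes.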
9.3. Challenges of ZTA Implementation in Supply Chains
While highly effective, implementing ZTA across a complex supply chain is not without its challenges:
- Complexity and Cost: ZTA requires significant investment in new technologies, re-architecting networks, and retraining personnel. Integrating it across diverse vendor environments can be complex.
- Integration with Legacy Systems: Many organizations and their vendors still rely on legacy systems that may not be easily compatible with ZTA principles.
- Cultural Shift: It requires a fundamental change in mindset, both internally and among vendors, from a ‘trust but verify’ approach to a ‘never trust, always verify’ stance.
- Vendor Adoption and Enforcement: Mandating ZTA principles for all suppliers can be difficult, especially for smaller vendors who may lack the resources or technical capabilities.
Despite these challenges, the proactive and continuous verification model of ZTA offers a powerful defense against the escalating threat of supply chain cyberattacks. By systematically eliminating implicit trust and enforcing strict, granular access controls across all interactions with third-party partners, organizations can significantly bolster their security posture and build a more resilient digital supply chain for the future, thereby preventing incidents akin to the Synnovis attack from spiraling into widespread systemic failures.
10. Conclusion: Forging a Path Towards Resilient Digital Supply Chains in an Age of Persistent Threats
The 2024 Synnovis cyberattack, a critical incident that reverberated through the UK’s National Health Service, stands as a stark and unambiguous global reminder of the profound vulnerabilities inherent in modern, interconnected digital supply chains. This incident transcended mere operational disruption, escalating into direct patient harm, significant financial outlay, and a palpable erosion of public trust. It underscores an undeniable truth: an organization’s security posture is inextricably linked to the weakest link in its extended network of third-party partners. In an era where globalization and digitalization have woven an intricate tapestry of dependencies, the imperative for comprehensive, proactive, and adaptive supply chain risk management has never been more acute.
This research has meticulously dissected the multi-dimensional nature of supply chain risks, ranging from traditional operational and financial hazards to the burgeoning and pervasive threat of cybersecurity incidents. The Synnovis case study served as a potent illustration, demonstrating how inadequate cybersecurity within a critical third-party vendor can precipitate systemic failure across essential services. The report has highlighted key vulnerabilities, including over-reliance on third-party dependencies, inconsistent security postures among vendors, a critical lack of end-to-end visibility, and the expanded attack surface presented by complex digital integration points.
To counter these escalating threats, organizations must embrace a multi-faceted strategic approach. Robust vendor risk management, commencing with rigorous pre-contractual due diligence and extending through continuous monitoring and secure offboarding, forms the foundational layer of defense. This must be complemented by the unambiguous articulation and legal enforcement of stringent contractual cybersecurity requirements, ensuring that third-party partners are contractually bound to uphold specific security standards, incident response protocols, and data protection measures. Furthermore, the adoption of structured frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001, and specialized software supply chain risk frameworks provides the methodical rigor necessary to systematically identify, assess, and mitigate supplier-related exposures.
Beyond mere mitigation, the report emphasizes the critical importance of building resilience. Strategies like strategic supplier diversification, implementing robust redundancy and comprehensive business continuity planning, cultivating organizational agility, and enhancing real-time supply chain visibility are essential for an organization’s capacity to anticipate, absorb, adapt to, and rapidly recover from inevitable disruptions. Finally, the implementation of Zero Trust Architecture (ZTA) principles emerges as a transformative paradigm for securing digital supply chains. By mandating continuous verification for every access request, enforcing least privilege, and applying micro-segmentation, ZTA eliminates implicit trust and offers a powerful defense against the lateral movement of attackers, even if an initial compromise occurs within a trusted third party.
In conclusion, the journey towards a secure and resilient digital supply chain is an ongoing, dynamic process that demands continuous vigilance, strategic investment, and collaborative engagement. It requires a cultural shift that permeates every level of the organization and extends to every external partner. By proactively addressing supply chain vulnerabilities, enforcing stringent security requirements, leveraging established frameworks, cultivating intrinsic resilience, and adopting forward-looking architectural principles like Zero Trust, organizations can not only ensure operational continuity but also rigorously safeguard their assets, reputation, and, critically, the interests and safety of all stakeholders in an increasingly interconnected and perilous digital world. The lessons from Synnovis are clear: complacency is no longer an option; proactive security is an existential imperative.
References
- Acar, C., Çelikbilek, B., & Aktaş, A. (2024). Proactive Software Supply Chain Risk Management Framework (P-SSCRM) Version 1. arXiv preprint arXiv:2404.12300.
- Choi, T. M., & Chiu, C. H. (2020). Supply chain management for pandemics. Elsevier.
- Conosco. (2024). NHS Cyber Attacks June 2024. Retrieved from conosco.com
- ENISA (European Union Agency for Cybersecurity). (2021). Threat Landscape for Supply Chain Attacks. Retrieved from www.enisa.europa.eu
- Howden Group. (2025). The Synnovis cyber-attack: A critical warning for healthcare providers over patient safety. Retrieved from howdengroup.com
- ISO/IEC. (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Retrieved from www.iso.org
- Jüttner, U., & Maklan, S. (2011). Supply chain risk management: Developing an integrated framework. International Journal of Logistics Management, 22(1), 5-30.
- NIST (National Institute of Standards and Technology). (2018). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from www.nist.gov
- NIST (National Institute of Standards and Technology). (2020). NIST Special Publication 800-207: Zero Trust Architecture. Retrieved from nvlpubs.nist.gov
- Pettit, T. J., Fiksel, J., & Croxton, D. K. (2019). Supply chain resilience: Definition, factors, and future research. Journal of Business Logistics, 40(1), 1-17.
- Sheffi, Y. (2015). The Power of Resilience: How the Best Companies Manage the Unexpected. MIT Press.
- Synnovis. (2024). Update on Cyber Incident: 01 July 2024. Retrieved from synnovis.co.uk
- Waterstons. (2024). Cyber Report Spotlight: London Hospitals declare ‘critical incident’ following cyber attack. Retrieved from waterstons.com
Given the increasing complexity of supply chains, how can organizations effectively balance the security benefits of Zero Trust Architecture with the potential for increased friction and reduced agility in vendor interactions? Could standardized ZTA implementation guidelines for supply chains help?