
A cyber vulnerability is a weakness in an information system, or in the security procedures around it, that a cybercriminal can exploit to gain access, steal data or disrupt operations. Identifying and managing vulnerabilities reduces cyber risk and limits the impact on the business in the event of a breach.

The digitization and interconnected nature of supply chains have increased the risk and severity of cyberattacks. Today, threat actors are targeting third-party partners or suppliers by exploiting cyber vulnerabilities in their systems to gain access to companies in the value chain.

"The ability to identify common vulnerabilities within widely used software can help build a proactive defense against supply chain attacks, while also reducing their systemic potential," says Johnty Mongan, global head of Cyber Risk Management at Gallagher.

According to Pinsent Masons, there was a significant uptick in the number of third-party/supply chain-related incidents they responded to — rising from 6% in 2024 to nearly 20% of all cases in 2025. The same year, the average cost of a data breach to organizations was $4.44 million.1

Cyber vulnerabilities in complex supply chains

Despite the growing threat, many companies are losing sight of their digital supply chains. While 45% of large organizations review the cyber risks posed by their suppliers, the practice remains relatively rare across the board. According to the Cyber Security Breaches Survey 2025, just over one in 10 businesses said they reviewed the risks posed by their immediate suppliers.2

If there's an issue within a particular piece of software, the same vulnerability may be present across thousands — or even millions — of machines, particularly when the software is not updated.

"Information on where to find common cyber vulnerabilities, so they can be exploited, is readily available to malicious actors operating on the dark web," adds Johnty Mongan. Cybercriminals are creating forums where they discuss tactics and share common vulnerabilities they have discovered.

Also, many firms now outsource their IT management, which has resulted in a loss of in-house expertise. When an attack occurs, businesses are often dependent on external companies for assistance. When a supply chain attack takes out multiple organizations, third-party breach-response firms may themselves be overstretched and unable to respond as quickly.

Identifying common cyber vulnerabilities

There are a few measures organizations can implement to build IT resilience. The first is to build good cyber hygiene, so that firms can avoid becoming the low-hanging fruit. Essential cyber-hygiene practices include identifying and regularly updating software, implementing strong passwords and conducting regular system scans to proactively address potential weaknesses.

Five steps to maintain effective cyber hygiene

  1. Train staff regularly: Conduct training sessions and phishing simulations to enhance employee awareness and preparedness against cyber threats.
  2. System vulnerability scans: Schedule vulnerability scans to identify and address outdated or vulnerable software, preventing potential security breaches.
  3. Implement multi-factor authentication: Enable MFA, use strong, unique passwords or a password manager, and keep admin access to the bare minimum.
  4. Develop a well-defined incident response plan: Create an actionable response plan for cyberattacks, and clearly define roles and responsibilities so that incidents are resolved effectively.
  5. Regular review and update: Review and update risk-management strategies to adapt to evolving threats, engaging with experts to refine and enhance practices.

What are the benefits of CVE?

  • Provides a standardized ID for each known vulnerability
  • Enables smarter detection methods
  • Mitigates cyber risks and reduces the attack radius
  • Improves threat detection
  • Allows information to be shared easily
  • Improves budget management

A similar discipline can be extended to third parties. Maintaining continuous due diligence with regular checks rather than relying on a one‑time vetting can also help identify cyber vulnerabilities.

In 2026, organizations are more proactively scrutinizing their supply chain. One notable example is a global information technology company that recently reduced its supplier base to fewer than 10 after issuing an in-depth risk questionnaire with almost 500 questions to understand exactly how partners control cyber risk.

Responses were used to streamline the supply chain to just those securing data to the highest standard.

In addition, cyber experts can spot vulnerabilities within widely used software and use them to anticipate large-scale attacks through Common Vulnerabilities and Exposures (CVE). CVE is a standardized catalogue of publicly known weaknesses or flaws in software, hardware, networks or systems that attackers can exploit, with each entry assigned a unique identifier.

Cyber Defense Center: An early warning system

The Gallagher Cyber Defense Center works with clients to aggregate CVE identifiers as a proactive approach to assessing risk and recommending mitigation strategies. We typically find that six in ten clients face common cyber vulnerabilities as a result of purchasing or licensing the same technology.

This creates a situation in which attackers are more likely to succeed when targeting CVEs in popular off-the-shelf solutions.

We use our system to monitor vulnerabilities, conduct client-specific risk assessments and communicate identified vulnerabilities to clients. The system also emphasizes the importance of industry-wide vulnerability patterns and the need for continuous monitoring and improvement. All this helps our clients mitigate cyber risks by providing guidance on remediation strategies.

Building a robust defense

The growing complexity and interconnectivity of digital supply chains offer cybercriminals an ever-expanding attack surface. For hackers, it's easier to exploit a supplier and gain multiple opportunities to attack that vendor's downstream customers.

Gallagher's Cyber Defense Center CVE monitoring system enables us to identify trends across a large client base, helping us spot cyber vulnerabilities. Just as a weather forecast can help track a hurricane's path so people can move out of harm's way, we can build a picture of which CVEs are ripe for exploitation and offer an early warning.
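The aggregation described in the two passages above (monitoring CVEs against each client's software, then looking for the vulnerabilities that recur across the whole client base) can be illustrated with a small script. The code below is an added example written for this page; it is not Gallagher's or the Cyber Defense Center's own system. It assumes a constructed client inventory, a constructed CVE feed with placeholder identifiers (not real CVE records), a simplified "fixed in version X" affected-range model, and a hypothetical `exploited` flag standing in for known-exploited-in-the-wild status.

```python
"""Added example: rank CVEs by how many clients in a portfolio are exposed.
Not Gallagher's code; all data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str      # placeholder identifier, not a real CVE record
    vendor: str
    product: str
    fixed_in: str    # first version that is NOT affected (simplified range model)
    cvss: float
    exploited: bool  # hypothetical "known exploited in the wild" flag


def version_key(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, cve: Cve) -> bool:
    """Affected when the installed version is older than the fixed version."""
    return version_key(installed) < version_key(cve.fixed_in)


# Constructed inventory: client -> [(vendor, product, installed version), ...]
INVENTORY = {
    "client-a": [("examplecorp", "webgw", "2.3.0"), ("examplecorp", "vpn", "5.1.2")],
    "client-b": [("examplecorp", "webgw", "2.5.0"), ("otherco", "erp", "11.0.0")],
    "client-c": [("examplecorp", "webgw", "2.2.9"), ("examplecorp", "vpn", "5.2.0")],
    "client-d": [("examplecorp", "webgw", "2.4.0"), ("otherco", "erp", "11.1.0")],
    "client-e": [("examplecorp", "webgw", "2.3.7"), ("examplecorp", "vpn", "5.0.0")],
}

# Constructed CVE feed with placeholder IDs (not real vulnerabilities)
CVE_FEED = [
    Cve("CVE-0000-0001", "examplecorp", "webgw", "2.4.0", 9.8, True),
    Cve("CVE-0000-0002", "examplecorp", "vpn", "5.2.0", 7.5, False),
    Cve("CVE-0000-0003", "otherco", "erp", "11.1.0", 8.1, False),
]


def exposure_by_cve(inventory: dict, feed: list) -> dict:
    """Map each CVE id to the set of clients running an affected version."""
    hits = defaultdict(set)
    for client, assets in inventory.items():
        for vendor, product, version in assets:
            for cve in feed:
                if (cve.vendor, cve.product) == (vendor, product) and is_affected(version, cve):
                    hits[cve.cve_id].add(client)
    return dict(hits)


def prioritize(inventory: dict, feed: list) -> list:
    """Rank CVEs portfolio-wide: exploited first, then share of clients exposed, then CVSS.
    A CVE hitting many clients is the 'systemic' one worth an early warning."""
    by_id = {cve.cve_id: cve for cve in feed}
    total = len(inventory)
    rows = []
    for cve_id, clients in exposure_by_cve(inventory, feed).items():
        cve = by_id[cve_id]
        rows.append({
            "cve": cve_id,
            "clients": sorted(clients),
            "share": len(clients) / total,
            "cvss": cve.cvss,
            "exploited": cve.exploited,
        })
    rows.sort(key=lambda r: (r["exploited"], r["share"], r["cvss"]), reverse=True)
    return rows


def client_report(client: str, inventory: dict, feed: list) -> list:
    """Client-specific view: the CVEs one organization is exposed to, most severe first."""
    exposed = [cve for cve in feed
               if any((cve.vendor, cve.product) == (v, p) and is_affected(ver, cve)
                      for v, p, ver in inventory[client])]
    return sorted(exposed, key=lambda c: c.cvss, reverse=True)


if __name__ == "__main__":
    print("Portfolio-wide ranking:")
    for row in prioritize(INVENTORY, CVE_FEED):
        flag = "EXPLOITED" if row["exploited"] else "         "
        print(f"  {row['cve']}  {flag}  cvss={row['cvss']:<4}  "
              f"{row['share']:.0%} of clients: {', '.join(row['clients'])}")
    print("Report for client-a:")
    for cve in client_report("client-a", INVENTORY, CVE_FEED):
        print(f"  {cve.cve_id} ({cve.vendor}/{cve.product}, fix in {cve.fixed_in})")
```

In the constructed data, the `webgw` CVE turns up in three of five clients, which is the kind of shared exposure the text describes when many organizations license the same product. A real deployment would replace the simplified `fixed_in` model with the affected-version ranges published for each CVE and would take the exploited flag from a maintained known-exploited catalogue rather than a hard-coded field.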

Taking such an approach is an essential way of building cyber resilience. It allows companies to pre-empt threats before they arise. Ultimately, proactively responding to the most widespread CVEs is one way to ensure that supply chain attacks don't become systemic.

Published: July 2024
Updated: March 2026


Sources

1 "Cost of a data breach 2025," IBM, accessed 3 Mar 2026.

2 "Cyber security breaches survey 2025," GOV.UK, 19 Jun 2025.