
25 Sep The Hidden Victims of Cyber Crime: UK’s Small Suppliers
Why smarter, more inclusive supply chains are the only way forward
By Matt Dabrowski
Jaguar Land Rover. Co-op. Marks & Spencer. Three of the UK’s most recognisable brands, all recently hit by major cyberattacks.
For companies of that scale, the disruption is painful — but survivable. They have brand equity, deep balance sheets, and in some cases, cyber insurance to soften the blow. Smaller suppliers don’t. For the family-run engineering firm in Coventry, the LGBTQ+-owned creative agency in Manchester, or the logistics provider in Cardiff, one large client going offline for weeks can mean cash drying up, jobs disappearing, and doors closing for good.
The ripple effect of big business breaches
Let’s take the recent incidents:
- Co-op reported that its April attack drove £206m in lost revenue and cut £80m from operating profit in just six months.
- M&S estimates a £300m impact on profits in 2025/26.
- JLR was forced to halt production entirely — with the UK government even considering emergency plans to buy directly from its suppliers to stop them going under.
These numbers make headlines. But the hidden story is in the supply chain: smaller businesses left waiting on payments, juggling payroll, or scrambling to cover rising operating costs while orders stall.
The danger of all eggs in one basket
Too many SMEs rely on one “anchor” client for the majority of their revenue. When that client goes down, so do they. And in today’s economy — with higher costs, rising National Insurance contributions, and fewer growth opportunities — those gaps can be fatal.
For corporates, losing a supplier isn’t just inconvenient. It slows recovery, increases costs, and often means looking overseas to replace lost capacity — weakening UK jobs and skills in the process.
Cyber attacks hit small businesses hardest
The government’s Cyber Security Breaches Survey 2025 reveals:
- 42% of small firms experienced a cyber incident this year (67% for medium-sized, 74% for large).
- The average direct cost for an SME breach is £7,960 — before factoring in reputational harm or lost opportunities.
For a small, diverse supplier already fighting for growth and cash flow, that’s enough to tip the balance from survival to closure.
What big business must do differently
This is bigger than patching firewalls and writing press releases. If corporates want resilience, they need smarter, more inclusive supply chains. That means:
- De-risking dependency. Don’t rely on a handful of large vendors, and don’t force SMEs into single-client dependence.
- Incident-ready payment protocols. When systems go down, accelerate payments to suppliers. JLR had to move to manual payments — but that playbook should be built in, not improvised.
- Investing in supplier resilience. Support SMEs with co-funded cyber security, cyber insurance, and simple incident response training. Make these safeguards a strength, not a tick-box.
- Dual-sourcing with purpose. Build in second-source capacity with smaller, UK-based diverse suppliers — so when disruption hits, you have flexible options close to home.
What SMEs must do to survive
- Diversify your customer base. Don’t let any one client make up more than a third of your revenue.
- Get cyber basics right. Multi-factor authentication, offline backups, and a tested incident response plan should be non-negotiable.
- Know your contracts and cover. Understand your SLAs and force majeure clauses, and make sure your insurance reflects your actual risks.
- Protect your cash flow. Shorten invoice cycles, split milestones, and build a 90-day buffer where possible.
Why inclusive supply chains are the resilience strategy
Here’s the bottom line: diverse, smaller suppliers aren’t just a “nice to have.” They’re the key to building flexible, innovative, and resilient supply chains.
LGBTQ+-owned businesses, women-owned firms, veteran-owned companies, social enterprises — they bring agility, community ties, and the ability to pivot faster than giants. Embedding them isn’t charity. It’s smart risk management, economic common sense, and the way to keep jobs — and opportunity — here in the UK.
OutBritain’s call to action
When a major cyberattack hits, the headlines focus on the corporate giants. But the real cost is carried by the small businesses in their shadow.
If you’re a corporate, supplier diversity is not a gimmick — it’s your resilience strategy. If you’re a small business, don’t bet your survival on a single client.
Because the next cyberattack won’t just test your systems. It will test your ecosystem.
At OutBritain, we’re here to make that ecosystem stronger, more inclusive, and built to last.
References
- Reuters – “Co-op reports £206 million revenue hit after April cyberattack” (September 2025)
- The Times (Business) – “Co-op attack wipes £80 million off operating profit” (September 2025)
- Marks & Spencer Group plc – Trading Update and Outlook Statement (July 2025)
- Financial Times – “Jaguar Land Rover halts production following cyberattack; government explores direct supplier support” (September 2025)
- The Guardian – “JLR suppliers face crisis as automaker grapples with fallout of cyber breach” (September 2025)
- UK Government (DSIT) – Cyber Security Breaches Survey 2025 (March 2025)
- BT & Be the Business – SME Cyber Security Report 2025