News

Third-party attacks are one of the most prominent trends within the threat landscape, showing no signs of slowing down, as demonstrated by recent high-profile cyber incidents in the retail sector.

Third-party attacks are very attractive to cybercriminals: threat actors drastically increase their chances of success and return on investment by exploiting their victims’ supplier networks or open-source technology that numerous organizations rely on.

A supply chain attack is one attack with multiple victims, with exponentially growing costs for the those within the supply chain as well as significant financial, operational and reputational risk for their customers.

In a nutshell, in the era of digitization, IT automation and outsourcing, third-party risk is impossible to eliminate.

With supply chains becoming global, multi-tiered and more complex than they have ever been, third-party risks are increasingly hard to understand.

Supply chain attacks can be extremely sophisticated, hard to detect and hard to prevent. Sometimes the most innocuous utilities can be used to initiate a wide-scale attack. Vulnerable software components that modern IT infrastructures run on are difficult to identify and secure.

So, what can organizations do to improve their defenses against third-party risk? We have outlined three areas organizations can take to build meaningful resilience against third-party cyber risk:

Understanding third-party risk is a significant step towards its reduction. This involves several practical steps, such as:

i) Define responsibility for supply chain cyber risk management ownership. This role often falls between two stools - the internal security teams who will focus primarily on protecting the customer, while the compliance and third-party risk management programs who own responsibility for third party risk and conduct, but don’t feel confident addressing cyber risks given their technical bias.

ii) Identify, inventory and categorize third parties, to determine the most critical supplier relationships. From a cyber security perspective, it is important to identify suppliers who have access to your data, access into your environment, those who manage components of your IT management, those who provide critical software, and – last but not least – those suppliers who have an operational impact on your business.

This is a challenging task, especially for large organizations with complex supply chains, and often requires security teams to work together with procurement, finance and other business teams to identify the entire universe of supplier relationships, then filter out those out of scope from a cyber security perspective.

Assess risk exposure by understanding the security controls suppliers deploy within their estate or the security practices they follow during the software development process, and highlight potential gaps. It is important to follow this up with agreement on the remediation actions acceptable to both sides, and to work towards their satisfactory closure. The reality is that suppliers are not always able to implement the security controls their clients require.

Sometimes this leads to client organizations implementing additional resilience measures in-house instead – often dependent on the strength of the relationship and the nature of the security gaps.

Move away from point-in-time assessments to continuous monitoring, utilizing automation and open-source intelligence to enrich the control assessment process. In practice, this may involve identifying suppliers’ attack surfaces and vulnerable externally-facing assets, monitoring for changes of ownership, identifying indicators of data leaks and incidents affecting critical third parties, and monitoring for new subcontractor relationships.

Regrettably, even mature organizations with developed third-party risk management programs get compromised.

Supply chain attacks have led to some of the most striking headlines about cyber hacks in recent years and are increasingly becoming the method of choice for criminals who want to hit as many victims as possible, as well as for sophisticated actors who want to remain undetected while they access sensitive data.

Preparedness and resilience are quickly becoming essential tools in the kit bag of organizations relying on critical third parties.

In practice, the measures that organizations can introduce to prepare for third-party compromise include:

i) Including suppliers in your business continuity plans. For important business processes that rely on critical suppliers or third-party technology, understand the business impact, data recovery time and point objectives, workarounds, and recovery options available to continue operating during a disruption.

ii) Exercising cyber-attack scenarios with critical third parties in order to develop muscle memory and effective ways of working during a cyber attack that may affect both the third party and the client. Ensure both sides have access to the right points of contact – and their deputies – to report an incident and work together on recovery in a high-pressure situation.

iii) Introducing redundancies across the supply chain to eliminate single points of failure. This is a difficult task, especially in relation to legacy suppliers providing unique services or products. However, understanding your options and available substitutes will reduce dependency on suppliers and provide access to workarounds during disruptive events such as a supply chain compromise.

Protecting your own estate is as important as reducing exposure to third-party risk. Strengthening your internal defenses to mitigate damage if a third party is compromised involves a number of important good practice measures, including but not limited to:

i) Enhanced security monitoring of third-party user activity on your network,

ii) Regular review of access permissions granted to third-party users across your network, including timely termination of leavers,

iii) Continuous identification and monitoring of your own external attack surface, including new internet-facing assets and vulnerable remote access methods,

iv) Employee security training and social engineering awareness, including implementation of additional security verification procedures to prevent impersonation of employees and third parties.

As third-party threats evolve and become more prominent, organizations must have a clear view of who they’re connected to and the risks those connections pose. An end-to-end approach to cyber due diligence, encompassing assessment, monitoring, and response capabilities to threats across their supply chains before damage is done.

Third-party risk will remain a challenge for many organizations for years to come, especially as more threat actor groups begin to explore supply chain compromise as an attractive tactic, offering high rewards with relatively low resistance.

Regulators across all sectors are beginning to pay greater attention to supply chain security. Frameworks such as DORA, NIS2 and the Cyber Resilience Act reflect the growing concerns that supply chain security must be a key component of digital strategy. Those who lead on this issue will be best placed to navigate supply chain compromise.

We list the best identity management software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

• Microsoft names three Chinese hacking groups it claims were abusing recently discovered flaws in SharePoint
• Hackers were apparently able to access sensitive data
• The company is confident the attacks will keep coming until the systems are patched

At least three major Chinese hacking groups were abusing recently discovered vulnerabilities to target businesses using Microsoft SharePoint, the company has said.

Microsoft recently released an urgent patch to fix two zero-day vulnerabilities affecting on-premises SharePoint servers, tracked as CVE-2025-49704 (a remote code execution bug), and CVE-2025-49706 (a spoofing vulnerability), which were being abused in the wild.

Now, Microsoft is saying that the groups targeting the flaws are Chinese state-sponsored groups - namely Linen Typhoon, Violet Typhoon, and Storm-2603.

Get Keeper's Personal Password Manager plan for just $1.67/month

Keeper is a password manager with top-notch security. It's fast, full-featured, and offers a robust web interface. The Personal Plan gets you unlimited password storage across all your devices, auto-login & autofill to save time, secure password sharing with trusted contacts, biometric login & 2FA for added security.View Deal

The first two are part of the larger “typhoon” operation, counting at least half a dozen organizations, including Brass Typhoon, Salt Typhoon, Volt Typhoon, and Silk Typhoon.

In the last couple of years, these groups were attributed with breaches into critical infrastructure organizations, government, defense, and military firms, telecom operators, and similar businesses, across the western world and NATO members.

Some researchers are saying that these groups were tasked with persisting in the target networks, in case the standoff between the US and China over Taiwan escalates into actual war. That way, they would be able to disrupt or destroy critical infrastructure, eavesdrop on important conversations, and thus gain the upper hand in the conflict.

At least seven major telecommunications operators in the United States have recently confirmed discovering Typhoon operatives on their networks and removing them from the virtual premises.

"Investigations into other actors also using these exploits are still ongoing," Microsoft said in a blog post, stressing that the attackers will definitely continue targeting unpatched systems.

SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 were said to be affected. SharePoint Online (Microsoft 365) was secure.

Microsoft recommends customers to use supported versions of on-premises SharePoint servers with the latest security updates immediately, and says users should ensure their antivirus and endpoint protection tools are up to date.

• Microsoft releases urgent SharePoint security flaw patches - here's what you need to know, and how to update
• Take a look at our guide to the best authenticator app
• We've rounded up the best password managers

• Running an old OS like Windows 10 could soon pose cybersecurity issues
• Upgrading could reveal software compatibility issues, report notes
• The clock is now ticking to avoid a rushed Windows 11 migration

New research has uncovered some of the finer details around why many businesses are still being cautious with their approach to Windows 11 migration, with security threats and financial impacts proving to be major hurdles.

The report from Panasonic found nearly two-thirds (62%) of devices need replacing or upgrading for Windows 11 compatibility, highlighting the scale of the problem – a figure that rises to 76% among larger organizations with 5,000+ employees.

However, despite migration-related concerns, the study claims many organizations still recognize the benefits of upgrading from Windows 10 and older operating systems.

Panasonic found 94% fear increased ransomware and malware risks if they don't upgrade, with 93% also concerned about data breaches. But two in three noted overall higher costs associated with migrating to Windows 11, with 55% stating that it could add to cybersecurity expenses.

Nearly half also noted software compatibility issues (47%) and productivity loss during downtime (45%), and for many (25%), hardware upgrades come with software upgrades, compounding the financial impact of OS upgrades.

However, with Microsoft estimating that ESU could cost around £320,000 over three years for 1,000 devices, the need to upgrade is clear.

Around a third each acknowledge that upgrading will give them better performance and processing power (36%), a more future proof ecosystem (36%) and access to AI features like Microsoft Copilot (34%).

Panasonic TOUGHBOOK Europe Head of Go-to-Market Chris Turner commented: "The window is closing for organisations to make a well-planned, measured and cost-effective transition to Windows 11 and start unlocking its benefits."

"Organisations that are still to undertake Windows 11 migration need support to ensure their deployment is not rushed and risky," Turner added.

• Windows 10 users who don’t want to upgrade to Windows 11 get new lifeline from Microsoft
• We've listed the best business laptops and best mobile workstations for the best portable upgrades
• Check out our roundup of the best productivity software

The AI hype felt relentless in 2023/24. While the initial frenzy has subsided somewhat, executives and professionals now grapple with the reality of deploying Artificial Intelligence (AI), specifically Generative AI (GenAI), within their organization.

LLMs (Large Language Models), the technology behind popular GenAI chatbots, are powerful, but there remains a significant disconnect between the perception of what they can do and their practical application for business writing.

Easy to use interfaces like ChatGPT make GenAI seem like it "can literally do anything".

This is a dangerous misconception. While incredibly useful for certain tasks, GenAI chatbots can be totally useless, and even harmful when not used appropriately.

The fundamental difference lies in how GenAI works compared to traditional software.

1. Traditional software is deterministic

It follows fixed logic and algorithms, producing the exact same, 100% accurate, and therefore repeatable result every time you give it the same input. Think of hitting CTRL+F in Word – you get a precise, repeatable count of a term.

2. Generative AI is non-deterministic

LLMs predict the next word based on probabilities from their training data. This means asking the same question twice will often give you different answers. They are designed to be variable.

This core difference results in two critical characteristics businesses must understand:

1. Hallucinations: GenAI can confidently generate incorrect information or make things up. This isn't a bug; it's how the technology works. It's guessing based on patterns, not verifying facts. Copilot, for example, can wildly miscalculate readability scores or miss most instances of a search term.

2. Lack of Repeatability: You simply cannot guarantee the same output from the same prompt.

Here is the absolute critical takeaway: if your writing or document review task requires 100% accuracy or 100% repeatability, you must use deterministic software, not GenAI. Using GenAI for tasks demanding precision is a classic case of wielding a "GenAI hammer" and seeing every problem as a nail.

Consider the disastrous consequences. I’ve used MS Copilot to search for every instance of "cybersecurity" in a contract for compliance purposes, only for the GenAI tool to miss 23 out of 27 occurrences. Trying to "shred" a document line-by-line into an Excel matrix for compliance, a task requiring perfect repeatability, is another inappropriate use case where GenAI will fail.

For businesses, especially in regulated sectors, using GenAI for tasks where factual accuracy is paramount is dangerous. Users may trust outputs due to brand credibility, not realizing the risks of inaccuracy.

Real-world failures like Air Canada's chatbot providing false information resulting in a lawsuit underscore the significant brand and trust damage inaccurate GenAI can cause.

GenAI thrives for tasks where variability, creativity, or a "good enough" answer is acceptable or desired.

Appropriate use cases include:

• First Draft Creation: Generating initial versions of documents like management plans, executive summaries, or proposal sections based on context. This can save significant time.
• Creative Assistance: Rewriting content in a different tone or style.
• Summarization: Condensing lengthy documents.
• Simplification/Rephrasing: Making complex text more accessible or refining paragraphs.
• Research & Analysis: Using public data for competitive analysis or sales research where perfect accuracy on every detail isn't required for generating insights. Using NLP (another type of AI) for thematic analysis across communications to check message consistency.

Beyond simple chatbots, the real value often lies in specialized applications. These layer GenAI into workflows for specific jobs, intelligently combining GenAI for creative/drafting tasks with deterministic software for accuracy-critical functions like readability scoring or compliance checks.

They understand the "job to be done" and apply the right technology. NotebookLM, which generates audio summaries of documents, is a great example of a focused application.

Generative AI, even when combined with techniques like Retrieval Augmented Generation (RAG) to access proprietary data, is not a magic wand that can overcome poor data quality. The old adage "garbage in, garbage out" is more relevant than ever. If your internal knowledge bases are a mess of outdated content, multiple revisions, and poorly tagged documents, the AI's output will reflect that chaos.

As the Harvard Business Review noted, "Companies need to address data integration and mastering before attempting to access data with generative AI". Good data hygiene – clear folder structures, naming conventions, and processes for maintaining content – is crucial but is fundamentally a human behavior problem, not just a tech one. Investing in proper knowledge management now will pay dividends when you roll out any GenAI solution.

Many popular AI chatbots rely on public cloud-based LLMs. For businesses, especially those in regulated industries like defense, finance, and healthcare, feeding proprietary or sensitive or PII (Personally Identifiable Information) data into these public models poses a significant security risk. CISOs (Chief Information Security Officers) are rightly wary, often blocking interactions with such models entirely.

The safer path for enterprises involves hosting LLMs in a private cloud or on-premise, fully locked down behind the firewall. The rise of powerful open-source models like Llama 4 or Mistral Nemo which can be deployed securely in-house, is a welcome trend. This shift is so significant that a Barclays CIO survey last year indicated 83% plan to repatriate some workloads from the public cloud, largely driven by AI considerations.

Most AI projects fail not due to the technology, but because of people, process, security, and data issues. Lack of buy-in, poor strategy, inadequate data, and insufficient change management and user education are common pitfalls.

Deploying AI chatbots without teaching users about:

• Hallucinations
• The need to verify outputs
• Effective prompting
• Crucially, what tasks not to use GenAI for

...will lead to frustration and project failure.

Start with the business problem you need to solve, then map the appropriate technology to that job. Don't just chase the "shiny new tech". Define your goals, measure success (both quantitative and qualitative), and involve end-users early.

When evaluating vendors, look beyond captivating demos. Ask pointed questions about accuracy, repeatability, data handling, security posture, and their understanding of your specific use cases and industry needs. Always try before you buy and vet vendors carefully. Be wary of vendors who overpromise or claim GenAI can do everything.

In summary, popular AI chatbots offer exciting capabilities, but they are not magic. They are powerful tools with significant limitations. Successful businesses will adopt a pragmatic, thoughtful approach: understanding GenAI's non-deterministic nature, applying it strategically to appropriate tasks (like creative drafting), leveraging hybrid applications, investing in data quality and security, and crucially, focusing on the people and processes required for effective adoption and change management.

This is the path to truly unlocking AI's value.

I tried 70+ best AI tools.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro