Supplier risk is challenging the misconception about size in cybersecurity.

Cyber attacks are no longer just a concern for big companies. In today’s digital world, every business, regardless of size, is at risk. This shift has become clear over the last decade, as smaller organizations find themselves increasingly vulnerable to the fallout from cyber incidents, especially those involving their suppliers.

Serene Davis, QBE’s global head of cyber, emphasized that the myth that smaller companies can escape notice is dangerous. She stated that a company’s risk is less about its size and more about its relationships with vendors and the complexity of its operations. With businesses more interconnected than ever, a single weak link in the supply chain can lead to widespread disruptions.

Recent data from QBE highlights a troubling trend: the number of significant cyber attacks has nearly doubled from 2020 to 2024, rising from 103 to 196 incidents. By the end of 2025, experts expect to see even more cyber activity. Davis noted that while some events might cause temporary slowdowns, the overall trend points upward.

A report by Control Risks, commissioned by QBE, revealed that 52% of businesses with 100 to 2,000 employees experienced a cyber attack in the past year. Alarmingly, 59% of these attacks were linked to third-party suppliers. This statistic underscores the growing threat posed by supply chain vulnerabilities. Additionally, nearly half of the companies hit by cyber attacks reported losing revenue due to the disruptions.

Davis pointed out a significant blind spot for many organizations: inadequate assessment of third-party risks, particularly from non-technology vendors. She explained that the security measures of suppliers vary widely, and some companies lack backups or incident response plans. This inconsistency can lead to severe consequences when a supplier experiences a cyber incident.

Geopolitical tensions also play a role in increasing cyber risks. Between 2023 and 2024, Europe and North America saw a 42% rise in significant cyber incidents, largely attributed to the ongoing war in Ukraine. Furthermore, the rise of generative artificial intelligence (Gen AI) poses new challenges. Last year, 10% of successful cyber attacks involved deepfakes or other AI tools, highlighting how attackers are exploiting these technologies.

Despite the risks, businesses are rapidly adopting AI, with 67% already using it in some form. Many believe it will positively impact their economies in the near future. However, Davis warned that while AI can improve efficiency, it also expands the potential attack surface for cybercriminals.

To combat these challenges, Davis recommends that organizations thoroughly map their vendor dependencies. Understanding the tiers of suppliers and their reliability can help identify potential weaknesses and prepare for disruptions. While some companies may need to consolidate suppliers for cost reasons, it’s crucial to establish strong incident response and business continuity plans.

As the landscape of cyber threats evolves, Davis believes that insurers and brokers have a responsibility to guide businesses in managing these risks. She emphasizes that cyber insurance is essential for companies of all sizes and that its value often becomes clear only after an incident occurs. Simplifying the conversation around cyber insurance is vital so that businesses recognize its importance and can better protect themselves against potential threats.

Author

Sophia Langley runs real-life budget scenarios to recommend coverage mixes that protect households without sinking their monthly finances.