The Swedish Cybersecurity Act has been in force for three months. And the single biggest weakness across Swedish organisations isn’t cloud, isn’t AI and isn’t even ransomware itself. It’s the supply chain.
The OneMore Secure Cybersecurity Maturity Report 2025 surveyed over 750 Swedish organisations. 42 percent show low maturity in supply chain security. That’s not a marginal figure. It’s the largest single weakness on the map.
But the most dangerous part isn’t the statistic. It’s what the statistic hides.
42 percent isn’t a technical gap. It’s a governance gap
Low supply chain maturity rarely means someone is missing a tool. It means nobody has decided who owns the risk, which suppliers are business-critical, or what happens when one of them stops working.
The same report shows that over 25 percent lack continuity plans and nearly 40 percent lack data classification. These are the same gaps that have been reported since 2010: patching, segmentation, backup, identity management.
Knowledge isn’t the problem. Decisions are.
The myth: “we’re too small to be a target”
I hear this one all the time. It’s also one of the most dangerous things a leadership team can believe.
Attackers don’t care how big you are. They care how easy you are to break into.
ENISA’s Threat Landscape 2025 analyses 4,875 incidents between July 2024 and June 2025. The conclusion is direct: small and medium-sized organisations are now high-value targets.
Attacks are being industrialised. 60 percent of intrusions start with phishing. Over 80 percent of campaigns now use AI-generated content. When attacks cost almost nothing to scale, it doesn’t matter how small you are. What matters is whether you’re vulnerable.
And if you’re thinking “but the law doesn’t apply to us” — pause there. Organisations in scope of the law are forced to build structures to manage risk. Organisations outside the scope face the same threats without any obligation to act. Fewer resources, thinner margins, less room to handle an incident.
You can be outside the law, but not outside its requirements
There’s another dimension many people miss.
Do you provide services to an organisation that is covered by the Cybersecurity Act? Then the law requires them to manage the risk you represent.
In practice, that means contractual security requirements, audit rights and incident reporting obligations. You don’t need to be in scope of the law yourself to be hit by it.
This is how regulation spreads through the ecosystem. Not through direct supervision. Through contracts.
Three patterns we see in practice
The business with no ransomware plan
They have backup. They even have a firewall. But nobody has tested recovery.
When something happens, they discover that the backup is three weeks old and that nobody knows who decides whether to pay the ransom.
The IT provider who never asked who owns the risk
They sold the tools and installed them. They signed a standard contract. But when the customer’s environment is breached, nobody in the organisation can say which responsibilities are theirs and which are the customer’s.
The organisation that allows personal devices without control
Staff connect from their own laptops. VPN exists, but there’s no MDM and no per-device access control. When one device is compromised, the entire internal environment is exposed.
What all three have in common: they aren’t technical mistakes. They’re decisions that were never made.
Why the same gaps persist year after year
Technical problems get technical attention. Decision problems get none at all, until something is on fire.
That’s why the same gaps persist year after year. Leadership accountability for cybersecurity is tightening in the law, but if nobody in leadership owns the question in practice, nothing changes. The system rolls on until an incident forces a decision that should have been made years earlier.
Start with the decisions
You don’t need a full-scale ISMS to get going. You need answers to three questions:
- Which systems can you not afford to lose for even a day? Not “which systems are important” but which ones would stop the business if they went down for 24 hours.
- Who has the authority to act when something goes wrong? Not “who runs IT” but who can, under pressure, shut down systems, call in outside help or notify customers.
- Are you allocating resources by risk or by size? If the cybersecurity budget scales with revenue instead of threat, that’s a symptom that the decision was never grounded in reality.
Answering these questions honestly doesn’t require technical expertise. It requires that leadership actually sits down and makes decisions. That’s where the work starts — not in a governance framework, and definitely not in a tool.
Small doesn’t mean safe
Small doesn’t mean safe. Being outside the law doesn’t mean being outside the risk. Anyone who is easy to break into is attractive, regardless of revenue.
Who owns your most important technology risk today — not in theory, but in practice?
If you can’t answer that question right away, that’s where you need to start. Contact us for a complimentary assessment.