Despite years of warnings, supply-chain risk remains one of the most fragile and underestimated aspects of cybersecurity.
Many of this year’s most disruptive and high-profile cyber incidents shared one key factor; the attacker’s route into the target company was through a third-party provider.
CEO and co-founder of ThreatAware.
A fundamental truth of cybersecurity is that you can’t control what you can’t see, and that risk multiplies when it stems from an external third-party provider, supplier or partner within your supply chain rather than inside the network.
Yet many organizations still rely on self-assessed questionnaires and outdated compliance certificates as proof of safety.
Until organizations can verify the security of every partner in real time, they’ll continue to depend on assumptions rather than assurance and that’s a dangerous position when attackers already understand the weak points in your supply chain better than you do.
Why do supply-chain attacks keep happening?
One of the key reasons is that attackers want to make the best return on their efforts, and have learned that one of the easiest ways into a well-defended enterprise is through a partner. No thief would attempt to smash down the front door of a well-protected building if they could steal a key and slip in through the back.
There’s also the advantage of scale: one company providing IT, HR, accounting or sales services to multiple customers may have fewer resources to protect itself, that’s the natural point of attack.
Smaller suppliers, service providers and contractors often lack the budget and resources to implement the same level of protection as the larger organizations they support, yet they frequently hold privileged access to multiple environments.
It’s a widespread problem that needs a concerted effort to address, but the response has so far fallen short. Most supplier checks still revolve around spreadsheets, surveys, and certificates that are self-verified and static.
Schemes like Cyber Essentials, ISO 27001 or SOC 2 offer structure, but they only confirm that good intentions were once there, and don’t tell you what’s true today.
These schemes do have value, but they only ever offer a point-in-time snapshot. In reality, security posture changes daily. A certificate on a website tells you nothing about whether multi-factor authentication is enforced, devices are encrypted, or endpoints are patched.
When the nature of cyber risks changes so quickly, yearly audits of suppliers can’t provide the most accurate evidence of their security posture. The result is an ecosystem built on trust, where compliance often becomes more of a comfort blanket.
Meanwhile, attackers are taking advantage of the lag between each audit cycle, moving far faster than the verification processes designed to stop them.
Unless verification evolves into a continuous process, we’ll keep trusting paperwork while breaches continue to spread through the supply chain. Every vendor relationship then becomes a blind spot waiting to be exploited. If you’re not measuring the security of those connections constantly, you’re not improving them.
You can’t secure what you can’t see
Even within a single organization, most security teams still struggle to see the full picture. Across countless environments I’ve reviewed, there are always devices, accounts or applications that have slipped through the cracks.
In some cases, we find organizations discover as many as 30% more devices than they had thought existed. If we can’t maintain complete visibility inside our own walls, it’s unrealistic to think we can understand the security posture of hundreds of external partners.
So, how do organizations start closing this visibility gap?
What continuous verification looks like
Every company – whether supplier or client – should be able to demonstrate its level of proactive defense in real time. That means verification that’s continuous, data-driven and indisputable.
Imagine a certificate that automatically refreshes using live data to show your current status – one that can’t be faked, because it’s directly tied to the systems you’re running and the defenses you have in place.
Automation makes this achievable. Continuous monitoring can confirm whether controls like endpoint protection, MFA or patching are active and working. Shared dashboards between clients and suppliers could provide a transparent view of security health across the chain.
In that world, suppliers aren’t just claiming they’re secure – they’re proving it. Proof, not promises, is what will finally build resilience into the supply chain.
Changing the culture of third-party assurance
Technology alone won’t fix the supply chain problem, and a change in mindset is also needed. Too many boards are still distracted by the next big security trend, while overlooking the basics that actually reduce breaches.
Breach prevention needs to be measured, reported and prioritized just like any other business KPI. If a supplier can’t demonstrate that its defenses are in place and working, that should be treated as a performance failure, not a technical issue.
For years, cybersecurity has been treated as a compliance task — something to pass once and revisit later. That culture has to end. The future of assurance lies in continuous accountability, where every organization in the chain can prove that it’s secure.
Proving trust, not assuming it
Every organization’s security is defined by the strength of its weakest link, and in many cases that will be a third-party connection. Attackers already understand that, even if many businesses don’t.
Self-attested audits and static certificates no longer reflect the reality of how fast threats evolve. The only way to build real resilience is to move from assumption to evidence — from trust to proof. Continuous, data-driven verification must become the new standard for supply-chain security.
Until we can prove, in real time, that our partners are as secure as we believe them to be, the supply chain will remain the easiest way for attackers to walk straight through the front door.
We’ve featured the best encryption software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
https://cdn.mos.cms.futurecdn.net/YbizeHRMkF5QLe6eeYypqc-1268-80.jpg
Source link
