Considering security risks from third parties in the supply chain

Simon Eyre, chief information security officer at Drawbridge, discusses how organisations can mitigate security risks brought by third parties in the supply chain

The saying might be ‘no man is an island,’ but it’s as applicable to companies as it is to individuals. Businesses are as much a product of their supply chains and the ecosystems they are part of as they are of their own operations – and even the biggest companies need support from third parties.

Nowhere is that truer than when it comes to the technology stack a business deploys. While a service-based business will not require a physical supply chain as it does not sell manufactured goods, it will require a dense network of third parties to provide it with the software and services that make it work.

The hidden, yet growing attack surface area

In security, we often talk about attack surface area – those parts of the organisation exposed to cyber threats. You’ll often read about it in articles looking at digital transformation and how digitalisation, while necessary for operational effectiveness and commercial growth, also increases risk.

That conversation often leaves out that as a company digitises its processes, its attack surface area is not just all the bits of its operation that are now online; it grows to encompass its broader vendor and supplier network.

This represents a massive risk and, according to survey data, one many are not considering. While 56% of organisations expect an increase in reportable incidents in 2022 from attacks on the software supply chain, only 34% have formally assessed their enterprise’s exposure to this risk. Another survey found that 58% of companies are not able to determine whether vendors’ safeguards and security policies are sufficient to prevent a data breach.

More software means more risk

It’s not hard to see why this is the case. Managing your own cyber security is hard enough. From protecting often newly mobile users (and their endpoints) to protecting data both in transit and at rest, as well as ensuring employees maintain cyber hygiene in hybrid and remote work environments, protecting an enterprise in the digital era is a significant challenge. Extend that to vendors, and it only adds another layer of complexity.

Businesses must be able to trust that their vendors have the same enterprise security protocols and standards. And while one would hope that tech businesses would be among the leaders when it comes to cyber security, it’s dangerous for any business to become complacent and assume it is safe.

Where does that leave companies that want to protect themselves from the increased exposure of their software supply chain? Today, it means they must drastically strengthen their third party, vendor and supply chain risk management with proactive, continuous monitoring and rapid response.

The three steps to protect against software supply chain security breaches

First, enterprises need to know what bad looks like. This means knowing how information flows across their organisation and vendors. Understanding these movements does two things: it allows defences to be mapped and resources deployed to mitigate potential weak areas; and it lets businesses know what legitimate data looks like and identify potential threats.

This is critical, as being able to share information quickly is at the heart of digital enterprises. If information is being held up through onerous security checks, the company may remain safe, but it may also lose out on opportunities. Understanding what data should be coming in and where it might have potentially been hijacked or directed away from its intended recipient allows for efficient operational performance, while also providing a layer of protection.

This defence is improved through step two: continuous monitoring. That means never assuming something is legitimate until it proves it is. In other words, taking a zero trust approach and constantly examining every interaction and engagement. We’ve all read about the house purchases that have been hijacked when buyers received emails from solicitors asking for funds to be deposited into different accounts. Often the emails are, effectively, legitimate – the solicitors’ accounts may have been compromised – and so the unsuspecting buyers do as instructed, and only realise their error when said solicitor rings up asking where the money is.

The same thing can happen in a business relationship, except rather than just money being transferred, it might be a compromised application being downloaded, or an infected email attachment that allows bad actors access to corporate networks and data. Through continuous monitoring, systems and vulnerabilities are repeatedly checked and any breaches are identified immediately.

And this leads us to step three: being rapid in response. As soon as a breach occurs, whether it’s within an organisation or as part of a third party, an incident response plan must kick into high gear. In such an incident, the worst thing anyone can do is nothing; even shutting everything down and notifying customers is better than not reacting at all.

But that does require a plan. Or rather, plans, because having a large attack surface area does mean a greater variety of potential breaches. When those incidents cover third party compromises, response plans should be built with vendors’ input: how will they react; what will the communication look like; and how will you as an organisation respond? Every business has different stakeholders and processes to accommodate, but nothing should be assumed when building a plan to mitigate the impact of cyber attacks.
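The three steps above, expressed as a small piece of defensive tooling. This is an added illustration, not code from the article or from Drawbridge: it records what legitimate traffic from each vendor looks like (step one), checks every observed interaction against that record instead of assuming it is legitimate (step two), and maps each finding to a pre-agreed response action (step three). Vendor names, domains, account references and events are all constructed for the example, and the redirected-payment check is modelled on the solicitor scenario described above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VendorFlow:
    """Step one: what legitimate traffic from one vendor looks like."""
    sender_domains: FrozenSet[str]   # domains this vendor really emails from
    payment_account: str             # account reference agreed at onboarding
    data_classes: FrozenSet[str]     # data we expect to exchange with them


# Constructed baseline for illustration; real values come from onboarding records.
BASELINE: Dict[str, VendorFlow] = {
    "acme-payroll": VendorFlow(
        sender_domains=frozenset({"acme-payroll.example"}),
        payment_account="GB00-ACME-0001",
        data_classes=frozenset({"payroll"}),
    ),
    "cloud-backup-co": VendorFlow(
        sender_domains=frozenset({"cloud-backup-co.example"}),
        payment_account="GB00-CBC-0002",
        data_classes=frozenset({"backups"}),
    ),
}


@dataclass(frozen=True)
class Event:
    """One observed interaction with a vendor (constructed for the example)."""
    vendor: str
    sender_domain: str
    kind: str     # "invoice", "account_change" or "file_transfer"
    detail: str   # new account for account_change, data class for file_transfer


# Step three: a per-finding response plan agreed with the vendor in advance.
RESPONSE_PLAN: Dict[str, List[str]] = {
    "unknown_vendor": ["quarantine message", "confirm onboarding status with procurement"],
    "unverified_sender": ["hold message", "verify with vendor via contact on file"],
    "payment_redirect": ["freeze payment", "call vendor on number from onboarding record",
                         "open incident with finance and security"],
    "unexpected_data_flow": ["block transfer", "confirm scope with vendor owner"],
}


def check_event(event: Event, baseline: Dict[str, VendorFlow] = BASELINE) -> List[str]:
    """Step two: never assume an interaction is legitimate; compare it to the baseline."""
    flow = baseline.get(event.vendor)
    if flow is None:
        return ["unknown_vendor"]
    findings: List[str] = []
    if event.sender_domain not in flow.sender_domains:
        findings.append("unverified_sender")
    if event.kind == "account_change" and event.detail != flow.payment_account:
        # The solicitor-style scam: a plausible request to pay a different account.
        findings.append("payment_redirect")
    if event.kind == "file_transfer" and event.detail not in flow.data_classes:
        findings.append("unexpected_data_flow")
    return findings


def triage(events: List[Event], baseline: Dict[str, VendorFlow] = BASELINE,
           plan: Dict[str, List[str]] = RESPONSE_PLAN) -> List[Tuple[Event, List[str], List[str]]]:
    """Return (event, findings, actions) for every event that needs a response."""
    out = []
    for ev in events:
        findings = check_event(ev, baseline)
        if findings:
            actions: List[str] = []
            for f in findings:
                actions.extend(plan[f])
            out.append((ev, findings, actions))
    return out


# Constructed sample interactions: one clean, four that deviate from the baseline.
SAMPLE_EVENTS = [
    Event("acme-payroll", "acme-payroll.example", "invoice", "INV-1001"),                  # legitimate
    Event("acme-payroll", "acme-payroll.example", "account_change", "GB00-XXXX-9999"),      # genuine mailbox, new account
    Event("cloud-backup-co", "cloud-backup-c0.example", "invoice", "INV-2002"),            # lookalike domain
    Event("cloud-backup-co", "cloud-backup-co.example", "file_transfer", "customer_pii"),  # out of agreed scope
    Event("new-saas-tool", "new-saas-tool.example", "invoice", "INV-3003"),                # never onboarded
]

if __name__ == "__main__":
    for ev, findings, actions in triage(SAMPLE_EVENTS):
        print(f"{ev.vendor}: {', '.join(findings)} -> {'; '.join(actions)}")
```

The second sample event is the important one: the sender domain is genuine, so a check that only looks at where the email came from passes it, and only the comparison against the agreed payment account catches the redirect. That is why the response plan for that finding reaches the vendor through contact details recorded at onboarding rather than through the channel that raised the request.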

Combatting reality

Ultimately it is a case of when, not if, a breach will occur — and that’s the same for every organisation up and down the supply chain, thanks to our interconnected world. But businesses should not fear. If you can implement clear proactive response plans, continuously monitor every vendor and supplier that interacts with the organisation and create a clear picture of where the weaknesses are located, you’ll begin to understand what bad looks like. And that will make any business and third party better placed to react quickly and mitigate the impact of future cyber threats.

Written by Simon Eyre, chief information security officer at Drawbridge
