
Your supplier was hacked and now you're affected as well

Yannick H.

Too Long; Didn't Read

You can have the best firewall, the best team, the best processes. If your supplier is hacked, you are also compromised. The biggest cyber-attacks in recent years didn't come through the front door - they came through the supply chain.


The scene unfolding right now

"We have implemented all best practices. Our firewall is first-class."

That’s what we heard from a client—shortly before their cloud provider was hacked. And suddenly, none of it mattered.

The problem: You control your security only up to your supplier’s door. After that, you have no visibility.

And that is exactly what attackers exploit. They no longer attack the fortress. They knock on the back door.

SolarWinds, MOVEit, Log4j — the lessons

SolarWinds (2020): Attackers compromised the vendor's build environment and planted a backdoor in a signed update of the Orion platform. Up to 18,000 customers installed the trojanized update through the normal, trusted update channel; the attackers then used that foothold to go after a far smaller set of hand-picked targets, including U.S. government agencies and Fortune 500 companies. None of those customers had to make a mistake to be exposed.

MOVEit (2023): An SQL injection vulnerability in the MOVEit Transfer file transfer product was exploited as a zero-day, before a patch existed. Data on millions of people was stolen, much of it from organizations that had never heard of the product because a supplier of theirs ran it. By the time the vendor published a fix, many instances had already been emptied.

Log4j (2021): Log4Shell, a remote code execution bug in an open-source Java logging library that is embedded in an enormous share of enterprise and vendor software. One bug, and suddenly everyone is affected who has this library somewhere in their stack, whether they knew they were shipping it or not.

The pattern is always the same: You were not attacked. Your supplier was attacked. Or your supplier’s supplier.

(By the way, this is not a theory. This happens all the time.)

We examine this aspect in The 5 Dimensions of Operational Resilience: A Framework for Companies.

Why the problem is growing

Every additional supplier increases your attack surface. A company with 50 suppliers does not simply carry 50 times the risk of a company with one: suppliers share sub-suppliers, integrations and credentials with each other, so a single compromise can reach you through several of them at once.

You remain accountable, even when the supplier is at fault. If your cloud provider is hacked and customer data is lost, who answers to the regulator and to your customers? You. Under GDPR the controller stays responsible for what its processors do with the data, and NIS2 explicitly requires you to manage supply chain risk. You may claim damages from the supplier afterwards, but you cannot delegate the responsibility.

You cannot see the supply chain. You know your direct suppliers. But their suppliers? Almost no one knows what is happening there.

Complexity keeps increasing. CRM, accounting, HR systems, security tools, APIs, plug-ins. Every touchpoint is a potential entry point.

The six types of supplier risk

1. Direct access

Your hosting provider has root access. Your security provider sees your firewall logs. Your CRM partner has customer data.

If this supplier is compromised, the attacker immediately gains access to your critical systems.

2. Software dependencies

Your vendor uses open-source libraries. These in turn have their own dependencies. One bug anywhere in this chain—and you are affected without even knowing it.

3. Data sharing

Your marketing tool has customer data. Your analytics provider has usage data. What happens to this data if your supplier is hacked?

4. Service dependency

What happens if your cloud provider goes down? If your DNS provider is hacked? Suddenly your domain no longer points to you—but to the attacker.

5. Fourth-party risks

Your supplier has suppliers. And they have suppliers. Log4j was exactly that: a bug in a library your supplier used, often pulled in transitively by another library rather than chosen on purpose, so nobody had it on any list.
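The chain described under software dependencies and fourth-party risks can be made visible rather than guessed at if your vendor hands you a software bill of materials (SBOM). The following is an added example, not code from the original article: it walks a small CycloneDX-style SBOM and reports every dependency path from your own application to a component with a known advisory, using the Log4j case with a deliberately simplified version range. The SBOM document, the vendor component names (crm-sdk, logging-helper) and the advisory table are constructed assumptions; a real run would load the vendor's SBOM and a live feed such as OSV.

```python
"""Walk a CycloneDX-style SBOM and list every dependency path from our own
application to a component with a known advisory, so a bug several suppliers
deep surfaces together with the direct supplier that drags it in.
Added example, not code from the article. SBOM_JSON and ADVISORIES are constructed."""
import itertools
import json

# Constructed SBOM: our-app -> crm-sdk (a vendor SDK) -> logging-helper -> log4j-core.
# jackson-databind is a direct, unaffected dependency, present to show it is not flagged.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:maven/example/our-app@1.0.0",
                             "name": "our-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/vendor/crm-sdk@3.2.0", "name": "crm-sdk", "version": "3.2.0"},
    {"bom-ref": "pkg:maven/vendor/logging-helper@1.4.0", "name": "logging-helper", "version": "1.4.0"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2", "name": "jackson-databind", "version": "2.15.2"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/our-app@1.0.0",
     "dependsOn": ["pkg:maven/vendor/crm-sdk@3.2.0", "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"]},
    {"ref": "pkg:maven/vendor/crm-sdk@3.2.0", "dependsOn": ["pkg:maven/vendor/logging-helper@1.4.0"]},
    {"ref": "pkg:maven/vendor/logging-helper@1.4.0", "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]}
  ]
}
"""

# package name -> [(advisory id, lowest affected version, highest affected version)].
# CVE-2021-44228 (Log4Shell) is real; the range is simplified to 2.0.0..2.14.1 and
# omits the pre-release and back-ported fix versions a real feed would list.
ADVISORIES = {"log4j-core": [("CVE-2021-44228", (2, 0, 0), (2, 14, 1))]}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a suffix like '-beta9' is dropped (a simplification)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_sbom(json_text):
    """Return (root ref, {ref: component}, {ref: [child refs]})."""
    bom = json.loads(json_text)
    root = bom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    components.update((c["bom-ref"], c) for c in bom.get("components", []))
    graph = {ref: [] for ref in components}
    for entry in bom.get("dependencies", []):
        graph.setdefault(entry["ref"], []).extend(entry.get("dependsOn", []))
    return root["bom-ref"], components, graph


def vulnerable_components(components, advisories):
    """{ref: [advisory ids]} for every component inside an affected range."""
    hits = {}
    for ref, comp in components.items():
        version = parse_version(comp.get("version", "0"))
        for adv_id, low, high in advisories.get(comp["name"], []):
            if low <= version <= high:
                hits.setdefault(ref, []).append(adv_id)
    return hits


def find_paths(graph, start, target):
    """Every dependency path from start to target; visited stops cycles, which real graphs contain."""
    paths = []

    def walk(node, trail, visited):
        if node == target:
            paths.append(trail)
            return
        for child in graph.get(node, []):
            if child not in visited:
                walk(child, trail + [child], visited | {child})

    walk(start, [start], {start})
    return paths


def analyze(sbom_json, advisories):
    """{vulnerable ref: {advisories, paths (component names), hops}}; paths[i][1] is the supplier to call."""
    root, components, graph = load_sbom(sbom_json)
    report = {}
    for ref, adv_ids in vulnerable_components(components, advisories).items():
        paths = find_paths(graph, root, ref)
        if not paths:  # listed in the BOM but not reachable from our app
            continue
        named = [[components[r]["name"] for r in p] for p in paths]
        report[ref] = {"advisories": adv_ids, "paths": named,
                       "hops": min(len(p) - 1 for p in paths)}
    return report


if __name__ == "__main__":
    for ref, info in analyze(SBOM_JSON, ADVISORIES).items():
        print(ref, info["advisories"], f"{info['hops']} hops away")
        for path in info["paths"]:
            print("  via:", " -> ".join(path))
```

On the constructed input the report names log4j-core, three hops away, reached only through crm-sdk: that second element of the path is the supplier you can actually contact, which is the practical point. Two things a real tool adds that this one does not: proper pre-release version ordering, and the advisory's own exception list (Log4Shell has back-ported fix releases inside the 2.x range).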

6. Compliance inheritance

You must be GDPR-compliant. If your supplier transfers personal data to the U.S. without a valid transfer mechanism (an adequacy decision, standard contractual clauses or comparable safeguards), that transfer is unlawful, and as the controller it is your problem, not only theirs.

Our article The Real Costs of Inadequate Ransomware Preparedness offers a deeper look.

What you can do

Before engagement:

  • Ask for certifications (ISO 27001, SOC 2). Neither is a guarantee, but they are a signal. Ask for the actual documents (the ISO certificate with its scope statement, the SOC 2 report with its exceptions), not just the logo on the website, and check that the scope covers the service you are buying.

  • Ask about data storage: Where is the data? Who has access?

  • Ask about incident response: What happens if they are hacked?

In the contract:

  • Document clear security requirements

  • Secure audit rights

  • Define incident notification obligations

  • Include emergency exit clauses

Ongoing:

  • Review critical suppliers regularly

  • Set up news alerts for security incidents involving your suppliers

  • Annual reassessments for the top 10

If it happens:

  • Contact the supplier immediately

  • Understand the scope: Which of your data is affected?

  • Escalate internally

  • Inform customers if necessary

The most common mistake

The biggest mistake: checking only once and then forgetting.

A supplier that is secure today can be hacked tomorrow. Security is not a checkbox—it is an ongoing process.

A company we worked with had assessed its cloud provider two years earlier. Everything was fine. Then the provider was hacked. The assessment from two years ago was worthless.

Where to start

  1. List your critical suppliers—not all of them, only those that have data or access to your systems.

  2. Prioritize by risk—your cloud provider is critical. Your coffee supplier is not.

  3. Ask the top 5: Do they have certifications? What does their incident response plan look like?

  4. Review your contracts—are there audit rights? Incident notification obligations?

  5. Set up alerts—Google Alerts for "[supplier name] security breach" is better than nothing.
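The five steps above are a register, a ranking rule and a review cadence, and they only work if they survive the first year (see the mistake described further up). The following is an added example, not the article's own tooling: a small supplier register that keeps only suppliers with data or access, scores and tiers them, flags missing certifications and overdue reassessments, and produces the search strings for the alerts. The suppliers, the weights, the tier thresholds and the review intervals are constructed assumptions to be replaced with your own.

```python
"""Supplier register: tier the suppliers that hold data or have access, rank
them, and flag the ones whose last assessment is older than their tier allows.
Added example, not the article's own tooling; all tables below are constructed."""
from datetime import date, timedelta

# Constructed weights: what the supplier can do to you, and what it holds of yours.
ACCESS_WEIGHT = {"admin": 5, "integration": 3, "read": 2, "none": 0}
DATA_WEIGHT = {"personal": 4, "confidential": 3, "internal": 1, "none": 0}
# Constructed cadence per tier: tier 1 twice a year, tier 2 yearly, tier 3 every two years.
REVIEW_INTERVAL_DAYS = {1: 180, 2: 365, 3: 730}

# Constructed register. last_assessed is an ISO date, or None if never assessed.
SUPPLIERS = [
    {"name": "cloud-hosting", "access": "admin", "data": "personal",
     "last_assessed": "2024-01-15", "certs": ["ISO 27001", "SOC 2"]},
    {"name": "crm-saas", "access": "integration", "data": "personal",
     "last_assessed": "2025-10-01", "certs": ["SOC 2"]},
    {"name": "analytics", "access": "read", "data": "internal",
     "last_assessed": "2023-11-01", "certs": []},
    {"name": "coffee-delivery", "access": "none", "data": "none",
     "last_assessed": None, "certs": []},
]


def is_critical(supplier):
    """Step 1: only suppliers with data or access belong on the list."""
    return supplier["access"] != "none" or supplier["data"] != "none"


def risk_score(supplier):
    """Step 2: a 0..9 score from access and data; tune the tables, not the callers."""
    return ACCESS_WEIGHT[supplier["access"]] + DATA_WEIGHT[supplier["data"]]


def tier_for(score):
    """Constructed thresholds: 7+ is tier 1, 3..6 is tier 2, below that tier 3."""
    return 1 if score >= 7 else 2 if score >= 3 else 3


def assess(suppliers, today):
    """Critical suppliers ranked by tier then score, each with its findings.
    today may be a date or an ISO string so the run is reproducible."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for s in suppliers:
        if not is_critical(s):
            continue
        score = risk_score(s)
        tier = tier_for(score)
        findings = []
        if not s["certs"]:
            findings.append("no certification on file")
        if s["last_assessed"] is None:
            findings.append("never assessed")
        else:
            due = date.fromisoformat(s["last_assessed"]) + timedelta(days=REVIEW_INTERVAL_DAYS[tier])
            if due < today:
                findings.append(f"reassessment overdue since {due.isoformat()}")
        rows.append({"name": s["name"], "tier": tier, "score": score, "findings": findings})
    rows.sort(key=lambda r: (r["tier"], -r["score"]))
    return rows


def alert_queries(rows, top=5):
    """Step 5: search strings for the top suppliers, ready for an alerting service."""
    return [f'"{r["name"]}" security breach' for r in rows[:top]]


if __name__ == "__main__":
    ranked = assess(SUPPLIERS, date.today())
    for r in ranked:
        print(f"tier {r['tier']} score {r['score']} {r['name']}: {', '.join(r['findings']) or 'ok'}")
    print(alert_queries(ranked))
```

Run against the constructed register on 1 January 2026, the coffee supplier drops out, the hosting provider sits at the top of tier 1 with its assessment overdue since mid-2024, and the analytics vendor is flagged for both a missing certification and a missed yearly review. The intent is that the register is re-run on a schedule, so an assessment cannot silently age past its tier's interval.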

The bottom line

Your security is only as strong as the weakest point in your supply chain.

You can have the best firewall. You can have the best team. But if your supplier is hacked—you are compromised too.

The companies that understand this assess their suppliers regularly. They have clear contracts. They have alerts in place. They know what to do when it happens.

The others? They hope it won’t happen.

(Spoiler: It will happen. The only question is when.)

Want to know how strong your supplier security really is? We conduct third-party risk assessments for Swiss companies—pragmatic and without fear-mongering. Talk to us.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.