
Your supplier was hacked and now you're affected as well


Yannick H.

Too Long; Didn't Read

You can have the best firewall, the best team, and the best processes. If your supplier is hacked, you are compromised too. The biggest cyberattacks in recent years did not come through the front door, but through the supply chain.

The Scene Playing Out Right Now

"We have implemented all best practices. Our firewall is top-notch."

That is what we heard from a customer, just before their cloud provider was hacked. And suddenly, all of it became irrelevant. The best firewall in the world will not protect you from a compromised supplier.

The problem: You only control your security up to your supplier's door. After that, you no longer have visibility.

And that is exactly what attackers exploit. They no longer attack the fortress. They knock on the back door. And they know very well that most companies are not looking there. Why break down the strongest door when the side door is open?

SolarWinds, MOVEit, Log4j: The Lessons

SolarWinds (2020): Attackers hacked the software vendor and modified an update. 18,000 customers unknowingly downloaded malware. U.S. government agencies, Fortune 500 companies, all compromised. No one had the supplier in their sights.

MOVEit (2023): An SQL injection vulnerability in a transfer software product. Millions of records stolen. The vendor knew about the problem but responded too slowly. Affected companies first learned about the vulnerability from the news ticker, not from their supplier.

Log4j (2021): An open-source library embedded in billions of systems. One bug, and suddenly everyone is affected who has this library anywhere in their stack. Many companies did not even know they were using the library at all.

The pattern is always the same: You were not attacked. Your supplier was attacked. Or your supplier's supplier. These kinds of attacks have not become less common.

We explore this aspect in The 5 Dimensions of Operational Resilience: A Framework for Companies.

Why the Problem Is Growing

Every additional supplier increases your attack surface. A company with 50 suppliers does not have 50 times more risk, but exponentially more, because every supplier brings its own tools, dependencies, and blind spots.

You are liable, not your supplier. If your cloud provider is hacked and customer data is lost, you bear the responsibility. GDPR, NIS2, and other frameworks make this clear. The supplier rarely pays the fines; you carry the reputational damage.

You do not see the supply chain. You know your direct suppliers. But their suppliers? Practically no one knows what is happening there. Log4j demonstrated this in a brutal way.

Complexity keeps growing. CRM, accounting, HR systems, security tools, APIs, plug-ins. Every touchpoint is a potential entry point, and most of them are not even on the radar as security risks.

Regulatory requirements are tightening. NIS2 and DORA explicitly require you to assess and document the risk of your IT suppliers. What used to be informal best practice is becoming mandatory. Anyone who cannot prove at the next audit which suppliers were classified as critical and what was reviewed will be in a difficult position.

Which Suppliers Are Critical?

Not all suppliers need the same level of attention. The key question is: Which supplier would cause the greatest damage if compromised?

A supplier is considered critical if it has direct access to your systems or data, operates a service without which your business would stop, or carries regulatory implications.

In practice, these are usually: cloud providers, CRM systems, hosting and DNS, HR software, accounting solutions with banking connections. On this short list, you can work with real diligence without getting lost in the details.

The Six Types of Supplier Risks

1. Direct Access

Your hosting provider has root access. Your security provider sees your firewall logs. Your CRM partner has customer data. If that supplier is compromised, the attacker immediately has access to your critical systems without you noticing.

2. Software Dependencies

Your vendor uses open-source libraries. Those libraries have their own dependencies. One bug somewhere in that chain, and you are affected without knowing it. Log4j was exactly that: a library buried deep in the stack that no one knew was there at all.

3. Data Sharing

Your marketing tool has customer data. Your analytics provider has usage data. What happens to that data if your supplier is hacked? And who informs whom within what timeframe? Most companies only clarify these questions when it is too late.

4. Service Dependency

What happens if your cloud provider goes down? If your DNS provider is hacked? Suddenly, your domain no longer leads to you, but to the attacker. Business continuity and vendor risk are therefore not separate issues.

5. Fourth-Party Risks

Your supplier has suppliers. And those suppliers have suppliers. This depth can hardly be controlled in full, but you can require your direct suppliers to understand their own supply chain and provide information on request.

6. Compliance Inheritance

You must be GDPR-compliant. If your supplier stores data outside the EU without appropriate safeguards, you are automatically no longer compliant. The same applies to industry standards such as ISO 27001 or sector-specific regulations.

For a deeper look, see our article The True Costs of Poor Ransomware Preparedness.

What You Can Do

The goal is not a perfect vendor risk program. The goal is to close the most important gaps before someone else exploits them. Start with your critical suppliers, not all of them at once.

Infographic: The 5 Steps to Supplier Security - create an inventory, vendor risk assessment, contractual safeguards, set up monitoring, and plan incident response

Before Engagement:

  • Ask for certifications (ISO 27001, SOC 2). This is not a guarantee, but it is a sign that security is taken seriously.

  • Ask about data residency: Where is the data? Who has access? Are there subprocessors?

  • Ask about incident response: What happens if they are hacked? How quickly will they inform you?

In the Contract:

  • Set clear security requirements; do not sign a contract for critical suppliers without them.

  • Secure audit rights so you can verify things yourself when needed.

  • Define incident notification obligations: Within what timeframe must you be informed?

  • Include exit clauses for emergencies so you do not remain dependent if a supplier becomes a security risk.

Ongoing:

  • Review critical suppliers annually or whenever major changes occur on their side.

  • Set up Google Alerts for "[supplier name] security breach". Simple, free, effective.

  • Prioritize suppliers by risk: Who has data access, who has system access, how critical is the service?

If It Happens:

  • Contact the supplier immediately and document everything in writing.

  • Understand the scope: Which of your data and systems are affected?

  • Escalate internally and activate your own incident response protocol.

  • Inform customers and authorities if personal data is affected. GDPR gives you 72 hours.

The Most Common Mistake

The biggest mistake: checking only once and then forgetting.

A supplier that is secure today can be hacked tomorrow. Security is not a checkbox; it is an ongoing process.

One company we worked with had reviewed its cloud provider two years earlier. Everything was fine. Then the provider was hacked. The assessment from two years ago was worthless because the provider's infrastructure and team had fundamentally changed in the meantime.

The second common mistake: treating all suppliers the same. Your coffee supplier is not the same risk as your hosting provider. A simple risk matrix is enough: Who has data access? Who has system access? How critical is the service to your operations? The answers determine the priorities.

For SMEs, this does not have to be a complex program. A simple table with your top 10 suppliers, a risk rating, and a date of the last review is enough as a starting point. The key is not perfection, but consistency.
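The simple risk matrix described above, turned into a small script: it applies the article's own criticality criteria (data access, system access, business-critical service, regulatory implications), ranks suppliers, and flags critical suppliers whose annual review is overdue. This is an added example written for this page, not ODCUS tooling; the supplier inventory is constructed and the reference date is a hypothetical value.

```python
"""Supplier risk matrix per the article's criteria (added example, not ODCUS tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=365)  # "review critical suppliers annually"
TODAY = date(2026, 3, 1)               # constructed reference date for the sample run


@dataclass
class Supplier:
    name: str
    data_access: bool           # holds or can read your data
    system_access: bool         # root/admin or network access into your systems
    business_critical: bool     # operations stop if this service stops
    regulated: bool             # GDPR / NIS2 / DORA implications
    last_review: Optional[date]  # None = never reviewed


def risk_score(s: Supplier) -> int:
    """Number of the article's four criticality criteria that apply (0-4)."""
    return sum([s.data_access, s.system_access, s.business_critical, s.regulated])


def is_critical(s: Supplier) -> bool:
    """A supplier is critical as soon as any one criterion applies."""
    return risk_score(s) > 0


def review_overdue(s: Supplier, today: date) -> bool:
    """Critical suppliers need a review within the last year; never-reviewed counts as overdue."""
    if not is_critical(s):
        return False
    return s.last_review is None or today - s.last_review > REVIEW_INTERVAL


def build_matrix(suppliers, today: date):
    """Rows sorted by descending risk score, overdue reviews first within a score."""
    rows = [{"name": s.name, "score": risk_score(s), "critical": is_critical(s),
             "overdue": review_overdue(s, today)} for s in suppliers]
    rows.sort(key=lambda r: (-r["score"], not r["overdue"], r["name"]))
    return rows


# Constructed sample inventory (hypothetical suppliers, not real vendors)
SAMPLE = [
    Supplier("Hosting provider", True, True, True, True, date(2024, 1, 15)),
    Supplier("CRM platform", True, False, True, True, date(2025, 9, 1)),
    Supplier("DNS provider", False, False, True, False, None),
    Supplier("Coffee supplier", False, False, False, False, None),
]

if __name__ == "__main__":
    for row in build_matrix(SAMPLE, TODAY):
        print(row)
```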

The Bottom Line

Your security is only as strong as the weakest point in your supply chain.

You can have the best firewall, the best team, the best processes. If your supplier is hacked and you are not prepared, you are compromised anyway.

The companies that take this seriously review their critical suppliers regularly, have clear contractual terms, and know what to do when it happens. This is not a complex program. It is foundational.

Want to know where you stand on supplier security? We conduct third-party risk assessments for Swiss companies, pragmatically and without fearmongering. Talk to us.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.
