Your supplier was hacked and now you're affected as well

Yannick H.

Jan 24, 2026

Too Long; Didn't Read

You can have the best firewall, the best team, the best processes. If your supplier is hacked, you are also compromised. The biggest cyber-attacks in recent years didn't come through the front door - they came through the supply chain.

A Scene That Keeps Playing Out

"We have implemented all best practices. Our firewall is top-notch."

That's what we heard from a customer - just before their cloud provider was hacked. And suddenly everything was irrelevant.

The problem: You only control your security up to your supplier's door. After that, you have no visibility.

And attackers exploit exactly that. They no longer attack the fortress. They knock on the back door.

SolarWinds, MOVEit, Log4j - The Lessons

SolarWinds (2020): Attackers compromised the software vendor and planted malicious code in a legitimate update. 18,000 customers unknowingly downloaded the malware. US government agencies, Fortune 500 companies - all compromised.

MOVEit (2023): A SQL injection vulnerability in transfer software. Millions of records stolen. The supplier knew about the problem - but reacted too slowly.

Log4j (2021): An open-source library embedded in billions of systems. One bug, and suddenly everyone who has this library somewhere in their stack is affected.

The pattern is always the same: You weren't attacked. Your supplier was attacked. Or your supplier's supplier.

(By the way, this is not a theory. It happens all the time.)

Why the Problem is Growing

Every additional supplier increases your attack surface. A company with 50 suppliers doesn’t have 50 times more risk - it has exponentially more.

You are liable, not your supplier. If your cloud provider is hacked and customer data is lost - who bears the responsibility? You. GDPR, NIS2, and other frameworks make this clear.

You don't see the supply chain. You know your direct suppliers. But their suppliers? Practically nobody knows what's happening there.

Complexity is constantly growing. CRM, accounting, HR systems, security tools, APIs, plug-ins. Every touchpoint is a potential entry point.

The Six Types of Supplier Risks

1. Direct Access

Your hosting provider has root access. Your security provider sees your firewall logs. Your CRM partner has customer data.

If that supplier is compromised, the attacker immediately has access to your critical systems.

2. Software Dependencies

Your software vendor uses open-source libraries. These in turn have their own dependencies. A bug somewhere in this chain - and you're affected without knowing it.

3. Data Sharing

Your marketing tool has customer data. Your analytics provider has usage data. What happens to this data if your supplier is hacked?

4. Service Dependency

What happens if your cloud provider fails? If your DNS provider is hacked? Suddenly your domain no longer leads to you - but to the attacker.

5. Fourth-Party Risks

Your supplier has suppliers. And they have suppliers. Log4j was exactly that - a bug in a library that your supplier used without knowing it.

6. Compliance Inheritance

You must be GDPR compliant. If your supplier stores data in the USA without adequate protection clauses - you are automatically no longer compliant.

What You Can Do

Before Commissioning:

  • Ask for certifications (ISO 27001, SOC 2). They are not a guarantee, but they are a signal.

  • Ask about data storage: Where is the data? Who has access?

  • Ask about incident response: What happens if they get hacked?

In the Contract:

  • Specify clear security requirements

  • Secure audit rights

  • Define incident notification obligations

  • Include emergency exit clauses

Ongoing:

  • Regularly review critical suppliers

  • Set up news alerts for security incidents involving your suppliers

  • Reassess your top 10 suppliers annually

If it Happens:

  • Contact the supplier immediately

  • Understand the scope: Which of your data is affected?

  • Escalate internally

  • Inform customers if necessary

The Most Common Mistake

The biggest mistake: Check once and then forget.

A supplier that is secure today can be hacked tomorrow. Security isn't a checkbox - it's an ongoing process.

A company we worked with had checked its cloud provider two years ago. Everything was fine. Then the provider was hacked. The assessment from two years ago was worthless.

Where to Start

  1. List Your Critical Suppliers - not all, just those who have data or access to your systems.

  2. Prioritize by Risk - Your cloud provider is critical. Your coffee supplier is not.

  3. Ask the Top 5: Do they have certifications? What does their incident response plan look like?

  4. Check Your Contracts - Are there audit rights? Incident notification obligations?

  5. Set Up Alerts - Google Alerts for "[supplier name] security breach" are better than nothing.
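The five steps above amount to a small supplier register: list only suppliers with data or access, score them, and flag the ones whose last assessment is older than a year (the "check once and then forget" mistake). The script below is an added example written for this article, not a tool from the author or from ODCUS; the field names, the scoring weights and the sample suppliers are all constructed assumptions, and the fields map onto the six risk types described earlier (direct access, data sharing, service dependency, compliance inheritance, plus the contract clauses).

```python
"""Minimal supplier risk register (added example; weights and data are illustrative)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Fixed reference date so the results are reproducible (the article's publication date).
TODAY = date(2026, 1, 24)
MAX_ASSESSMENT_AGE_DAYS = 365  # "reassess your top suppliers annually"


@dataclass
class Supplier:
    """One row of the register. Field names are assumptions made for this example."""
    name: str
    has_system_access: bool = False        # 1. Direct access: root access, firewall logs
    holds_customer_data: bool = False      # 3. Data sharing: CRM, marketing, analytics
    service_critical: bool = False         # 4. Service dependency: cloud, DNS
    data_outside_eu: bool = False          # 6. Compliance inheritance: GDPR exposure
    certifications: Tuple[str, ...] = ()   # e.g. ("ISO 27001", "SOC 2")
    audit_rights: bool = False             # contract clause present?
    incident_notification: bool = False    # contract clause present?
    last_assessed: Optional[date] = None   # None means never assessed


def is_critical(s: Supplier) -> bool:
    """Step 1: only suppliers with data or access to your systems make the list."""
    return s.has_system_access or s.holds_customer_data or s.service_critical


def risk_score(s: Supplier) -> int:
    """Step 2: exposure (what the supplier can reach) plus missing safeguards.
    The weights are illustrative, not a standard."""
    score = 0
    score += 4 if s.has_system_access else 0
    score += 3 if s.holds_customer_data else 0
    score += 3 if s.service_critical else 0
    score += 2 if s.data_outside_eu else 0
    score += 1 if not s.certifications else 0
    score += 1 if not s.audit_rights else 0
    score += 1 if not s.incident_notification else 0
    return score


def contract_gaps(s: Supplier) -> List[str]:
    """Step 4: which of the contract clauses the article asks for are missing."""
    gaps = []
    if not s.audit_rights:
        gaps.append("audit rights")
    if not s.incident_notification:
        gaps.append("incident notification obligation")
    return gaps


def is_stale(s: Supplier, today: date = TODAY) -> bool:
    """An assessment is stale when it is missing or older than the allowed age."""
    if s.last_assessed is None:
        return True
    return (today - s.last_assessed).days > MAX_ASSESSMENT_AGE_DAYS


def prioritize(suppliers: List[Supplier], top_n: int = 5) -> List[str]:
    """Step 3: the top-N critical suppliers by score (ties broken by name)."""
    critical = [s for s in suppliers if is_critical(s)]
    critical.sort(key=lambda s: (-risk_score(s), s.name))
    return [s.name for s in critical[:top_n]]


def reassessment_due(suppliers: List[Supplier], today: date = TODAY) -> List[str]:
    """Critical suppliers whose last assessment is stale, in register order."""
    return [s.name for s in suppliers if is_critical(s) and is_stale(s, today)]


# Constructed sample register; none of these are real companies.
SAMPLE_SUPPLIERS = [
    Supplier("CloudHost AG", has_system_access=True, service_critical=True,
             certifications=("ISO 27001",), incident_notification=True,
             last_assessed=TODAY - timedelta(days=730)),   # checked two years ago
    Supplier("CRM Partner", holds_customer_data=True, certifications=("SOC 2",),
             audit_rights=True, incident_notification=True,
             last_assessed=TODAY - timedelta(days=90)),
    Supplier("DNS Provider", service_critical=True,
             last_assessed=TODAY - timedelta(days=400)),
    Supplier("Marketing Tool", holds_customer_data=True, data_outside_eu=True),
    Supplier("Coffee Supplier"),                           # no data, no access
]

if __name__ == "__main__":
    for name in prioritize(SAMPLE_SUPPLIERS):
        s = next(x for x in SAMPLE_SUPPLIERS if x.name == name)
        print(f"{name:15} score={risk_score(s)} gaps={contract_gaps(s)} stale={is_stale(s)}")
    print("Reassessment due:", reassessment_due(SAMPLE_SUPPLIERS))
```

Running it lists the four critical suppliers in priority order, drops the coffee supplier, and reports that the cloud host assessed two years ago, the DNS provider and the never-assessed marketing tool are all due for reassessment. Change the weights to match what matters to you; the point is that the register is re-run regularly, not filled in once.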

Conclusion

Your security is only as strong as the weakest link in your supply chain.

You can have the best firewall. You can have the best team. But if your supplier is hacked - you are also compromised.

The companies that understand this regularly check their suppliers. They have clear contracts. They have set up alerts. They know what to do when it happens.

The others? They hope it doesn't happen.

(Spoiler: It happens. The only question is when.)

Want to know how good your supplier security really is? We conduct third-party risk assessments for Swiss companies - pragmatic and without scaremongering. Talk to us.

Does this topic concern you?

Learn more about our services on this topic, or simply arrange a conversation.

Copyright © 2025 ODCUS | All rights reserved.