Why we need to boost supply chain cyber resilience
Despite years of warnings, supply-chain risk remains one of the most fragile and underestimated aspects of cybersecurity.
Many of this year’s most disruptive and high-profile cyber incidents shared one key factor: the attacker’s route into the target company was through a third-party provider.
Jon Abbott, CEO and co-founder of ThreatAware.
A fundamental truth of cybersecurity is that you can’t control what you can’t see, and that risk multiplies when it stems from an external third-party provider, supplier or partner within your supply chain rather than inside the network.
Yet many organizations still rely on self-assessed questionnaires and outdated compliance certificates as proof of safety.
Until organizations can verify the security of every partner in real time, they’ll continue to depend on assumptions rather than assurance, and that’s a dangerous position when attackers already understand the weak points in your supply chain better than you do.
Why do supply-chain attacks keep happening?
One of the key reasons is that attackers want to make the best return on their efforts, and have learned that one of the easiest ways into a well-defended enterprise is through a partner. No thief would attempt to smash down the front door of a well-protected building if they could steal a key and slip in through the back.
There’s also the advantage of scale: one company providing IT, HR, accounting or sales services to multiple customers may have fewer resources to protect itself, and that makes it the natural point of attack.
Smaller suppliers, service providers and contractors often lack the budget and resources to implement the same level of protection as the larger organizations they support, yet they frequently hold privileged access to multiple environments.
It's a widespread problem that needs a concerted effort to address, but the response has so far fallen short. Most supplier checks still revolve around spreadsheets, surveys, and certificates that are self-verified and static.
Schemes like Cyber Essentials, ISO 27001 or SOC 2 offer structure, but they only confirm that good intentions were once there, and don’t tell you what’s true today.
These schemes do have value, but they only ever offer a point-in-time snapshot. In reality, security posture changes daily. A certificate on a website tells you nothing about whether multi-factor authentication is enforced, devices are encrypted, or endpoints are patched.
When the nature of cyber risks changes so quickly, yearly audits of suppliers can’t provide the most accurate evidence of their security posture. The result is an ecosystem built on trust, where compliance often becomes more of a comfort blanket.
Meanwhile, attackers are taking advantage of the lag between each audit cycle, moving far faster than the verification processes designed to stop them.
Unless verification evolves into a continuous process, we’ll keep trusting paperwork while breaches continue to spread through the supply chain. Every vendor relationship then becomes a blind spot waiting to be exploited. If you’re not measuring the security of those connections constantly, you’re not improving them.
You can’t secure what you can’t see
Even within a single organization, most security teams still struggle to see the full picture. Across countless environments I’ve reviewed, there are always devices, accounts or applications that have slipped through the cracks.
In some cases, we find organizations discover as many as 30% more devices than they had thought existed. If we can’t maintain complete visibility inside our own walls, it’s unrealistic to think we can understand the security posture of hundreds of external partners.
So, how do organizations start closing this visibility gap?
What continuous verification looks like
Every company – whether supplier or client – should be able to demonstrate its level of proactive defense in real time. That means verification that’s continuous, data-driven and indisputable.
Imagine a certificate that automatically refreshes using live data to show your current status – one that can’t be faked, because it’s directly tied to the systems you’re running and the defenses you have in place.
Automation makes this achievable. Continuous monitoring can confirm whether controls like endpoint protection, MFA or patching are active and working. Shared dashboards between clients and suppliers could provide a transparent view of security health across the chain.
In that world, suppliers aren’t just claiming they’re secure – they’re proving it. Proof, not promises, is what will finally build resilience into the supply chain.
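As an added illustration of the continuous verification the article describes (example code, not ThreatAware's product or anything from the original piece), the following evaluates live endpoint evidence per control and refuses to issue a "pass" when evidence is stale, so the verdict reflects what is true now rather than at the last audit. The field names on the device record are hypothetical and stand in for whatever an endpoint agent actually reports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Evidence older than this is treated as unknown, never as passing.
MAX_EVIDENCE_AGE = timedelta(hours=24)
# Days since the last security update before a device counts as unpatched.
MAX_PATCH_AGE_DAYS = 14

@dataclass
class DeviceEvidence:
    host: str
    reported_at: datetime   # last agent check-in (hypothetical field)
    mfa_enforced: bool
    disk_encrypted: bool
    edr_running: bool
    days_since_patch: int

def evaluate_device(d: DeviceEvidence, now: datetime) -> dict:
    """Per-control result: True/False, or None when the evidence is stale."""
    if now - d.reported_at > MAX_EVIDENCE_AGE:
        return {"mfa": None, "encryption": None, "edr": None, "patching": None}
    return {
        "mfa": d.mfa_enforced,
        "encryption": d.disk_encrypted,
        "edr": d.edr_running,
        "patching": d.days_since_patch <= MAX_PATCH_AGE_DAYS,
    }

def attest(devices, now):
    """Aggregate live evidence into a verdict. Stale evidence and failing
    controls both block a pass: silence from an endpoint is not proof."""
    failing, stale = [], []
    for d in devices:
        res = evaluate_device(d, now)
        if None in res.values():
            stale.append(d.host)
        elif not all(res.values()):
            failing.append(d.host)
    verdict = "pass" if not failing and not stale else "fail"
    return {"verdict": verdict, "failing": failing, "stale": stale,
            "evaluated_at": now.isoformat()}

# Constructed sample telemetry for the demonstration (not real data).
NOW = datetime(2025, 12, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    DeviceEvidence("fin-laptop-01", NOW - timedelta(hours=1), True, True, True, 3),
    DeviceEvidence("hr-laptop-07", NOW - timedelta(hours=2), True, False, True, 40),
    DeviceEvidence("srv-backup-02", NOW - timedelta(days=9), True, True, True, 1),
]
if __name__ == "__main__":
    print(attest(SAMPLE, NOW))
```

In a real deployment the verdict would be re-issued on every telemetry refresh and shared with the client, which is what turns a static certificate into a living one.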
Changing the culture of third-party assurance
Technology alone won’t fix the supply chain problem, and a change in mindset is also needed. Too many boards are still distracted by the next big security trend, while overlooking the basics that actually reduce breaches.
Breach prevention needs to be measured, reported and prioritized just like any other business KPI. If a supplier can’t demonstrate that its defenses are in place and working, that should be treated as a performance failure, not a technical issue.
For years, cybersecurity has been treated as a compliance task — something to pass once and revisit later. That culture has to end. The future of assurance lies in continuous accountability, where every organization in the chain can prove that it’s secure.
Proving trust, not assuming it
Every organization's security is defined by the strength of its weakest link, and in many cases that will be a third-party connection. Attackers already understand that, even if many businesses don’t.
Self-attested audits and static certificates no longer reflect the reality of how fast threats evolve. The only way to build real resilience is to move from assumption to evidence — from trust to proof. Continuous, data-driven verification must become the new standard for supply-chain security.
Until we can prove, in real time, that our partners are as secure as we believe them to be, the supply chain will remain the easiest way for attackers to walk straight through the front door.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro