Michael Aminzade on mitigating digital risk across every link of the supply chain 

Amid companies of all sizes and purposes facing increasingly sophisticated cyberattacks the world over, prioritizing cybersecurity in-house is now a necessity. For those that rely on supply chains, however, security risks extend far beyond their own perimeter.

Between 2021 and 2023, research indicates a significant increase – approximately 431 percent – in cyberattacks targeting firms that rely on supply chains. What’s more concerning, however, is that there are no signs of these attacks slowing down.

Michael Aminzade, Vice President of Managed Compliance Services at VikingCloud

Supply chain companies are becoming increasingly aware that they need to be even more resilient in the face of cyberattacks that could bleed through to vendors and third parties. 

Why cybersecurity is a supply chain issue 

Supply chain cyberattacks are increasing in volume at dramatic rates, and attackers are using new and more sophisticated attack vectors to break into supply chain dependent firms. These attack vectors draw on generative AI, automation, DDoS attacks and phishing, the last of which relies on confidence tricks and human manipulation.

Supply chain firms, by their natural dependency on other organizations as part of their business model, are left open to attack: they inherently carry numerous risks and weak points, many of them outside their direct control. This is why it is important that these firms understand the risks that are within their direct control and have the correct and required safeguards and controls in place to manage and reduce them.

Some examples of areas to focus on include software weaknesses, internal misconfigurations and lapses in access control, limited oversight of supplier and partner activities, poor employee security training, and inadequate vetting of third-party vendors and their security processes. 

In many cases, companies can rely on penetration testing to tighten up their security postures. However, one of the weaknesses listed above requires additional planning and insight.

The weakest link: third-party and vendor risks 

Regardless of how robust a company’s security posture may be, if it is reliant on or partnered with a third-party vendor or supplier that has abundant weak points, it remains at high risk. 

Following continued large-scale cyberattacks affecting major corporations, supply chain businesses are, more than ever, reconsidering how they vet and partner with third parties. After all, vendors may not necessarily follow the same cybersecurity practices, which can allow attackers to intercept sensitive data and find hidden routes into systems.

Crucially, all companies in supply chains must take greater care to vet the vendors they work with. That can mean holding them to the same standards you expect of internal operations, running regular risk assessments, and embedding certain security measures into contractual agreements. 

Regulatory pressure and compliance expectations 

Regardless of where companies are based, there will always be compliance and regulatory standards they need to follow. 

For example, companies dealing with suppliers and vendors in the EU will need to follow standards set by the General Data Protection Regulation (GDPR), which dictates how consumer data should be handled and processed, and how such measures are communicated to the public.

Failure to comply with the GDPR (and other regulations), even by partnering with a lax vendor, can lead to high fines and reputational damage. The EU has imposed fines totaling hundreds of millions of dollars upon multinational companies since the regulation debuted in 2018. 

The compliance overhead to operate within the EU has also been expanded by the Digital Operational Resilience Act (DORA) which became applicable earlier this year in January 2025. 

As such, regulators demand that supply chain companies adhere to stringent cybersecurity standards and transparent incident reporting, to continue operating and avoid penalties. 

Tools for threat detection and digital due diligence 

The tools supply chain companies use to detect cyber threats and perform due diligence vary from one to the next. However, many will use the following classes of tool as part of a robust cybersecurity policy:

Intrusion Detection and Prevention Systems (IDS/IPS), which monitor networks for suspicious activity, protecting endpoints from malicious code and direct attacks 

Third-party risk management systems, which are designed to continuously monitor third-party vendor security practices and to alert central users to potential risks and weaknesses 

Threat intelligence platforms, which offer guidance on the latest security risks and on how a user company’s posture matches up against said threats 

Mapping solutions, which offer companies a top-down view into supply chain interconnections, supporting a better-informed understanding of which vendors are likely to impact individual security 
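The mapping and third-party risk management tools described above all answer the same question: which suppliers, including the suppliers behind your suppliers, can reach which of your critical systems, and where is the weakest link on that path. The following Python script is an added illustration of that idea, not code from the original article or from VikingCloud. Every vendor name, dependency, system name and assessment rating in it is constructed sample data; a real deployment would feed these structures from a vendor inventory and assessment records instead.

```python
"""Minimal supply chain mapping: build a dependency graph of vendors and
their sub-suppliers (fourth parties), record which internal systems each
contracted vendor can reach, and derive (a) every party that can reach a
critical system, (b) the lowest-rated party on that path, and (c) fourth
parties whose compromise would affect more than one critical system.
All data below is constructed for the example."""

from collections import deque

# Constructed sample: each vendor -> the vendors it in turn depends on.
VENDOR_DEPENDENCIES = {
    "payments-processor": ["cloud-host-a"],
    "hr-saas": ["cloud-host-a", "analytics-vendor"],
    "logistics-partner": ["gps-telematics"],
    "cloud-host-a": [],
    "analytics-vendor": [],
    "gps-telematics": ["cloud-host-b"],
    "cloud-host-b": [],
}

# Constructed sample: internal systems each directly contracted vendor may access.
VENDOR_ACCESS = {
    "payments-processor": {"cardholder-db"},
    "hr-saas": {"employee-records"},
    "logistics-partner": {"warehouse-api"},
}

# Constructed sample: which internal systems the business treats as critical.
CRITICAL_SYSTEMS = {"cardholder-db", "employee-records"}

# Constructed sample: most recent assessment rating per vendor (1 = poor, 5 = strong).
VENDOR_RATING = {
    "payments-processor": 4,
    "hr-saas": 3,
    "cloud-host-a": 5,
    "analytics-vendor": 2,
    "logistics-partner": 3,
    "gps-telematics": 2,
    "cloud-host-b": 4,
}


def upstream_suppliers(vendor, deps=VENDOR_DEPENDENCIES):
    """Return every supplier that `vendor` depends on, at any depth.

    Breadth-first traversal with a visited set, so cycles in the vendor
    graph (vendor A uses B, B uses A) terminate instead of looping."""
    seen = set()
    queue = deque(deps.get(vendor, []))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(deps.get(current, []))
    return seen


def exposure_map(access=VENDOR_ACCESS, deps=VENDOR_DEPENDENCIES,
                 critical=CRITICAL_SYSTEMS):
    """Map each critical system to the full set of parties that can reach it:
    the contracted vendor plus everything that vendor transitively relies on."""
    result = {system: set() for system in critical}
    for vendor, systems in access.items():
        reach = {vendor} | upstream_suppliers(vendor, deps)
        for system in systems & critical:
            result[system] |= reach
    return result


def weakest_link(system, ratings=VENDOR_RATING):
    """Lowest-rated party on any path into `system`; unrated parties score 0."""
    parties = exposure_map()[system]
    return min(parties, key=lambda party: ratings.get(party, 0))


def concentration_risks():
    """Parties that sit behind more than one critical system: a single
    compromise there would cascade across the chain."""
    counts = {}
    for parties in exposure_map().values():
        for party in parties:
            counts[party] = counts.get(party, 0) + 1
    return {party for party, n in counts.items() if n > 1}


if __name__ == "__main__":
    for system, parties in sorted(exposure_map().items()):
        print(f"{system}: reachable by {sorted(parties)}; "
              f"weakest link = {weakest_link(system)}")
    print("concentration risks:", sorted(concentration_risks()))
```

Two things the output shows that the raw vendor list does not: the lowest-rated party behind the employee records store is a fourth party (the analytics vendor) that has no contract with the business at all, and a single hosting provider sits behind both critical systems, so its assessment deserves more attention than its individual rating suggests.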

Embedding cybersecurity into culture 

Cybersecurity isn’t just a tick-box exercise that falls at the IT department’s door. It’s an ever-evolving practice that should be embedded into company culture, shared between parties and vendors to better fortify chains as threats become more sophisticated and aggressive. 

Evaluating the security consequences of adopting emerging technologies, and implementing suitable measures to safeguard against emerging threats, can help prevent the cybersecurity challenges associated with innovative technologies.

For example, simply promoting cybersecurity awareness and offering regular training at all levels of a business – and across all wings, from procurement to partner operations – is a must. 

Fostering a strong cybersecurity culture isn’t something that can be achieved overnight, but sewing in simple practices such as running risk assessments at every decision-making stage and adopting a zero-trust stance on all communications can be a useful first step in the right direction. 

Securing the chain from end to end 

A truly secure supply chain firm is one that looks carefully, even holistically, at how its data and operations may come under threat from all angles. That includes ensuring its own data handling practices are robust, while taking care to assess and eliminate risks posed by third parties. 

Supply chain firms must also take time to minimize cybersecurity risks by fostering more security-focused cultures, and to see protective and assessment measures as integral to the smooth functioning of the broader chain. 

Unfortunately, there is no outrunning cybersecurity threats at any point of a supply chain, but there are ways to minimize risk as much as possible.

www.vikingcloud.com  

Michael Aminzade  

With more than 26 years of experience in the cyber, information security, and compliance industries, Michael Aminzade is Vice President of Managed Compliance Services at VikingCloud. His experience covers the full spectrum, from internal information security, where he has been the CISO for a large global service provider, to running large global consulting teams.