Every serious cyber incident in the last few years has reinforced the same lesson: your security posture is only as strong as your weakest supplier. MOVEit, SolarWinds, Okta, and countless smaller incidents have shown that attackers increasingly target the supply chain because it works. Compromise one provider and you get access to hundreds of organisations at once.
Despite this, most organisations still treat third-party risk management as a procurement exercise. A questionnaire gets sent out during onboarding. The supplier ticks the right boxes. The contract includes a security clause. And then nobody looks at it again until something goes wrong.
The standard approach to supplier assessment - sending a spreadsheet of security questions and accepting self-reported answers - provides almost no meaningful assurance. We have reviewed supplier questionnaire responses where the vendor claimed ISO 27001 certification they did not hold, described security controls that existed in policy but not in practice, and provided answers that were clearly copied from a template without any relevance to their actual environment.
This is not necessarily malicious. Suppliers are busy, questionnaires are tedious, and the people filling them in are often not the people running security. The result is a false sense of assurance that looks good in a governance report but does not reflect real risk.
Meaningful supplier assurance requires evidence. Not policies - evidence. Configuration screenshots, access control lists, incident response records, business continuity test results. The depth should be proportionate to how critical the supplier is, but for your most important third parties, a questionnaire alone is not enough.
One of the most underappreciated risks in modern enterprises is concentration. How many of your critical services depend on a single cloud provider? What happens if your managed service partner has an outage? How many of your suppliers use the same underlying platform?
We have worked with organisations that discovered during assessment that four of their five most critical suppliers all depended on the same cloud infrastructure. A single provider outage would have taken down most of their business operations simultaneously. Nobody had mapped the dependency chain far enough to see it.
DORA and PRA SS2/21 are both pushing firms to address concentration risk, but this is not just a regulatory issue. It is a business continuity issue. If you do not know where your single points of failure are, you cannot plan for them.
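The dependency mapping described above can be done as a small graph walk. The following is an added example, not code from the original article or any firm it describes; the supplier and provider names are constructed placeholders, and the dependency map is an assumption about how an organisation might record "who depends on whom". It follows each critical supplier's dependency chain to the end and reports which upstream provider the most critical suppliers share, alongside the first-hop view that misses it.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not from the article): each supplier
# maps to the providers it directly depends on, including suppliers' own suppliers.
DEPENDENCIES = {
    "payments-gateway": ["cloud-a", "dns-x"],
    "crm-saas": ["hosting-b"],
    "hosting-b": ["cloud-a"],
    "msp": ["cloud-a", "idp-y"],
    "payroll": ["hosting-c"],
    "hosting-c": ["cloud-a"],
    "file-transfer": ["cloud-z"],
}

# The five suppliers whose failure would cause serious disruption.
CRITICAL = ["payments-gateway", "crm-saas", "msp", "payroll", "file-transfer"]


def transitive_deps(supplier, deps, seen=None):
    """Return every provider reachable from supplier, following the chain to the end.
    The seen-set also guards against cycles in a badly recorded dependency map."""
    if seen is None:
        seen = set()
    for provider in deps.get(supplier, []):
        if provider not in seen:
            seen.add(provider)
            transitive_deps(provider, deps, seen)
    return seen


def concentration(critical, deps, transitive=True):
    """Map each upstream provider to the critical suppliers that rely on it.
    transitive=True walks the full chain; transitive=False only looks one hop deep,
    which is the shallow view that hides shared infrastructure."""
    exposure = defaultdict(set)
    for supplier in critical:
        providers = transitive_deps(supplier, deps) if transitive else deps.get(supplier, [])
        for provider in providers:
            exposure[provider].add(supplier)
    # Biggest single point of failure first.
    return sorted(exposure.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for label, transitive in (("first hop only", False), ("full chain", True)):
        print(f"--- {label} ---")
        for provider, dependents in concentration(CRITICAL, DEPENDENCIES, transitive):
            print(f"{provider}: {len(dependents)}/{len(CRITICAL)} critical suppliers -> {sorted(dependents)}")
```

On the constructed data the first-hop view shows cloud-a behind only two critical suppliers, while the full chain shows it behind four of five, the kind of hidden concentration the article describes.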
Managed service providers deserve special attention. They typically have broad access to your environment - often more access than your own staff. They manage your endpoints, your cloud infrastructure, your identity platform, and sometimes your security tools. If they are compromised, the attacker inherits their access.
We have assessed MSP relationships where the provider had standing admin access to the client's Azure tenant, no MFA on their service accounts, and no contractual obligation to notify the client of a security incident within any defined timeframe. This is not unusual. It is the norm in many mid-market MSP relationships.
If your MSP has more access to your environment than your own security team can monitor, that is a risk that needs addressing now, not at the next contract renewal.
Identify your critical suppliers - not all of them, just the ones whose failure would cause serious disruption. For most organisations, this is between five and fifteen providers. Then ask yourself three questions about each one: do you have evidence of their security controls beyond a self-assessment, do you know who they depend on, and do you have a plan for what happens if they fail? If the answer to any of those is no, you have work to do.