The Blind Spot: Why Your Suppliers Are Your Biggest Risk
More than 80% of all successful cyber attacks use third parties as entry points. We show how real risk assessment works instead of questionnaires.
Trust in Third Parties is the Biggest Entry Point
In recent years, spectacular attacks like SolarWinds, Kaseya, or MOVEit have made one thing clear: the most dangerous vulnerability often lies not in your own infrastructure, but with the suppliers, service providers, and technology partners you trust daily. According to various industry analyses, between 60 and 80 percent of all successful cyber attacks on larger companies begin via a compromised third party.
The paradox: many companies have invested in their own security – firewalls, EDR solutions, penetration tests, security awareness training. But these measures end at the boundary of their own organization. What happens at a supplier remains in the dark.
Why Questionnaires and Self-Declarations Are Insufficient
The classic response to third-party risks is Vendor Risk Management (VRM) or Third-Party Risk Management (TPRM): a process where suppliers fill out questionnaires, submit certifications, and confirm in writing that they have implemented adequate security measures.
The problem: a questionnaire does not measure actual security. It measures what a supplier is willing to report about their security. Certifications like ISO 27001 or SOC 2 certify proper documentation and process design at the time of certification – but not dynamic threat resistance. By the next review, circumstances may have fundamentally changed.
From a liability perspective, this is particularly problematic: if an attack entered via a supplier whose questionnaire answers were impeccable, that is hardly a solid basis for a due diligence defense.
Technical Validation: What Is Actually Measurable
A sound assessment of a supplier's security level must be based on technical data, not self-declarations. What can actually be measured externally?
Exposed Attack Surface: Which systems, services, and ports are reachable from the internet? Which of them have known vulnerabilities? Is HTTPS configured correctly? Are the email security standards (SPF, DKIM, DMARC) in place?
Compromise Indicators: Do the supplier's IP addresses or domains appear in threat intelligence feeds? Are systems associated with known malware infrastructure? Have employee credentials of the supplier been exposed in data breaches?
Historical Security Incidents: Has the supplier concealed security incidents, or communicated them late, in the past? Are there known, unpatched CVEs in the technologies it uses?
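The email-authentication item in the list above is one of the few supplier checks that can be made fully measurable from public DNS alone. The following is an added example, not code from the original article or from any provider it refers to: it parses a domain's SPF and DMARC TXT records and turns them into findings a risk reviewer can act on (permissive `+all`, softfail-only SPF, more than the ten DNS lookups RFC 7208 allows, a missing or monitoring-only DMARC policy, no aggregate-report address). The DNS answers are constructed and embedded so the script runs offline; all domain names are hypothetical, and a real assessment would replace `lookup_txt` with a resolver query.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample DNS TXT answers keyed by query name. Every domain here is
# hypothetical; in a real check these come from a resolver (e.g. dnspython).
SAMPLE_TXT: Dict[str, List[str]] = {
    "supplier.example": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 ~all"],
    "_dmarc.supplier.example": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@supplier.example"],
    "legacy.example": ["v=spf1 +all"],
    "strong.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"],
    "silent.example": [],
}

# SPF mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")


def lookup_txt(name: str, records: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Stand-in for a DNS TXT query; returns the constructed answers for `name`."""
    return records.get(name, [])


def parse_spf(txt: str) -> Dict[str, object]:
    """Return the qualifier of the terminating 'all' term and the number of lookup-costing terms."""
    all_qualifier: Optional[str] = None
    lookups = 0
    for term in txt.split()[1:]:  # skip the "v=spf1" version tag
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body == "all":
            all_qualifier = qualifier
        elif body.startswith("redirect="):
            lookups += 1
        elif body.split(":")[0].split("/")[0] in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain: str, records: Dict[str, List[str]] = SAMPLE_TXT) -> Dict[str, object]:
    """Evaluate SPF and DMARC for `domain`; returns findings as (severity, message) and an overall rating."""
    findings: List[Tuple[str, str]] = []

    spf_records = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append(("high", "no SPF record: any host can send mail as this domain"))
    elif len(spf_records) > 1:
        findings.append(("high", "multiple SPF records: receivers treat this as a permanent error"))
    else:
        spf = parse_spf(spf_records[0])
        if spf["all"] == "+":
            findings.append(("high", "SPF ends in +all: every sender on the internet is authorized"))
        elif spf["all"] in (None, "?"):
            findings.append(("high", "SPF has no restrictive 'all' term: unauthorized senders are not failed"))
        elif spf["all"] == "~":
            findings.append(("medium", "SPF ends in ~all (softfail): spoofed mail is flagged, not rejected"))
        if spf["lookups"] > 10:
            findings.append(("high", f"SPF requires {spf['lookups']} DNS lookups (limit 10): evaluates to permerror"))

    dmarc_records = [r for r in lookup_txt(f"_dmarc.{domain}", records) if r.upper().startswith("V=DMARC1")]
    if not dmarc_records:
        findings.append(("high", "no DMARC record: SPF/DKIM results are never enforced"))
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append(("high", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(("medium", "DMARC p=quarantine: spoofed mail lands in spam instead of being rejected"))
        elif policy != "reject":
            findings.append(("high", f"DMARC policy '{policy}' is missing or invalid"))
        if "rua" not in tags:
            findings.append(("medium", "DMARC has no rua address: the supplier receives no aggregate reports"))

    severities = {sev for sev, _ in findings}
    rating = "weak" if "high" in severities else "partial" if "medium" in severities else "strong"
    return {"domain": domain, "rating": rating, "findings": findings}


if __name__ == "__main__":
    for name in ("strong.example", "supplier.example", "legacy.example", "silent.example"):
        result = assess_email_auth(name)
        print(f"{result['domain']}: {result['rating']}")
        for severity, message in result["findings"]:
            print(f"  [{severity}] {message}")
```

The rating is deliberately coarse: any "high" finding means the domain can be spoofed without consequence, which is the kind of evidence a questionnaire answer cannot contradict. DKIM is not checked here because its selector names are not discoverable from DNS alone; they have to be taken from a message header sent by the supplier.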
This data is available to specialized providers on a large scale and provides a technically sound picture of the actual risk level – regardless of what a supplier states in a questionnaire.
NIS2 and the Obligation for Supply Chain Security
NIS2 makes supply chain security mandatory: companies must implement and document adequate security measures for their supply chain. In a dispute, pointing to completed questionnaires is insufficient. A risk-based, technically sound supplier management with demonstrable results is expected.
Note: This article is for general information purposes and does not replace individual consulting.
Do you have concrete questions about your security situation?
We speak directly with you – no sales pressure, no standard presentation. Only relevant insights for your situation.