• Why supply chains are the weakest link in today's cyber defenses

    From TechnologyDaily@1337:1/100 to All on Tuesday, December 02, 2025 15:30:09
    Why supply chains are the weakest link in today's cyber defenses

    Date:
    Tue, 02 Dec 2025 15:26:35 +0000

    Description:
    Supply chain security remains one of the most fragile and underestimated aspects of cyber security.

    FULL STORY ======================================================================

    Despite years of warnings, supply-chain risk remains one of the most fragile and underestimated aspects of cybersecurity.

    Many of this year's most disruptive and high-profile cyber incidents shared
    one key factor: the attacker's route into the target company was through a third-party provider.

    A fundamental truth of cybersecurity is that you can't control what you can't see, and that risk multiplies when it stems from an external third-party provider, supplier or partner within your supply chain rather than from inside the network.

    Yet many organizations still rely on self-assessed questionnaires and
    outdated compliance certificates as proof of safety.

    Until organizations can verify the security of every partner in real time, they'll continue to depend on assumptions rather than assurance, and that's a dangerous position when attackers already understand the weak points in your supply chain better than you do.

    Why do supply-chain attacks keep happening?

    One of the key reasons is that attackers want to make the best return on
    their efforts, and have learned that one of the easiest ways into a well-defended enterprise is through a partner. No thief would attempt to
    smash down the front door of a well-protected building if they could steal a key and slip in through the back.

    There's also the advantage of scale: one company providing IT, HR, accounting or sales services to multiple customers may have fewer resources to protect itself, so that's the natural point of attack.

    Smaller suppliers, service providers and contractors often lack the budget
    and resources to implement the same level of protection as the larger organizations they support, yet they frequently hold privileged access to multiple environments.

    It's a widespread problem that needs a concerted effort to address, but the response has so far fallen short. Most supplier checks still revolve around spreadsheets, surveys, and certificates that are self-verified and static.

    Schemes like Cyber Essentials, ISO 27001 or SOC 2 offer structure, but they only confirm that good intentions were once there, and don't tell you what's true today.

    These schemes do have value, but they only ever offer a point-in-time snapshot. In reality, security posture changes daily. A certificate on a website tells you nothing about whether multi-factor authentication is enforced, devices are encrypted, or endpoints are patched.

    When the nature of cyber risks changes so quickly, yearly audits of suppliers can't provide the most accurate evidence of their security posture. The result is an ecosystem built on trust, where compliance often becomes more of a comfort blanket.

    Meanwhile, attackers are taking advantage of the lag between each audit
    cycle, moving far faster than the verification processes designed to stop them.

    Unless verification evolves into a continuous process, we'll keep trusting paperwork while breaches continue to spread through the supply chain. Every vendor relationship then becomes a blind spot waiting to be exploited. If you're not measuring the security of those connections constantly, you're not improving them.

    You can't secure what you can't see

    Even within a single organization, most security teams still struggle to see the full picture. Across countless environments I've reviewed, there are
    always devices, accounts or applications that have slipped through the
    cracks.

    In some cases, we find organizations discover as many as 30% more devices than they had thought existed. If we can't maintain complete visibility inside our own walls, it's unrealistic to think we can understand the security
    posture of hundreds of external partners.

    So, how do organizations start closing this visibility gap?

    What continuous verification looks like

    Every company, whether supplier or client, should be able to demonstrate its level of proactive defense in real time. That means verification that's continuous, data-driven and indisputable.

    Imagine a certificate that automatically refreshes using live data to show your current status, one that can't be faked because it's directly tied to the systems you're running and the defenses you have in place.

    Automation makes this achievable. Continuous monitoring can confirm whether controls like endpoint protection, MFA or patching are active and working. Shared dashboards between clients and suppliers could provide a transparent view of security health across the chain.
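    As an added illustration of the contrast drawn above, the following Python script is not code from the article or from any product it alludes to. It models a supplier's posture two ways: as a static certificate that stays "valid" for its whole term, and as a verdict computed from live control telemetry that only counts while it is fresh. The control names, the freshness and patch-lag thresholds, and the sample telemetry are assumptions constructed for the example.

```python
"""Point-in-time certificate vs. continuous, evidence-based verification.

Added example (not from the article). Control names, thresholds and the
sample telemetry below are constructed assumptions, not a real supplier.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: telemetry older than this is treated as unknown, not as passing.
MAX_EVIDENCE_AGE = timedelta(hours=24)
# Assumed policy: newest installed patch may be at most this old.
MAX_PATCH_LAG = timedelta(days=14)
# Assumed set of controls a client requires every supplier to prove.
REQUIRED_CONTROLS = ("mfa", "disk_encryption", "patching")


@dataclass(frozen=True)
class ControlEvidence:
    control: str          # which control the telemetry describes
    passing: bool         # what the system reported at observation time
    observed_at: datetime  # when the telemetry was collected


def certificate_valid(issued_at, valid_for, now):
    """Static model: a certificate is 'valid' for its whole term,
    whatever has changed on the supplier's systems since the audit."""
    return issued_at <= now < issued_at + valid_for


def patch_evidence(last_patch_at, observed_at):
    """Derive a patching control result from the newest installed patch."""
    lagging = observed_at - last_patch_at > MAX_PATCH_LAG
    return ControlEvidence("patching", not lagging, observed_at)


def evaluate_control(evidence, now):
    """Return 'pass', 'fail' or 'stale'. Stale evidence never passes."""
    if now - evidence.observed_at > MAX_EVIDENCE_AGE:
        return "stale"
    return "pass" if evidence.passing else "fail"


def supplier_verdict(evidence, required, now):
    """Live model: every required control needs fresh, passing evidence.

    Returns (verified, status) where status maps each required control to
    'pass', 'fail', 'stale' or 'missing'. When several observations exist for
    one control, only the most recent one is used.
    """
    latest = {}
    for ev in evidence:
        if ev.control in required:
            prev = latest.get(ev.control)
            if prev is None or ev.observed_at > prev.observed_at:
                latest[ev.control] = ev
    status = {
        control: evaluate_control(latest[control], now) if control in latest else "missing"
        for control in required
    }
    return all(s == "pass" for s in status.values()), status


# Constructed sample: a fixed "now", a certificate issued nine months earlier,
# and telemetry in which one control is fresh, one is stale and one fails.
NOW = datetime(2025, 12, 2, 15, 0, tzinfo=timezone.utc)
CERT_ISSUED = datetime(2025, 3, 1, tzinfo=timezone.utc)
CERT_VALID_FOR = timedelta(days=365)
SAMPLE_EVIDENCE = (
    ControlEvidence("mfa", True, NOW - timedelta(hours=1)),            # fresh, passing
    ControlEvidence("disk_encryption", True, NOW - timedelta(days=3)),  # passing but stale
    patch_evidence(NOW - timedelta(days=30), NOW - timedelta(hours=2)), # fresh, failing
)

if __name__ == "__main__":
    print("certificate still valid:", certificate_valid(CERT_ISSUED, CERT_VALID_FOR, NOW))
    verified, status = supplier_verdict(SAMPLE_EVIDENCE, REQUIRED_CONTROLS, NOW)
    print("continuously verified:", verified)
    for control, result in status.items():
        print(f"  {control:16} {result}")
```

    With the constructed sample the certificate reports valid while the live verdict is not verified: MFA passes, the disk-encryption reading is too old to count, and the patch lag fails outright. The design choice worth noting is that stale evidence is a distinct state rather than an implicit pass; a dashboard that silently kept showing the last green reading would reproduce the point-in-time problem the article describes.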

    In that world, suppliers aren't just claiming they're secure, they're proving
    it. Proof, not promises, is what will finally build resilience into the
    supply chain.

    Changing the culture of third-party assurance

    Technology alone won't fix the supply chain problem; a change in mindset
    is also needed. Too many boards are still distracted by the next big security trend, while overlooking the basics that actually reduce breaches.

    Breach prevention needs to be measured, reported and prioritized just like
    any other business KPI. If a supplier can't demonstrate that its defenses are in place and working, that should be treated as a performance failure, not a technical issue.

    For years, cybersecurity has been treated as a compliance task, something to pass once and revisit later. That culture has to end. The future of assurance lies in continuous accountability, where every organization in the chain can prove that it's secure.

    Proving trust, not assuming it

    Every organization's security is defined by the strength of its weakest link, and in many cases that will be a third-party connection. Attackers already understand that, even if many businesses don't.

    Self-attested audits and static certificates no longer reflect the reality of how fast threats evolve. The only way to build real resilience is to move
    from assumption to evidence, from trust to proof. Continuous, data-driven verification must become the new standard for supply-chain security.

    Until we can prove, in real time, that our partners are as secure as we believe them to be, the supply chain will remain the easiest way for
    attackers to walk straight through the front door.


    This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro



    ======================================================================
    Link to news story: https://www.techradar.com/pro/why-supply-chains-are-the-weakest-link-in-todays-cyber-defenses


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)