Your Suppliers Are a Massive Cyber Risk (And You're Probably Letting Them In the Front Door)
Let’s get one thing out of the way. You can have the best security in the world. You can have MFA on everything, antivirus that costs more than your office chairs, and a team who’ve finally stopped writing passwords on sticky notes. Gold star for effort.
But none of that matters if Trevor at your outsourced payroll company is still logging into your systems using “Password123”.
Welcome to supply chain risk. It’s like inviting someone round for tea, then discovering they’ve been rooting through your fridge, your files, and your bedroom drawers while you weren’t looking. And worse, you gave them the key. Cheerfully.
Now, I get it. No one thinks their suppliers are a problem. You’ve done your due diligence. They had a website. There was a logo. Maybe even a case study. They seemed “trustworthy”. You had a good feeling. But here’s the thing — cybercriminals love your suppliers. Because while you’ve been tightening up your own defences, they’ve been quietly sneaking in through the side door marked “trusted third-party access”.
You know what’s more efficient than trying to hack into your systems directly? Finding someone you trust who already has access and compromising them instead. And let’s be honest, most businesses don’t have the faintest idea how many people have access to their stuff. Or what those people can actually do once they’re in.
Think about it. Can you name every third party that has access to your network, systems, data or client records? Can you explain what access they have? Have you ever actually asked them how they handle security? Or have you just crossed your fingers and hoped for the best?
Let me guess: you’re starting to feel slightly uneasy now.
And you should. Because this isn’t hypothetical. This happens. All the time. Every year some supplier of something you’ve barely thought about gets hacked, and suddenly hundreds or thousands of their clients are dragged into the mess. Remember SolarWinds? That wasn’t a mum-and-dad IT shop with a dodgy firewall. That was enterprise-grade software, trusted by governments and big business alike. One compromise, and boom — global carnage. MOVEit? Same again. Just a file transfer tool. Nobody thought to ask if it was patched properly, until it wasn’t, and everyone’s data was up for grabs.
But sure, trust your web developer’s nephew with access to your production server. What could go wrong?
The real problem here is that we’ve normalised blind trust in suppliers. We assume that if someone’s in business, they must know what they’re doing. We assume that they’re taking security seriously. We assume they’d tell us if something went wrong. We assume all sorts of things. But assumptions don’t stop breaches. Audits do. Contracts do. Asking awkward questions does.
The awkward truth is most businesses don’t want to rock the boat. They don’t want to ask the awkward questions because it feels impolite. It feels like you’re accusing someone. And maybe it’ll sour the relationship. But I’d argue that if asking someone whether they use two-factor authentication “feels a bit much”, they probably shouldn’t be anywhere near your systems in the first place.
Still with me? Good. Let’s carry on.
You need to get brutally honest about who has access to your environment. That includes your IT support, your HR software vendor, your payroll processor, your outsourced marketing team, and the bloke who set up your Wi-Fi five years ago and still has a login for some reason. Go find out what they can do. Figure out whether they actually need that level of access. And then ask what controls they’ve got in place to protect it.
Not in vague “oh yes we take security very seriously” terms. Proper evidence. Certifications. Logs. Screenshots. Something that shows they’re not just winging it on the back of a free antivirus trial.
And if they get defensive? If they make it awkward? If they say, “You’re the first client who’s ever asked us this”? Fantastic. Now you’ve learned something useful. Because you’re not just looking for suppliers who are secure. You’re looking for suppliers who aren’t offended when you ask them to prove it.
Then there are the contracts. If your supplier handles data or has system access and your contract doesn’t mention security once, you’ve basically just handed them the keys and said “please try not to burn the place down”. You need proper terms. Actual security clauses. Consequences if things go wrong. And, crucially, the right to revoke access if they don’t meet your standards.
I know, I know — contracts are boring. But you know what’s worse? Having no legal leg to stand on when your supplier loses 20,000 customer records and says, “Well, you never told us not to store it all in Dropbox.”
And let’s not forget offboarding. When you stop working with someone, you need to cut access. Immediately. No “we might work together again one day”, no “just leave it for now”. Yank it. Change the passwords. Remove the accounts. Wipe the permissions. Suppliers hang around like ghosts if you let them. And ghosts don’t follow your security policies.
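The access review the last few paragraphs call for (list every third-party account, check its role against what the contract actually justifies, and cut access the moment a relationship ends or an account goes quiet) can be done mechanically once you have a supplier register. The script below is an added illustration, not code from the original post; the account export, supplier names and register entries are all constructed sample data.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export of third-party accounts (the sort of list an
# identity provider or admin console can dump). Not real data.
ACCOUNTS_CSV = """user,supplier,role,last_login
trevor@payroll.example,Payroll Co,admin,2025-06-02
support@itmsp.example,IT Support MSP,admin,2025-06-10
dave@wifi-install.example,WiFi Installer,admin,2020-03-15
hr-sync@hrsaas.example,HR Software,read,2025-06-11
nephew@webdev.example,,admin,2025-05-30
"""

# Constructed supplier register: is the contract live, and which roles does
# the contract actually justify? Anything missing here is an unknown relationship.
SUPPLIER_REGISTER = {
    "Payroll Co":     {"active": True,  "approved_roles": {"read"}},
    "IT Support MSP": {"active": True,  "approved_roles": {"admin"}},
    "WiFi Installer": {"active": False, "approved_roles": set()},
    "HR Software":    {"active": True,  "approved_roles": {"read"}},
}

REVIEW_DATE = date(2025, 6, 12)  # constructed "today" for the sample run


def review_supplier_access(accounts_csv, register, today, stale_after=timedelta(days=90)):
    """Reconcile third-party accounts against the supplier register.

    Returns {user: [finding, ...]} for every account needing action:
      unknown_supplier - nobody can say which contract this account belongs to
      offboard         - the relationship has ended but the login still exists
      excess_privilege - the role exceeds what the contract justifies
      stale            - unused for longer than stale_after (a ghost account)
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        problems = []
        entry = register.get(row["supplier"])
        if entry is None:
            problems.append("unknown_supplier")
        elif not entry["active"]:
            problems.append("offboard")
        elif row["role"] not in entry["approved_roles"]:
            problems.append("excess_privilege")
        if today - date.fromisoformat(row["last_login"]) > stale_after:
            problems.append("stale")
        if problems:
            findings[row["user"]] = problems
    return findings
```

Run `review_supplier_access(ACCOUNTS_CSV, SUPPLIER_REGISTER, REVIEW_DATE)` and every account that comes back is one to question, downgrade or delete; the ones that do not appear are the only logins the register can actually vouch for.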
Look, I get that this all sounds like a bit of a faff. It is. But you know what’s more hassle? Explaining to your customers why their data got breached via an integration you forgot existed with a supplier you haven’t spoken to in three years.
Supply chain attacks aren’t going away. They’re getting slicker, smarter, and nastier. Your supplier might not be the direct target, but if they’re the easiest way into your systems, then they’ve just made you the target by proxy.
And the most painful part? These breaches are preventable. With a little due diligence. A few hard questions. A sprinkle of suspicion. And some very firm boundaries.
So stop trusting everyone. Stop assuming good intentions mean good security. Start treating supplier access like it’s a privilege, not a default setting. Because next time someone else’s breach becomes your incident, it won’t matter whose fault it was. You’ll still be the one doing the damage control.
You wouldn’t let a stranger borrow your car just because they smiled nicely. So why are you handing out access to your systems like it’s a bloody raffle?
Get it sorted.
| Source | Description |
|---|---|
| The Hacker News | Overview of cyber supply chain risks and why businesses need to act |
| SolarWinds Attack (CISA) | US Government briefing on the SolarWinds compromise and its impact |
| MOVEit Vulnerability (BBC News) | Coverage of the MOVEit breach affecting UK councils and businesses |
| Kaseya Ransomware Attack (BBC News) | Analysis of how a supply chain attack hit hundreds of businesses |
| NCSC Guidance | UK Government advice on managing supply chain cyber security |