Your Security Is Only as Strong as Your Weakest Supplier
- Andrew Kirch
- Sep 28
- 4 min read

Companies often focus on their own defenses, but many of their greatest risks lie outside their walls.
Leaders must ask: Do you have a business continuity and recovery plan to continue operating for each critical supplier, if that supplier is breached and out of service for days or weeks? Do you know if your cybersecurity insurance covers operational losses from a third-party breach?
Supply Chain Disruptions: When the Flow of Goods Stops
Some suppliers are so critical that their failure cascades into entire industries. These are not hypotheticals—they have already happened.
Case Study: Maersk (2017)
The NotPetya malware crippled the global shipping giant Maersk for nearly two weeks. With cargo terminals shut down and shipping operations halted, companies around the world suddenly found goods stranded at ports. Even organizations with strong internal security were paralyzed because their logistics backbone was broken.
Disruption window: approximately two weeks of materially impacted operations before normal scheduling resumed.
Case Study: Colonial Pipeline (2021)
Ransomware forced the operator of the Colonial Pipeline to shut down distribution. Within days, gas shortages spread across the East Coast, airlines rerouted flights, and trucking firms scrambled for fuel. Thousands of businesses were disrupted, not because their systems were breached, but because a single supplier failed.
Disruption window: Full shutdown from May 7 to May 12, 2021 (about 5 days), with normal operations by May 15 and market normalization over the following several days.
Case Study: ArcelorMittal (2022)
Europe’s largest steelmaker, ArcelorMittal, suffered a cyberattack that disrupted production. Automakers, construction firms, and manufacturers across the continent felt the impact immediately. For companies dependent on timely steel deliveries, production schedules slipped, orders backlogged, and revenue took a hit.
Disruption window: The company did not publicly disclose a precise outage duration; reports at the time referenced operations impacted in some countries, with recovery underway soon after. The lack of disclosure is, in itself, a concern.
These examples show the fragility of modern supply chains. A single compromised supplier can halt operations across entire industries.
Business Process Interruption: When Critical Tools and Data Go Dark
Not all third-party risks involve physical goods. Many organizations depend on outside providers for essential business processes and trusted data handling. When those services are compromised, companies lose the ability to function and to protect proprietary information.
Case Study: Kronos Workforce Management (2021)
The Kronos workforce management system was disabled by ransomware, taking payroll and scheduling offline for weeks. Hospitals, manufacturers, and government agencies reverted to manual systems, delaying paychecks and disrupting staffing. The fallout wasn’t a direct breach of those organizations—it was the collapse of a service they relied on.
Disruption window: Mid-December 2021 to late January 2022 (about 5–6 weeks) for core capabilities to be restored, with many customers resuming normal use by February 1, 2022.
Case Study: Sisense (2024)
A breach at business intelligence vendor Sisense exposed sensitive customer data aggregated on its platform. For companies that entrusted trade secrets and analytics to Sisense, the damage was immediate: reputational harm, legal liability, and loss of trust. Even organizations with solid defenses were left vulnerable when their vendor failed to protect shared data.
Disruption window: Primary impact was data exposure rather than sustained platform downtime. Customers were urged within 24–72 hours to rotate keys and reset credentials; widespread multi-week outages were not reported.
Case Study: LastPass (2022–2023)
Attackers stole backups of customer vault data and exposed sensitive encrypted information. Even though LastPass itself continued operating, the trust that customers placed in the vendor was severely damaged. Organizations faced significant operational risk as they scrambled to rotate credentials and secrets stored in the service.
Disruption window: Months of follow-on impact as customers reset and replaced credentials, with reputational harm persisting far longer.
These cases highlight how a third-party breach can compromise your ability to operate, serve customers, and protect proprietary information.
Strategies for Managing Vendor and Supplier Risk
If your company relies on a vendor, you share in their risk. Practical steps reduce that exposure. Vendor risk assessments must go beyond paperwork and involve meaningful due diligence before signing contracts, including tough questions about security practices and incident response. Risk must be monitored continuously rather than treated as a one-time exercise.
Contracts and service level agreements should clearly define obligations for breach notification, outline expected security controls, and set accountability. Vendors should be contractually obligated to report a breach within a reasonable, specified timeframe so your company can act quickly to mitigate the impact. A common and comprehensive vendor risk assessment survey should be completed and reviewed annually by your cybersecurity team, and contracts should include penalties for any inaccuracies in the survey as well as an understanding of liability in the event of a breach. Your own company should be able to meet at least the same standard you expect of partners.
Organizations must also identify what confidential or regulated data is shared with each vendor. The Sisense breach underscored how damaging it can be when business intelligence platforms expose aggregated sensitive information. Knowing exactly what data is entrusted to a vendor, the regulatory requirements tied to that data, and the specific risks if it is exposed allows you to plan an appropriate response before a breach occurs.
Redundancy planning is equally important, as overreliance on a single provider can turn a minor disruption into a crisis. Finally, incident response integration is critical. Continuity exercises should simulate what happens if a supplier is offline for weeks and include vendor participation if possible.
Shifting the Mindset: From “My Security” to “Our Security”
Resilience is collective. Your business continuity depends on the resilience of your partners, suppliers, and service providers. Adopting this mindset means treating vendor risk as part of your own security program, not as a separate issue.
Conclusion
Your defenses are only as strong as your weakest supplier. Whether it’s a shipping company, a pipeline operator, or a payroll vendor, a breach in their systems can bring your operations to a standstill. The lesson is clear: evaluate your critical suppliers, develop recovery plans for their potential failures, and review your insurance coverage for third-party breaches. The cost of inaction is measured not just in downtime, but in the trust of your customers and the survival of your business.