Cyberattacks on companies’ supply chains are rising fast, and organisations are struggling to keep up. Sebastien Marchon, CEO of Rydoo, explores what the next phase of cybersecurity resilience looks like, highlighting the critical role of business leaders in taking greater ownership of their supplier ecosystem.
Third-party cyberattacks are unfortunately no longer a rarity. Whilst they were once a side issue that cropped up as an isolated anomaly, they’ve now become one of the most common and damaging ways organisations are breached.
More than a third of all cyber incidents in 2024 involved a supplier or external partner, underscoring how attackers increasingly go after the weakest link rather than a company’s well-defended core systems. In today’s interconnected digital environment, where every department relies on a stack of external technology vendors and SaaS tools, supply chain security is now a strategic business issue, and one that demands attention far beyond the IT department.
Supply-chain breaches are accelerating at a pace that should concern every executive team. Orange Cyberdefense found that 58% of UK financial-services institutions suffered at least one third-party attack in the past year, and nearly a quarter were hit three times or more. These aren’t small organisations with immature defences; they’re some of the best-resourced firms in the world, meaning even the most sophisticated companies are vulnerable if their suppliers are not equally robust.
AI-driven fraud is raising the stakes
The threat landscape isn’t just expanding, it’s rapidly evolving. The rise of AI-driven fraud, particularly deepfakes, has added an entirely new layer of complexity for finance and operations teams. Research shows that almost half of businesses have already encountered deepfake scams, while 85% of finance leaders view them as a growing existential risk.
Not only are they harder to detect, these AI-enabled scams can also be scaled far more easily than traditional attempts, making them all the more damaging. And if a company’s supplier falls for one of these scams due to a lack of rigour, governance or protocol, the company could find its own information and data in the hands of a hacker.
Holding suppliers accountable
The question every business leader should be asking isn’t if supply-chain risks will reach their organisation, but whether their suppliers are prepared. This is why stronger vendor due diligence is a necessity.
Alignment is key to minimising the risk of a third-party breach. Businesses must look for clear, specific green flags when selecting and reviewing suppliers. A dedicated security team or CISO-level oversight is a baseline expectation. Robust security certifications also provide further assurance that a supplier invests meaningfully in safeguarding data. Companies should demand transparency around incident-response processes, data-retention policies, access controls and vulnerability-disclosure practices to ensure that their supplier is as committed to cybersecurity as they are.
This is also where the regulatory landscape is shifting expectations. The EU Data Act, which seeks to create fair, transparent rules around how data is accessed and used, raises the bar for both companies and their suppliers. It demands clearer governance around how data moves between organisations and how it is protected throughout its lifecycle. For businesses, this means evaluating not just whether a vendor provides a useful service, but whether they can demonstrate compliant data-handling practices, as regulatory risks now travel through the supply chain too.
In this new environment, supplier-security reviews should carry the same weight as financial audits or legal due diligence. Business leaders need to worry about more than just avoiding breaches; the goal is building resilience in the areas where external dependencies are unavoidable.
C-suite accountability is essential
It’s easy to see why these attacks are rising. Today’s companies depend on dozens, sometimes hundreds, of external vendors, from payroll systems to procurement tools and expense-management software. A weakness in any one of these providers can open the door to a company-wide breach. A compromised supplier can expose sensitive data, disrupt operations, or even halt business continuity entirely. And as we’ve seen across industries, the financial and reputational fallout from such incidents can be severe and long-lasting.
As a result, the days when cyber risk could be neatly contained within the IT team are gone. Supply-chain vulnerabilities, AI-enabled fraud and evolving data-governance requirements mean that cybersecurity is now firmly a board-level issue, one that touches finance, operations, HR, procurement and beyond.
Strengthening cybersecurity alignment, demanding transparency and building accountable partnerships across the supply chain are now essential parts of responsible business leadership. Leaders who treat supplier security as a core part of strategic governance will be far better positioned to navigate the challenges ahead.