Published by Sophie Richter, Consultant, Governance, Risk & Compliance
Supply chain attacks are one of the fastest growing threats in cyber security, and most organisations aren’t aware of their exposure until it’s too late. This is the primary challenge of third party risk management (TPRM): the risks organisations inherit from their suppliers, vendors and service providers are real, growing, and largely invisible without a coordinated and deliberate effort to surface them.
Attackers have discovered the power of the supply chain
In today’s interconnected business landscape, organisations rarely operate in isolation. From cloud providers to managed services, third parties are critical enablers of key business outcomes. But with this reliance comes exposure: third parties bring their own third parties, creating an intricate web of dependencies. The result is a supply chain that extends well beyond what most security teams can see, let alone manage.
The numbers tell a clear story. The 2020 SolarWinds compromise reached roughly 18,000 customers who installed a trojanised Orion software update. In 2023, a vulnerability in MOVEit Transfer, a managed file transfer product, was mass-exploited, compromising hundreds of organisations across multiple countries. In Australia, the 2023 Latitude Financial breach exposed roughly 14 million customer records, with the attacker gaining entry using credentials obtained from a third party.
The pattern is consistent. Attackers target vendors and service providers as a route into networks that may be otherwise well defended. With fourth and fifth party dependencies now common, this exposure continues to widen.
The gaps organisations consistently leave open
Across our work, CyberCX sees the same TPRM pitfalls appear repeatedly:
- Incomplete visibility: Organisations often don’t have a clear and current picture of the third parties that access their systems, data or infrastructure, let alone those vendors’ own third parties.
- Overreliance on questionnaires: Self-reported assessments are limited by the reliability and accuracy of third party responses, often creating a false sense of assurance.
- Resource constraints: Security teams are being asked to assess more third parties with the same or fewer resources. Without a risk-based approach, efforts are often spread too thin.
Generic assessment tools can create a false sense of security
A common pitfall in TPRM is reaching for generic assessment tools that rate third parties on superficial data: domain reputation, certificate checks and basic questionnaire responses rarely capture the full picture. The output looks efficient, but the real risks posed by third parties are often overlooked, and attention is diverted away from what truly matters.
Meaningful risk assessment requires context: what data does the third party access? What systems do they connect to? What would a disruption or breach actually cost? The risk a third party poses can only be truly understood once you understand your own environment first.
What effective TPRM actually looks like
An effective TPRM capability isn’t just about compliance, it’s about building strong cyber resilience and ensuring partnerships enable, rather than undermine, key business objectives. Organisations best positioned to manage supply chain risks share a few characteristics:
- Shared risk language: TPRM spans procurement, legal, IT and the business. Effective programs translate risks into business impact, enabling the right people to act on them.
- Proportionate assessments: Third parties are tiered based on risk and criticality to the organisation, allowing efforts to be directed to where they matter most.
- Validation-first approach: The difference between a high-level and a comprehensive assessment is evidence validation – cross-checking what third parties claim they do against what they actually do.
- Continuous monitoring: Third party risk profiles don’t remain static. Good programs include ongoing monitoring and defined triggers for reassessment.
How CyberCX can help
At CyberCX, we help organisations build TPRM capabilities that are practical, proportionate and built to last. Our approach is tailored to your specific environment, regulatory obligations and risk appetite, not a generic template. Our services span:
- Supply chain advisory providing bespoke services designed to uplift supply chain risk management capabilities.
- Process development and uplift across various artefacts, including third party cyber risk management frameworks and third party security standards.
- Third party risk assessments to support identification and management of cyber security risks within a third party’s security posture.
At CyberCX, we see TPRM as an ongoing partnership to build lasting and resilient capabilities, rather than a once-off report. Interested in learning more? Contact our experts here.
