Supply chain attacks: When someone else’s weakness becomes yours


September 25, 2025

When a supplier is compromised, you don’t just inherit their weakness – you inherit their consequences.

According to ABN Amro, 1 in 5 Dutch organizations suffered harm from cyberattacks in 2024. Often these incidents did not start with a direct attack on the company itself but came in through suppliers and partners. A supply chain is only as strong as its weakest link, and in today's interconnected economy that link can expose thousands of organizations downstream.

But what actually are supply chain attacks?

At their core, supply chain attacks are a form of third-party risk. Instead of targeting you directly, attackers compromise one of your suppliers, vendors, or service providers, and use that position as a stepping stone into your environment.

A supply chain attack occurs when adversaries exploit the trust placed in third parties – software providers, managed service providers, logistics partners, or even hardware manufacturers – to gain unauthorized access or deliver malicious payloads.

Typical modes of compromise include:

  • Compromised vendor devices: laptops, service tools, or remote access accounts misused to get into your systems.
  • Software dependencies: malicious updates in open-source libraries.
  • Leaked supplier credentials: attackers log in “through the front door” of critical environments.
  • Third-party services: cloud platforms, managed providers, or outsourced IT breached upstream.
  • Phishing suppliers or maintainers: tricking those who manage systems or software to gain widespread access.

Recent news shows how supply chain attacks play out in practice. In 2021, a ransomware attack on logistics provider Bakker Logistiek left Albert Heijn stores without stock. In 2024, Russian hackers accessed sensitive police data by exploiting trusted third-party connections. And earlier this year, the "Shai-Hulud" worm spread through more than 100 npm packages, affecting Dutch businesses that relied on them.
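The "software dependencies" mode above is the one that can be checked mechanically from the build artefacts you already have. As an added example (not code from the original post or from Skuridat), the script below inventories the third-party packages in an npm lockfile and flags the three signals a reviewer would want to see first: an entry with no integrity hash (npm has nothing to verify the tarball against), an entry resolved from somewhere other than the registry you expect, and an entry for which npm will run an install script, which is the hook worm-style packages use to spread. The lockfile, its package names and the expected registry URL are constructed for the example.

```python
"""Inventory the third-party packages in an npm lockfile and flag risk signals.

Added example, not code from the original post or from Skuridat. It reads
npm's package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map
keyed by install path) and reports per package whether the entry has an
integrity hash, whether it was resolved from somewhere other than the expected
registry, and whether npm would run an install script for it. The lockfile
below is constructed for the example; its package names are invented.
"""
import json
from dataclasses import dataclass, field

# Assumption: this is the only source your build is allowed to pull from.
EXPECTED_REGISTRY = "https://registry.npmjs.org/"


@dataclass
class Finding:
    name: str
    version: str
    flags: list[str] = field(default_factory=list)


def audit_lockfile(lock_text: str, registry: str = EXPECTED_REGISTRY) -> list[Finding]:
    """Return one Finding per installed package; an empty flag list means clean."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with a current npm")
    findings: list[Finding] = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        finding = Finding(name=name, version=entry.get("version", "?"))
        if not entry.get("integrity"):
            # Nothing for npm to verify the downloaded tarball against.
            finding.flags.append("no-integrity")
        if not entry.get("resolved", "").startswith(registry):
            # Git URLs, plain HTTP tarballs, or a mirror you did not vet.
            finding.flags.append("non-registry-source")
        if entry.get("hasInstallScript"):
            # preinstall/install/postinstall runs arbitrary code at install time,
            # which is how worm-style packages propagate.
            finding.flags.append("install-script")
        findings.append(finding)
    return findings


def flagged(findings: list[Finding]) -> dict[str, list[str]]:
    """Map package name -> flags, for only the packages that have any."""
    return {f.name: f.flags for f in findings if f.flags}


# Constructed lockfile: three dependencies, two of which deserve a closer look.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/pad-helper": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/pad-helper/-/pad-helper-1.3.0.tgz",
            "integrity": "sha512-constructedHashForTheExample",
        },
        "node_modules/color-tools": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/color-tools/-/color-tools-2.0.1.tgz",
            "integrity": "sha512-constructedHashForTheExample",
            "hasInstallScript": True,
        },
        "node_modules/internal-lib": {
            "version": "0.4.2",
            "resolved": "git+https://git.example.com/internal-lib.git#0123abcd",
        },
    },
})

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        status = ", ".join(f.flags) if f.flags else "ok"
        print(f"{f.name}@{f.version}: {status}")
```

Run it against a real project with `audit_lockfile(open("package-lock.json").read())`. The install-script flag is a review trigger, not proof of compromise: plenty of legitimate packages build native code at install time. It becomes a control when CI installs with `npm ci --ignore-scripts` and the few packages that genuinely need a build step are allowlisted explicitly, so a newly published version cannot quietly gain a postinstall hook.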

Why this has suddenly become such a topic

Supply chain and third-party risks have become a central theme in both cybersecurity strategies and regulation. At one of the Netherlands' biggest industry events, Cybersec Netherlands, many speakers stressed that resilience across the supply chain is not optional but a requirement.

That is partly due to shifts in the regulatory landscape. The NIS2 Directive, which comes into effect between 2024 and 2026, explicitly obliges organizations in critical sectors to demonstrate control over their suppliers and partners. Similarly, the latest edition of ISO/IEC 27001 (2022) underscores the importance of supplier relationships, with updated controls requiring structured management of third-party risks, including a control dedicated to ICT supply chain security.

The core message is clear: organizations can no longer afford to simply trust that their suppliers are secure. Without monitoring and accountability, regulators and attackers alike will expose the gaps.

And it’s affecting enterprises and SMEs alike

Supply chain attacks are often framed as an “enterprise problem.” Large organizations do face the most immediate risks: reputational damage, regulatory fines, and costly disruption if they fail to secure their vast ecosystems of suppliers and partners. For them, resilience in the supply chain is not just good practice – it’s a board-level obligation.

But the impact doesn’t stop at the top. SMEs are increasingly drawn into the spotlight, not because they are directly targeted at the same scale, but because their enterprise clients demand assurances. Larger organizations no longer want to carry the risk of weaker partners, which means SMEs now have to demonstrate that they too can withstand and recover from incidents. In practice, this means proving resilience in tenders, contract negotiations, and ongoing vendor assessments.

What was once a challenge mainly for multinationals has now become an expectation for smaller businesses as well: if you want to stay in the supply chain, you have to show you’re not the weakest link.

So how do you strengthen the chain?

So how do you begin tackling supply chain risk without overwhelming your teams? A structured approach helps.

Signs of trouble in your supply chain

  • Unexplained system anomalies or downtime traced back to a third party.
  • Breaches disclosed by suppliers that may impact your data.
  • Unmonitored connections from vendors into your network.
  • Lack of evidence that suppliers patch vulnerabilities in a timely manner.

Actions to take

  • Map your dependencies: create and maintain an inventory of suppliers, service providers, and partners that touch your critical processes or data.
  • Segment and restrict access: apply the principle of least privilege to supplier connections.
  • Demand transparency: ask vendors to share their security certifications, audit results, or policies.
  • Monitor continuously: don’t rely on annual questionnaires. Use tools that monitor exposures and leaked credentials in real time.
  • Rehearse scenarios: treat supply chain attacks like any other incident. Run tabletop exercises to test response plans.
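The first three actions above, and the "unmonitored connections from vendors" warning sign, come together in one small piece of detection logic: once you have an inventory of supplier accounts with the networks they agreed to connect from and their maintenance windows, every successful remote login can be checked against it. The script below is an added example (not code from the original post or from Skuridat) of that check run over a handful of constructed log lines; the log format, account names, supplier networks and windows are all invented for the example.

```python
"""Check supplier remote-access logins against a per-supplier access policy.

Added example, not code from the original post or from Skuridat. Each supplier
account in the inventory gets the source networks it agreed to connect from
and a maintenance window; every successful login from a source outside that
allowlist, outside that window, or from an account that is not in the
inventory at all, is flagged. The log format, account names, networks and
windows are all constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time, timezone


@dataclass(frozen=True)
class VendorPolicy:
    supplier: str
    networks: tuple[str, ...]   # CIDRs the supplier agreed to connect from
    window: tuple[time, time]   # maintenance window in UTC (start, end), not crossing midnight


# Assumption: the supplier inventory from your dependency map feeds this table.
POLICIES = {
    "svc-hvacvendor": VendorPolicy("HVAC Maintenance BV", ("203.0.113.0/24",), (time(8), time(18))),
    "svc-erpsupport": VendorPolicy("ERP Support Ltd", ("198.51.100.0/28",), (time(9), time(17))),
}

# Constructed line format: "<ISO-8601 UTC> auth user=<account> src=<ip> result=<success|failure>"
LINE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def check_login(user: str, src: str, ts: datetime, policies=POLICIES) -> list[str]:
    """Return the policy violations for one successful login (empty list = within policy)."""
    policy = policies.get(user)
    if policy is None:
        # An account we cannot tie to a supplier: offboarded vendor, or never inventoried.
        return ["unknown-vendor-account"]
    flags = []
    addr = ipaddress.ip_address(src)
    if not any(addr in ipaddress.ip_network(net) for net in policy.networks):
        flags.append("source-not-allowlisted")
    start, end = policy.window
    if not start <= ts.astimezone(timezone.utc).time() <= end:
        flags.append("outside-maintenance-window")
    return flags


def audit_log(lines, policies=POLICIES):
    """Return (user, src, timestamp, flags) for every successful login that breaks policy."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["result"] != "success":
            continue  # failed attempts belong to a separate brute-force detection
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        flags = check_login(m["user"], m["src"], ts, policies)
        if flags:
            findings.append((m["user"], m["src"], m["ts"], flags))
    return findings


# Constructed log: one clean login, two that break policy, one failure, one stray account.
SAMPLE_LOG = """\
2025-09-24T10:02:11Z auth user=svc-hvacvendor src=203.0.113.17 result=success
2025-09-24T02:13:55Z auth user=svc-hvacvendor src=203.0.113.17 result=success
2025-09-24T11:40:03Z auth user=svc-erpsupport src=192.0.2.44 result=success
2025-09-24T11:41:19Z auth user=svc-erpsupport src=192.0.2.44 result=failure
2025-09-24T12:05:00Z auth user=svc-oldvendor src=198.51.100.9 result=success
""".splitlines()

if __name__ == "__main__":
    for user, src, ts, flags in audit_log(SAMPLE_LOG):
        print(f"{ts} {user} from {src}: {', '.join(flags)}")
```

The "unknown-vendor-account" case is the one that most often goes unnoticed: a supplier account that outlived the contract is exactly the leaked-credential front door described earlier, and it only shows up if the inventory, not the identity provider, is the source of truth for who is allowed in.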

We can definitely help you out though

Managing third-party risk is not a one-time exercise. Strengthening the chain requires ongoing collaboration with suppliers and a balance of trust and verification.
At Skuridat, we help organizations build that strength. Through consultancy, we work with you to identify critical dependencies, assess third-party risks, and align practices with frameworks such as ISO 27001 and NIS2. Alongside that expertise, our software platform continuously monitors for exposed assets, leaked credentials, and signs of compromise across your suppliers – delivering visibility where contracts and questionnaires fall short.

  • Ready to strengthen your supply chain? Reach out at skuridat.com – we’re here to help.

Securing digital assets against an ever-expanding threat horizon.


We research emerging security topics to stay ahead of evolving threats and inform our solutions.