# 2025 Security Summit: Experts to Illuminate Vendor Supply Chain Resilience
The vendor supply chain comprises a complex ecosystem of hundreds, if not thousands, of third-party suppliers, presenting significant cybersecurity challenges for organizations. Recent data indicates that an alarming 50% of breaches in the past year were attributable to third-party vulnerabilities. This statistic, highlighted in SecurityScorecard’s latest Threat Intelligence Report, underscores the urgent need for organizations to reassess their supply chain risk management practices.
Steve Cobb, Chief Information Security Officer (CISO) at SecurityScorecard, emphasized the gravity of the situation: “Nearly every organization we examined was connected to at least one vendor that had experienced a breach in the last two years.” Such incidents are not confined to specific sectors; even organizations with robust cybersecurity practices are susceptible. A prime example is Santander, which confirmed in 2024 that customer and employee data was compromised due to vulnerabilities in a third-party provider.
Further analysis by Orange Cyberdefense revealed that over 58% of large financial services firms in the UK faced at least one supply chain attack in 2024. In light of these developments, cybersecurity experts will gather at Infosecurity Europe 2025 to explore strategies for bolstering resilience against these types of threats and ensuring third-party partnerships do not expose organizations to risk.
Among the noteworthy sessions is a keynote titled “The Evolving Tactics of Supply Chain Attacks,” moderated by Dr. Emma Philpott, CEO of IASME. Experts including Hazel McPherson from 4Fox Security, Des Massicott of RX Global, and Adam Wedgbury of Bayer will discuss best practices for managing supply chain security.
Des Massicott mentioned the significant risks associated with third-party arrangements, particularly due to the often-limited visibility into vendors’ security postures. “Trust is frequently assumed rather than verified,” he stated. A vendor may pass an initial assessment, but their risk profile can change significantly without ongoing monitoring.
To mitigate third-party risks, organizations should implement rigorous risk assessments and monitoring, adopt extensive cybersecurity frameworks, and educate personnel on best practices in dealing with third-party suppliers. Massicott pointed out that many organizations still depend heavily on point-in-time assessments such as Standardized Information Gathering (SIG) questionnaires, which “establish a baseline” but fail to account for the dynamic nature of security postures.
Cobb further noted, “Annual checks on vendors are no longer sufficient.” He advocates for the use of real-time visibility tools that continuously monitor risk as it evolves, alongside a clear understanding of how breaches might impact the organization. Notably, companies that maintain continuous third-party risk management programs can identify and respond to threats 43% faster than those relying solely on periodic reviews.
The transition to Supply Chain Defense and Response (SCDR) strategies allows organizations to respond swiftly to incidents and coordinate effectively across departments. Massicott indicated that his team is increasingly leveraging tools like SecurityScorecard and RiskRecon to enhance their insights and move towards continuous assessment methodologies.
As discussions unfold at Infosecurity Europe 2025, Massicott plans to address the evolution of supply chain attacks, highlighting the shift from opportunistic to more targeted and stealthy operations that exploit trust relationships. He noted the importance of embedding security early in the procurement process, utilizing threat intelligence in vendor selection, and developing agile response plans geared towards resilience rather than reaction.
Such a commitment to proactive management of third-party risk is essential in an environment where cyber threats are continuously evolving.