By its very nature, the supply chain is especially vulnerable to cyber attack, says Zac Rogers, assistant professor of supply chain management at Colorado State University.
Should cybersecurity be considered essential to the supply chain? “Absolutely,” says Rogers. Approximately two-thirds of all cyber attacks now come through the supply chain, he adds. Large, data-rich companies tend to have the resources to fend them off, but they’re highly vulnerable when it comes to the huge number of subcontractors that serve them. Rogers cites the 2013 attack on Target, in which hackers got access to the retailer’s customer credit-card data through a heating and air-conditioning service. Target ended up paying out a settlement of $18.5 million.
Ten years ago, around 20% of cyber attacks came through companies’ supply chain partners; that number is now around 65%, Rogers says. Hackers are targeting entities with weaker defenses in order to get access to larger businesses.
Research has shown that attacks that come through a supply chain partner are more frequent and have a greater impact on an organization’s operations and stock price. “Every time, it’s worse when it comes to the supply chain,” Rogers says, likening the situation to a homeowner failing to notice the fire in a neighbor’s home until it grows out of control.
From a business standpoint, a larger company is likely to pay more attention to the suppliers that account for the lion’s share of its profit. But when it comes to protecting a business against cyber attack, the opposite mindset should prevail. Each function needs to be segmented and protected with its own permissions and log-in requirements. “There’s no way to check every supplier,” says Rogers, “but if you build in security at the beginning, that’s where you can start to have some success.”