Recent data shows third-party and supply chain breaches — including software supply chain attacks — now cost an average of $4.91 million per incident, and take 267 days to resolve. This isn’t surprising, considering how vendor usage has evolved over the last several years. Many businesses manage sprawling networks of suppliers, each with their own technology partners, security protocols and potential vulnerabilities. A weakness in any part of this extended armor can expose an entire organization to devastating breaches. 

But there are actionable steps organizations can take to regain visibility over their supplier ecosystems and proactively manage related cyber risk.  

Overall, supply chain and procurement professionals should implement rigorous vetting criteria for supplier partners, in order to maintain oversight of what systems and software connect to their network. 

The first step is to ensure suppliers follow established cybersecurity standards, including from the National Institute of Standards and Technology (NIST), which defines best practices for governance, data protection and incident response. Organizations can use these frameworks as a baseline and adapt them to their specific needs, avoiding the need to craft vetting standards entirely from scratch. 

Next, companies should seek out transparent partners. It’s critical to work with suppliers who vet their own technology partners that will ultimately be incorporated into the organization’s network. A supplier might have strong internal security protocols, but if one of their third-party software vendors does not, the organization inherits that risk. Request documentation showing that suppliers have conducted thorough security assessments of their partners, and maintain ongoing monitoring of those relationships.

Further, you should apply the strictest vetting to suppliers with access to the most sensitive information. Risk-based prioritization ensures security resources focus on areas where breaches would cause the most damage, rather than where the organization spends the most money. While size and spend matter, organizations should weigh how essential to operations a supplier’s systems are, and the potential legal and reputational impact if the data they hold is compromised.

Another critical element is developing the ability to leverage data to inform decision-making. Traditional supply chain risk management follows a fixed schedule, relying on annual compliance audits and periodic assessments. But at the pace cyber events are occurring, relying on this alone is no longer sufficient.  

Advanced analytics platforms can track patterns such as login frequency, access requests, data transfers and system changes, in order to spot deviations from normal baselines. For instance, a sudden spike in after-hours access or downloads from unfamiliar IP addresses might flag potential compromise. These insights allow procurement teams to identify systematic weaknesses across their supplier base and allocate resources where the risk is greatest.

Artificial intelligence (AI) complements these insights. While real-time data provides descriptive and diagnostic insights, AI introduces predictive capabilities — learning from historical and real-time patterns to forecast where the next issue may occur.  Predictive models can identify suppliers most likely to experience breaches, based on their security posture, industry sector and detected threat patterns, helping procurement teams strengthen relationships with vulnerable suppliers before risks escalate.

Finally, an important step is to integrate IT and procurement teams. Historically, procurement has been treated as the final step in supplier selection. IT teams would evaluate and select technology solutions, then hand off chosen vendors to procurement teams with instructions to finalize contracts. The result often left procurement executing agreements with suppliers that had never been vetted, while IT teams made purchasing decisions without procurement's expertise in vendor management or contract risk mitigation. 

Effective supply chain risk management requires an all-hands-on-deck approach from the initial stages of supplier selection. Procurement and IT teams must align early on regarding their technology needs, security criteria and vetting standards, before engaging vendors. 

It’s best practice for IT and procurement teams to conduct joint due diligence, in order to verify that suppliers meet established guidelines. Both procurement and IT teams should meet directly with supplier cybersecurity leaders to assess program maturity, and to review incident response capabilities. Having these touchpoints not only strengthens vetting accuracy but also builds relationships with supplier security contacts who can be critical allies during an incident.

It can be helpful to embed cybersecurity standards directly into solicitation scopes and contract language. Consider replacing vague clauses like "reasonable security measures" with language drawn from standards-based cybersecurity frameworks. Clear, enforceable terms clarify expectations, and provide suppliers with a framework to meet security requirements. 

Shared accountability between procurement and IT gives teams clearly defined roles and complete visibility into the suppliers and technologies being introduced, ensuring everyone is aligned so that, if a breach occurs, the organization can respond quickly and effectively.  

Rigorous vetting criteria, continuous monitoring through data analytics, and cross-functional collaboration of supplier selection from the outset create a defensive infrastructure that evolves alongside emerging threats. 

The decentralized purchasing environment means procurement may not control every transaction, but with visibility and accountability, procurement, IT, and supply chain professionals can identify and address risks before they become incidents.

Richard McVay is senior director of the IT/Telecom vertical at OMNIA Partners.