GRC Pentesting Red Teaming

Why Supply Chain Security Can’t Wait: Ensuring Compliance and Security in Your Supply Chain

April 8, 2026

In today’s interconnected digital landscape, an organization’s cybersecurity is only as strong as the weakest link in its supply chain. Recent high-profile security incidents, as we will explore throughout this article, have revealed how vulnerabilities in third-party vendors can trigger cascading effects across entire ecosystems, regardless of how mature or well governed internal security controls may be.

Even when internal defences mature, the compromise of a supplier or service provider can directly expose your systems, data, and business operations to significant risk.

Supply chain attacks were identified as the fourth most significant threat in 2025, according to the latest EU Cybersecurity Threat Landscape Report (Figure 1) published by ENISA, and are expected to become one of the most critical emerging threats leading up to 2030. ENISA emphasizes that the increasing complexity of digital supply chains and the limited visibility organizations often have into third-party environments make this threat both urgent and difficult to manage.

That’s why it’s imperative for organizations to treat supplier and third-party risk as a core part of their cybersecurity strategy. The days of treating vendor security as an afterthought are over. Companies must assess, monitor, and manage supplier risks with the same rigour they apply internally.

In this article, we’ll examine the growing importance of supply chain security, how regulations like the NIS2 Directive are raising expectations, and how to use standards approaches such as ISO/IEC 27001, ISO/IEC 27036 can help build a more secure, compliant, and resilient supply chain.

The Growing Importance of Supply Chain Security

As organizations increasingly rely on third-party service providers, cloud platforms and external development teams, their attack surface expands far beyond their own infrastructure. Many of these entities process sensitive information, maintain privileged access or play a critical role in service delivery. While these partnerships enable efficiency and innovation, they also introduce cybersecurity risks that are often difficult to monitor or control.

Each supplier in our ecosystem has its own security posture, and not all of them meet the same standards. Common risk factors include:

Insufficient access control on shared systems;

Outdated or unpatched software used by them;

Lack of awareness and staff training;

No incident detection or response capabilities; and

No information security policies and procedures.

Since many organizations focus primarily on securing their internal systems, they may overlook the hidden risks introduced through integration points, APIs, remote access setups, and data exchanges with partners.

NIS2: What It Brings to the Table

The NIS2 Directive significantly raises the bar of how the organizations should manage and secure their supply chains. Unlike the previous directive, the recommendations become requirements and obligations. Managing our supply chain is no exception.

NIS2 requires entities to implement cybersecurity risk-management measures that explicitly consider:

Security practices of suppliers and service providers;
Potential vulnerabilities introduced by third parties;
Risks arising from dependence on external ICT services;
The impact of supply chain compromise on essential services.

This shift transforms supply chain security from a “nice to have” into a legal requirement, compelling organizations to adopt structured, continuous and evidence based vendor risk management practices.

Real World Attack: Overview

Access through a Supplier

As a cybersecurity services provider, Art Resilia has responded to multiple incidents where the initial intrusion originated not from the client itself, but from a third-party supplier with remote access privileges. Down below we will see a real case handled by our forensics team, illustrating step-by-step how a seemingly small oversight in vendor security controls enabled a full compromise of a client’s internal network.

The following attack anatomy is supported by forensic evidence collected during the investigation.

Figure 1 — High-level attack flow from the supplier compromise.

Initial Compromise of the Supplier

Figure 2 — Timeline of attacker activity after gaining VPN access.

As we can see in the evidence, a third-party provider responsible for remote support maintained VPN access to the client’s network. This machine was infected with Raccoon Stealer, a credential-harvesting malware widely traded on criminal forums.

As a result, multiple sensitive credentials stored on the browser were exfiltrated, including:

Corporate VPN credentials;
Access credentials to internal applications;
Email and cloud accounts.

These credentials were later sold on dark web marketplaces.

2. Valid Credentials Used for Unauthorized VPN Access

Using the leaked VPN credentials, a malicious actor authenticated successfully into the client environment. Due to the lack of enforcement information security policies:

No MFA was enforced on the supplier’s VPN access – the credentials belonged to a valid user;
The connection originated from a foreign IP address, yet no alerts were triggered.

This allowed the attacker to bypass perimeter defences without raising suspicion.

3. Privileged Access to an Unsegmented Internal Network

The VPN profile assigned to the supplier granted broad, non-restricted access to the internal network, violating the principle of least privilege.

Upon entry, the attacker was able to:

Enumerate internal machines;
Scan for open ports and reachable services;
Map critical systems.

Forensic logs confirmed an internal reconnaissance phase shortly after VPN connection, including lateral movement attempts.

4. Discovery and Exfiltration of Sensitive Data

Once key assets were identified, the attacker accessed file shares and internal repositories with business-critical information.
Sensitive data was exfiltrated using encrypted outbound channels to avoid detection.

No data loss prevention (DLP) or outbound traffic monitoring controls were active, allowing exfiltration to proceed unnoticed.

5. Incident Detected Only After Contact from the Attacker

The absence of monitoring, anomaly detection and supplier-related alerts meant that:

The organization had no visibility into the intrusion;
No alarms were triggered during any phase of the attack;
The incident was only recognized after the attacker reached out directly to the company.

This demonstrates a systemic failure in vendor oversight, remote access governance, and detection capabilities.

What Failed — Control Weaknesses Identified

Lack of Credential Leak Monitoring: No mechanisms existed (internally or at the supplier) to detect leaked credentials on dark web marketplaces.

Absence of MFA on Critical Access Paths: Supplier VPN access, a high-risk entry point relied solely on passwords.

Violation of the Principle of Least Privilege: VPN privileges allowed unrestricted access across the internal network.

No Active Security Monitoring or Network Telemetry: The organization lacked SIEM alerts, network anomaly detection, and endpoint security visibility on supplier-related access.

Turning Regulation Into Action and How do we Help our Clients

At Art Resilia, we strongly believe that resilience is the way. And that’s why we look at the Value Chain not as a static list of suppliers, but as a living ecosystem that must be continuously governed, monitored and protected.

In today’s threat landscape, and under regulatory frameworks such as NIS2 as we saw before, organizations can no longer rely on one-time assessments or contractual clauses alone. True resilience requires a continuous protection model that anticipates risk, enforces controls and detects issues before they become incidents.

To achieve this, we developed the Value Chain Protection Cycle (VCPC): a governance framework designed to transform regulatory requirements into practical, repeatable and measurable actions across the entire supplier relationship lifecycle.

The Value Chain Protection Cycle works as a framework that has in its core three pillars:

This pillar ensures that organizations understand where their risks are, how they propagate through the value chain and which suppliers represent the highest exposure. It provides the structure to classify suppliers, assess criticality, evaluate security controls and make informed decisions about trust and access. Risk Management defines what must be protected and why it matters.

Zero Trust

Zero Trust brings the principle of “never trust, always verify” into supplier relationships. Instead of assuming that a partner is secure, access and interactions are validated continuously and contextually. This includes enforcing strong authentication, minimizing privileges, segmenting access paths and verifying behavior throughout the lifecycle. Zero Trust sets the rules for how suppliers should interact with your environment, securely, minimally, and transparently.

Defence-in-Depth

Defence-in-Depth ensures that security is not dependent on a single control or supplier promise. Multiple, layered safeguards technical, procedural and contractual work together to reduce the impact of compromises. Monitoring, detection, encryption, contractual obligations, audits and segmentation all support this layered approach. Defence-in-Depth defines how failures are absorbed so that no single point of weakness leads to a systemic incident.

Together: A Continuous, Resilient Cycle

When combined, these three pillars turn the VCPC into a continuous protection model:

Risk Management identifies and prioritizes what matters;
Zero Trust governs how suppliers interact with systems;
Defence-in-Depth ensures resilience even when controls fail.

This creates a value chain that is not only compliant with regulations such as NIS2, but measurably more secure, more resilient and less dependent on trust alone.

Protecting the Value Chain: What It Really Means

When we talk about protecting the value chain, we must ensure two fundamental dimensions of security:

1. The security of communication

Every interaction with a supplier technical information, contractual documents, operational data or sensitive business details must be protected. This requires secure channels, encrypted exchanges and authenticated parties to ensure confidentiality and trust.

We must ensure that the communication between the secures:

Confidentiality: Information exchanged with suppliers must be protected from unauthorized access, ensuring that only legitimate parties can view or use it.
Integrity: Data must remain accurate, unchanged and tamper-proof throughout its lifecycle and transmission.
Availability: Critical information must be accessible when needed, without disruptions that could impact operations, services or contractual obligations.
Non-repudiation: Clear traceability and verifiable evidence must exist to ensure that no party can deny having sent, received or acted on a communication.

2. The reputation and reliability of each link

Understanding who a supplier is becomes just as important as understanding what they do. Their incident history, security policies, vulnerability management practices and overall maturity all contribute to their real risk profile.

When these two dimensions are evaluated through a risk management lens, organizations can prioritize actions, allocate investment proportionally, and strengthen resilience where it matters most. This transforms trust from an assumption into a data-driven decision.

Determining whether a supplier is truly reliable requires objective signals. No single indicator is sufficient, but together they help create a meaningful, actionable view of the supplier’s cybersecurity posture:

Digital footprint and public exposure: Leaks, outdated infrastructure, attack-surface indicators and disclosed vulnerabilities can reveal underlying security weaknesses.
Technical audit artefacts: Reports, certifications (such as ISO 27001), penetration test results and third-party assessments offer evidence of security practices in place.
Self-assessment questionnaires: These help understand the level of security the supplier claims to maintain and highlight discrepancies between declared and observed posture.
Incident history: Past incidents and especially how they were handled reveal the supplier’s operational maturity and transparency.

These indicators form the basis of a structured and repeatable evaluation model. While not exhaustive, they demonstrate how organizations can meaningfully measure supplier reputation and risk in real-world conditions.

From Classification to Action: A Continuous Governance Cycle

Once supplier criticality is understood, organizations must act through a structured and continuous process at the core of the Value Chain Protection Cycle (VCPC).

Security expectations are formalized through explicit clauses covering confidentiality, data protection, incident reporting, audit rights and technical controls. This creates a shared responsibility model from the outset.

Risk Management Execution

A risk-based approach ensures that requirements, controls and scrutiny levels remain proportional to the supplier’s criticality and exposure.

Implementation of Controls

Controls may be technical (e.g., MFA, segmentation), procedural (e.g., onboarding processes) or behaviour (e.g., awareness), and must directly address identified risks.

Continuous Monitoring

Supplier risk posture evolves over time. Threats change, technologies age, and suppliers may undergo organizational or security shifts. Continuous monitoring ensures that controls remain valid and effective throughout the lifecycle of the relationship.

This cycle is not static, it is a living governance mechanism. Repeated throughout the lifetime of the contract/relationship , it ensures that supplier security adapts, evolves and strengthens as new information and risks emerge.