Procurement and cyber-security

Richard Meeus at Akamai explains why businesses should embed cyber-security requirements into supplier contracts

In cyber-security, building fortress-like defences is only half the battle. No matter how robust your network and systems are, even the most sophisticated internal security measures can be rendered redundant when a single supplier becomes the weak link in your interconnected business ecosystem.

As recent high-profile attacks throughout the retail sector, and beyond, have shown, there’s growing pressure on organisations to reshape how they approach supply chain security. The solution? Rethinking modern vendor agreements to incorporate comprehensive cyber-security frameworks contractually. Almost every industry in 2025 relies on interconnected digital supply chains, be it retail, manufacturing, healthcare, or aviation.

Only by raising standards across the entire ecosystem can we reduce the likelihood of a single weak link derailing business operations and taking services offline for extended periods.

Visualising the impact

Third-party supply chain partners are vital components in complex business ecosystems for companies large and small. But this also exposes the end organisation to significant risk through its network of partners. Any weakness or vulnerability in one of your partners is ultimately a risk to your business operations.

Imagine you are a major pizza takeaway chain. As a leading business, you’ll likely have invested heavily in your own cyber-defences, ensuring that your business can withstand and effectively manage any attacks against your own networks. You’ll also have a vast array of supply chain partners that keep your kitchen stocked and ensure that you can keep serving your hungry customers.

But what happens when your flour supplier suffers a damaging ransomware attack? Suddenly, your key supplier is unable to provide your business with a vital ingredient. Soon, not only will their operations grind to a halt, but your business will begin to buckle. Within mere hours, production systems will stop, inventory management will fail, and delivery schedules will collapse. Your business has to navigate empty stock shelves, reduced menus, disgruntled customers and revenue losses that could last for weeks, or even months.

Despite your own cyber-defences standing strong and remaining completely intact, your operations have been stopped dead in their tracks by an attack on one of your partners. Given the extensive disruption to business in an incident like this, the damage is not only financial but also reputational.

Why do criminals target the supply chain?

Suppliers do not only provide physical goods, as in the pizza example. Increasingly, suppliers are providing critical technology services. They can be payment processors, logistics platforms, inventory management systems and customer service platforms, and each can represent a valuable target for cyber-criminals: a single point of failure. Taking out one of these critical links breaks the entire chain. Even more worryingly, the end business will have no direct control over the recovery timeline, leaving staff and customers alike with limited information.

But cyber-criminals are not only targeting suppliers to cause disruption. Once inside an organisation’s systems, stealing personal information is just one of many options available to them. Attackers may also seek to encrypt data for ransom, steal intellectual property, or exfiltrate other sensitive information. We’ve seen time and again that such attacks against a third-party supplier can serve as a back door into an organisation’s systems and networks by bypassing carefully constructed perimeter defences through legitimate business connections.

So, the uncomfortable truth, that must be built into business operations as an everyday reality, is that your organisation’s cyber-security is only as strong as your weakest supplier. This means that, for many, a rethink and restructuring are required in how their business approaches cyber-resilience. And the most important step is ensuring that the ‘assume breach’ mentality extends beyond the remit of your own business and instead encompasses your entire supply chain.

Building fit-for-purpose supply chain cyber-resilience

In a landscape of heightened risk, effective supply chain cyber-risk management requires a shift from traditional vendor management to active cyber-resilience partnerships. A key part of this shift will be evolving contractual frameworks to address cyber-security responsibilities specifically.

Effective resilience is built into contracts. Security schedules should codify a clear baseline, for example the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO/IEC 27001 (International Organization for Standardization/International Electrotechnical Commission 27001), and translate that baseline into specific, testable obligations.

Typical requirements include encryption in transit and at rest, defined access controls and logging, documented incident response procedures, and breach notification within 24/72 hours. Business continuity and disaster recovery expectations (including Recovery Time Objective and Recovery Point Objective) should be stated and evidenced through regular testing. Critically, obligations must flow down to subcontractors so equivalent standards apply across fourth parties, preventing risk from being displaced elsewhere in the chain. Evidence‑based assurance is essential: suppliers should provide attestations, test results, remediation plans and named points of contact on an agreed cadence aligned to service criticality.

Enforcement mechanisms should make these obligations meaningful. Contracts increasingly include rights to audit, requirements for independent assessments, financial remedies for security failures, and clear suspension or termination rights in cases of material non‑compliance.

Organisations must balance robustness with practicality by applying proportionate, risk‑tiered requirements that protect essential services without undermining cost efficiency, innovation capacity or supplier diversity. Framed this way, contractual terms become operational controls, moving supply chain security from reactive firefighting to a proactive, partnership model with shared accountability and continuous assurance across the value chain.

Supply chain cyber-resilience is a strategic discipline, not a tick-box. The priority now is clear: embed enforceable security standards in contracts, flow them down to subcontractors, and back them with evidence, testing and consequences. Apply proportionate, risk‑tiered controls to protect what matters most while sustaining innovation and supplier diversity. Assume breach, rehearse the joint response, and measure performance continuously. Do this well, and a single compromise will be contained rather than catastrophic. This protects operations, customers, and reputation across an ecosystem where cyber-security is a shared responsibility.

Richard Meeus is Director of Security Technology and Strategy EMEA at Akamai
