Supplier cyber-risks: why third parties are becoming the number one vulnerability for large organisations

In a context of economic pressure and geopolitical fragmentation, cybersecurity has become a major concern. While large organisations have implemented robust protection systems, vulnerabilities often stem from their suppliers. How can companies ensure compliance across a wide network of third parties and minimise the risk of cyberattacks? What are the main challenges in preventing cyber risks posed by suppliers?

Maxime Oliva, CEO of TEKID, a VISEO Group company specialising in cybersecurity, data protection and regulatory compliance, shares his insights.

Published on 14/01/2026

Cybersecurity

Point of view



Cyber-risks posed by suppliers and the supply chain: why greater vigilance is essential

This risk has always existed, but digital transformation and growing dependence on technology have significantly amplified it. Digitalisation has permeated every layer of the organisation. Across all sectors, companies now face challenges similar to those encountered by technology players such as SAP or Cegid.

Between system integrators, software vendors, IT support and maintenance providers, as well as cleaning or catering services, organisations are required to manage thousands of digital suppliers. Each link in the chain represents a potential risk: a single compromised access point can expose the entire supply chain.

Can you share examples of risks or attacks you have witnessed?

Some cases have made headlines. The MOVEit file transfer software breach compromised thousands of customers. The attack on IT provider SolarWinds had repercussions reaching as far as Microsoft. Hackers aim to access the data and systems of large organisations, but to reach them, they exploit suppliers, which are often less mature in terms of cybersecurity.

Marketing agencies, for example, which are entrusted with extensive customer databases for promotional campaigns, are among the prime targets. This offers a double benefit for attackers: not only do they reach their primary target, but they also gain access to hundreds of others.

What can we expect in the coming years? Will these attacks intensify?

The outlook is not encouraging. Data has become digital gold. Hackers take advantage of a highly fragmented market, with players specialising narrowly in specific areas, making them easier to exploit. It is almost as if banks were leaving their vaults open onto the street.

In parallel, issues related to digital sovereignty — or cyber sovereignty — are becoming increasingly prominent. Governments are placing greater responsibility on companies, which represents a real game changer. Today, when a company falls victim to a cyberattack, it may file a complaint, but it is often confronted with questions regarding its compliance with legal and regulatory obligations. These topics are set to become priority investment areas for large organisations.

How can these risks be prevented?

In the field of risk management, there is nothing fundamentally new: the same principles have existed for decades. Continuous assessments are required, along with solid contractual protection. However, there is significant room for improvement — and even innovation — in the methods used.

Large organisations have implemented vendor onboarding and validation protocols to screen their suppliers. However, the questionnaires used, often in the form of checklists, do not effectively mitigate risk. A company does not need to be truly compliant to provide the “right” answers, which is why audits and verification of submitted information are essential.

Consulting firms can be extremely costly, particularly given the explosion in the number of suppliers. CAC 40 companies, for example, may deal with more than 50,000 suppliers worldwide. Faced with this reality, organisations must find a smart balance between high-quality service and automation, while being able to operate at scale. This is a major challenge.

How can this issue of scale be addressed?

Several questions arise: how can processes be automated? How can suppliers be made accountable while reducing the burden on clients? How can such complexity be managed?

Clients need simplified processes, but also clear visibility. A company like TEKID assesses the information provided by suppliers and delivers it in the form of executive summaries, with all key information consolidated on a single page. Continuous monitoring is also essential.

Data must be managed in two ways. Every data point must be governed; otherwise, it becomes a potential source of leakage. This requires segmentation (distinguishing HR, IT, finance-related data, etc.) as well as transversal solutions that provide a holistic view.

Finally, no supplier should be overlooked. Visibility must extend across the entire supplier base. Clients often focus only on their top three suppliers for budgetary reasons — but this represents an excessive level of risk.

In 2025, companies did not seem ready for certain regulatory directives. Where do they stand at the beginning of 2026?

The situation is straightforward: a large organisation must comply with the GDPR, the DORA regulation, the Military Programming Act, CNIL requirements — and this is just in France, covering only four major regulatory frameworks.

They must also comply with regulations in other European countries, as well as in China, Russia and the United States. For organisations, this is a nightmare. How can a CAC 40 group ensure the compliance of thousands of suppliers?

Another challenge lies with niche suppliers, which are often subject to the same obligations as large enterprises — obligations that many of them are simply unable to meet without support. These topics are highly complex and require real guidance. The problem must be reframed: how can suppliers be enabled to meet the requirements that protect their clients? An audit alone is not sufficient; suppliers must be supported throughout the process.

What are the consequences of regulatory differences between countries?

Continuous assessment remains a strong contractual foundation. This is why TEKID has adopted an approach based on dual expertise: our cybersecurity engineers work hand in hand with legal professionals.

Given the geopolitical context, contractual conditions must be adapted to the relevant jurisdiction and cybersecurity environment. Balancing local and global standards has become a critical issue — and this is at the core of our expertise.

In countries such as China, which has some of the most stringent regulations in the world, clients cannot rely on their usual service providers and are required to work with local vendors, often on obligations they do not fully understand. In the United States, another challenge arises from the diversity of sectoral and state-level regulations, such as CCPA or HIPAA. Addressing these issues requires a wide range of specialised expertise, which is why our approach is deliberately transversal.

Conclusion

The conclusion is clear: the more suppliers an organisation has, the larger its attack surface becomes. However, solutions do exist. By industrialising controls to make them scalable, supporting suppliers, and intelligently navigating between global and local requirements, organisations can close the gap.

At TEKID, this is a clear priority: reducing complexity in order to reduce risk.