#Infosec2025: Experts to Shine Light on Vendor Supply Chain Resilience

The vendor supply chain is complex and sprawling, with organizations often working with hundreds, if not thousands, of third-party suppliers. This vast ecosystem inevitably brings cybersecurity risk into organizations.
Half of all breaches last year came through third-party vulnerabilities, according to SecurityScorecard’s 2024 Threat Intelligence Report.
Steve Cobb, CISO of SecurityScorecard, told Infosecurity, “Even more concerning, nearly every organization we looked at was linked to at least one vendor that had been breached in the past two years.”
Supply chain attacks are not limited to one industry, and even organizations with more mature cybersecurity postures can be vulnerable. For example, in 2024, Santander confirmed that customer and employee data was breached following the compromise of a third-party provider.
A study by Orange Cyberdefense found that over half (58%) of large UK financial services firms suffered at least one third-party supply chain attack in 2024.
During Infosecurity Europe 2025, cybersecurity leaders will explore how businesses can ensure they are resilient against such incidents and that their third parties do not pose a risk to the company.
One keynote conference session, titled “The Evolving Tactics of Supply Chain Attacks”, will cover current best practices for managing supply chain security. Moderated by Dr Emma Philpot, CEO at IASME, the expert speakers for this session include Hazel McPherson, Director, 4Fox Security; Des Massicott, CISO, RX Global; and Adam Wedgbury, Head of Enterprise Security Architecture & Innovation, Bayer.
Speaking to Infosecurity, Des Massicott, CISO, RX Global, said, “At RX Global, we’ve seen firsthand how third-party relationships can introduce significant risk – especially when there’s limited visibility into a vendor’s security posture. One of the biggest issues is that trust is often assumed rather than verified. A vendor might pass an initial assessment, but without ongoing oversight, their risk profile can change dramatically.”
Cybersecurity Strategies to Mitigate Third-Party Risks
The main strategies to mitigate third-party risks include risk assessments and monitoring, adopting comprehensive cybersecurity frameworks and educating staff on best practices when working with a third party.
Massicott said that one of the most persistent challenges is that many programs still rely heavily on point-in-time assessments like Standardized Information Gathering (SIG) questionnaires.
Cobb noted, “Checking in on vendors once a year just doesn’t cut it anymore.”
Massicott described SIG questionnaires as “useful for establishing a baseline.”
However, he noted that they don’t reflect how a vendor’s security posture evolves.
“Continuous monitoring remains a gap for many organizations, including ours, though we’re actively working to close it,” he said.
Cobb concurred, adding that companies need real-time visibility tools to monitor risk as it evolves, and a clear sense of how a breach could affect the business.
He said, “Those with always-on third-party risk management (TPRM) programs are spotting and stopping threats 43% faster than those relying on periodic reviews.”
The shift toward Supply Chain Defense and Response (SCDR) is helping teams act quickly, coordinate across departments and stay ahead of threats when something does go wrong, Cobb commented.
Massicott said his team is now increasingly looking at tools like SecurityScorecard and RiskRecon to assist in moving beyond static assessments to gain more continuous insights.
Insights from Infosecurity Europe 2025
Speaking to Infosecurity about the upcoming keynote session, Massicott said he will focus on how supply chain attacks are evolving – from broad, opportunistic campaigns to more targeted, stealthy operations that exploit trust relationships.
“I’ll also be sharing how RX Global is adapting its third-party risk strategy to address these shifts. That includes embedding security earlier in the procurement lifecycle, using threat intelligence to inform vendor decisions, and building more agile response plans for when – not if – a vendor incident occurs. The goal is to move from reactive to resilient,” he said.
Register here to attend and discover the latest developments in third party risk management and the broader cybersecurity landscape.
The full program can be viewed here.
The 2025 event will celebrate the 30th anniversary of Infosecurity Europe, taking place at ExCeL London from June 3-5, 2025.