When the Cyberattack Comes Through Your Supplier
More and more security incidents start inside a supplier, not the company itself. A look at why trust is not a strategy — and what to do instead.

The Attack Didn''t Come Through Your Door. It Came Through Your Supplier''s.
Here is a story that repeats itself, month after month, in companies of every size.
A business invests seriously in its security. Firewalls, training, backups, good IT people. The doors are locked. And then one morning, something is wrong — data has leaked, systems are down, clients are calling. The investigation begins, and the answer surprises everyone: the attackers never touched the company directly. They came in through a supplier. A software vendor, a logistics partner, an IT contractor with access badges nobody remembered granting.
This is no longer a rare story. Last year, the share of security incidents involving a third party doubled. Roughly one breach in three now starts somewhere in the supply chain. And these are among the most painful incidents there are: expensive to fix, and slow — often taking the better part of a year to fully resolve, because untangling a problem that lives inside someone else''s company is much harder than fixing your own.
This is exactly the kind of blind spot that proper strategic consulting is designed to surface — before the incident, not after.
The questionnaire ritual
How do most companies protect themselves from this? With a form.
Before signing a contract, the new supplier receives a questionnaire. Do you have security measures in place? Do you protect your data? The supplier ticks the boxes — yes, yes, of course — and everyone moves on. The file is saved, the contract is signed, and the ritual is complete.
Notice what just happened: the company asked the supplier to grade themselves. Unsurprisingly, everyone passes.

Regulators are now moving in the same direction as attackers. The EU''s NIS2 directive explicitly extends cybersecurity accountability into the supply chain — a company can be held responsible for weaknesses at its critical suppliers, not just its own systems.
What actually knowing a supplier looks like
Real reassurance doesn''t come from a form. It comes from independently answering a few plain questions:
- Who owns this company — and has that changed recently?
- Is it financially healthy, or quietly struggling?
- Has it been in trouble before — incidents, lawsuits, disputes with other clients?
- Who is working behind it — subcontractors your contract never mentions?
None of this is secret. It lives in public records, company registries, court archives, the press. It just doesn''t volunteer itself. Someone has to go and look.
That''s what we do
At Comm42, we look. We combine corporate investigation with cybersecurity know-how, which means we can tell you not just whether a supplier''s systems seem solid, but whether the company behind those systems is one you want tied to yours.
Before you hand a new partner the keys, let''s make sure you know who you''re handing them to. Talk to us.