Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

Invisible risks: Why hidden supply chain dependencies could be cybersecurity’s next crisis

(McCrary Institute)

By Don Kauffman

Third-party risk is becoming the dominant attack vector in today’s cybersecurity landscape. Aleksandr Yampolskiy, CEO of SecurityScorecard, warned on the McCrary Institute’s Cyber Focus podcast that 65% of data breaches now stem from third-party compromise. And the deeper companies look into their software supply chains, the murkier things get.

What’s often overlooked is that third-party vendors also have vendors – known as fourth parties. These unseen dependencies multiply risk. A company may feel confident about its own cybersecurity posture, or even that of its direct partners, but still remain exposed through the extended digital supply chain.

“Most companies aren’t even aware of who their fourth parties are,” Yampolskiy said. While organizations may track vendors they pay directly, few understand the additional dependencies those vendors introduce – let alone the vulnerabilities that come with them. “[If you] rely on 200 software providers … and all of them are hosted in [the same] cloud region … [that presents] concentrated systemic risk,” he said.

That concentration creates real-world consequences. Yampolskiy cited the example of U.S. ports, where 80% of cranes are operated by software made in China. “You’ve got millions of lines of code,” he said. “How sure are you that there’s no backdoor created by the Chinese where at the convenient time [they] can hit a button and detonate?”

One of the first challenges in managing these risks is simply identifying which vendors – and sub-vendors – a company depends on. “I think step one to dealing with third and fourth parties [is] discovery,” Yampolskiy said. “And a lot of the time when I talk to CEOs and CSOs of big banks, they don’t even know who the third parties are. … All these departments within a big company don’t talk to each other.”

Even basic vendor inventories are often incomplete, making it difficult for security teams to measure risk, much less reduce it. And conventional compliance tools aren’t built for real-time detection. “A lot of companies do one-off assessments using paper questionnaires,” Yampolskiy said. “They check the box, put the form on a shelf, and forget about it.”

The conversation also flagged growing concerns around “shadow AI” – unauthorized employee use of generative AI tools that may compromise security. Yampolskiy said without proper vetting it’s possible to leak “sensitive information from the company – and nobody knows about it.”

His message to boards and CISOs is clear: If you don’t know who your fourth and fifth parties are, you can’t accurately map your attack surface or estimate your risk exposure. As AI accelerates and supply chains deepen, the cost of ignorance may no longer be survivable.

Watch the full episode here.

Click to listen highlighted text!