👋 Welcome to Unlocked

This week we're tackling a glaring blind spot in the world of cybersecurity - digital supply chain compromise.

Your organization's security isn't solely defined by your firewalls, policies, or even your team anymore. It's actually defined by the weakest API, vendor, or plugin that's connected to your environment.

As the saying goes: "Your strength is only as good as the weakest link in your chain".

In today's digital ecosystem, everything relies on trust - and that trust is being exploited. Attackers are targeting software providers, managed service partners and other vendors to take down dozens or even thousands of downstream targets in one hit.

The SolarWinds breach and the MOVEit Transfer hack showed just how easily one compromised link can spread like wildfire across the globe. Yet, despite this, very few organizations have a clear view of who their vendors rely on - or what's lurking beneath the surface.

So let's dive in.

🧩 The Hidden Web of Third- and Fourth-Party Risk

When organizations talk about supply chain risk, most people think about their direct vendors. But the reality is, your vendors have their own vendors, and your software dependencies are pulling in code from all over the place.

That's fourth-party risk - a problem you can inherit without even realizing it, let alone having any control over it.

  • The average enterprise uses over 1,200 cloud services, according to Netskope.

  • Gartner estimates that 60% of organizations will face a supply chain attack via a third-party relationship by 2026.

  • And according to Black Kite, 98% of companies have at least one third-party vendor that’s already suffered a breach.

All of these relationships can't just be firewalled away - they need to be mapped, monitored and managed continuously - not just when you're onboarding new vendors.

The key takeaway here is: extend your visibility beyond just your first-tier vendors. Adopt continuous monitoring and require vendors to share their own dependency chains with you.

(See: NIST Special Publication 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations.)

πŸ› οΈ SBOMs: The Software Ingredient Label We’ve Needed

Just like how food labels tell you exactly what's in your meal, a Software Bill of Materials (SBOM) is a list of every component that's inside your software - including open-source libraries, frameworks and dependencies.

When done right, SBOMs allow organizations to:

But adoption remains slow. A Linux Foundation report found that while 78% of organizations recognize SBOMs as critical, fewer than 35% have fully implemented them.

Why? Because it's just too complicated, there's no standardization, and vendors are often resistant to sharing this information. Yet as attacks like Log4j and XZ Utils showed, not knowing what's in your software isn't bliss - it's basically an invitation to an attacker.

Takeaway: Ask your vendors to provide SBOMs and integrate them into your vulnerability management pipeline. Visibility is your best line of defense.
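What "integrate SBOMs into your vulnerability management pipeline" looks like in practice, as an added example that is not part of the original newsletter: a small script that reads a CycloneDX-style SBOM, pulls each component's package URL (purl), and matches it against a list of vulnerability records with affected version ranges. The SBOM, the package names and the advisory IDs below are all constructed placeholders, not real vendor data or real advisories, and the matching rule (same package, version in the [introduced, fixed) range) is a simplified form of what a real feed match does.

```python
"""Match an SBOM's components against a vulnerability list.

Added example: the SBOM, package names and EXAMPLE-* advisory IDs are
constructed for illustration; they are not a real vendor's SBOM or a
real advisory feed.
"""
import json
from typing import Optional

# Constructed CycloneDX-style SBOM (only the fields the check needs).
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-logger", "version": "1.4.2",
     "purl": "pkg:npm/acme-logger@1.4.2"},
    {"type": "library", "name": "acme-compress", "version": "5.4.6",
     "purl": "pkg:pypi/acme-compress@5.4.6"},
    {"type": "library", "name": "acme-http", "version": "3.2.0",
     "purl": "pkg:maven/com.example/acme-http@3.2.0?type=jar"},
    {"type": "library", "name": "legacy-widget", "version": "0.9"}
  ]
}
'''

# Constructed vulnerability records: affected package (purl without a
# version) and the affected range [introduced, fixed).  fixed=None means
# no fixed release exists yet.
VULNS = [
    {"id": "EXAMPLE-0001", "package": "pkg:npm/acme-logger",
     "introduced": "1.0.0", "fixed": "1.4.5", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "pkg:pypi/acme-compress",
     "introduced": "5.6.0", "fixed": "5.6.2", "severity": "critical"},
    {"id": "EXAMPLE-0003", "package": "pkg:maven/com.example/acme-http",
     "introduced": "3.0.0", "fixed": None, "severity": "medium"},
]


def split_purl(purl: str):
    """Return (package, version) from a purl; qualifiers/subpath are dropped."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        pkg, ver = base.rsplit("@", 1)
        return pkg, ver
    return base, None


def parse_version(text: str) -> Optional[tuple]:
    """Parse a dotted numeric version into a comparable tuple, or None."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            return None
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> Optional[bool]:
    """True/False for a decidable range check; None if a version is unparseable."""
    v, lo = parse_version(version), parse_version(introduced)
    hi = parse_version(fixed) if fixed else None
    if v is None or lo is None or (fixed and hi is None):
        return None  # cannot decide automatically -> route to manual review
    if v < lo:
        return False
    if hi is not None and v >= hi:
        return False
    return True


def match_sbom(sbom_json: str, vulns: list) -> dict:
    """Classify SBOM components as affected, needing review, or unidentified."""
    sbom = json.loads(sbom_json)
    by_package = {}
    for vuln in vulns:
        by_package.setdefault(vuln["package"], []).append(vuln)
    report = {"affected": [], "review": [], "unidentified": []}
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # No purl means we cannot match it reliably: that is itself a finding.
            report["unidentified"].append(comp.get("name", "<unnamed>"))
            continue
        pkg, ver = split_purl(purl)
        ver = ver or comp.get("version")
        for vuln in by_package.get(pkg, []):
            status = is_affected(ver, vuln["introduced"], vuln.get("fixed")) if ver else None
            finding = {"component": comp["name"], "version": ver,
                       "vuln": vuln["id"], "severity": vuln["severity"]}
            if status is True:
                report["affected"].append(finding)
            elif status is None:
                report["review"].append(finding)
    return report


if __name__ == "__main__":
    print(json.dumps(match_sbom(SBOM_JSON, VULNS), indent=2))
```

The "unidentified" bucket is the part teams usually skip: a component without a package URL cannot be matched to any advisory, so an SBOM that is missing purls gives a false sense of coverage and should be sent back to the vendor.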

πŸ” Vendor Access: The Overlooked Doorway

Even with all your internal controls in place, many breaches start with vendor credentials. A third-party IT provider, HVAC company or analytics platform often has privileged access - and attackers know it.

The issue isn't that we don't trust our vendors - it's that we over-trust them.

Vendors need limited, temporary and auditable access. But too often, credentials just stay active long after the project ends or the scope changes.

Quick fix: Audit all external accounts every quarter. Revoke stale API keys, rotate vendor passwords and enforce MFA for every external user.

For the more advanced organizations, consider adopting zero trust for third parties - treat every external connection as untrusted until you've verified it.
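The quarterly audit described above, as an added example that is not part of the original newsletter: a script that walks an inventory of external (vendor) identities and flags the three conditions the section calls out, namely credentials unused for longer than the audit window, access that has outlived its engagement end date or has no end date at all, and interactive accounts without MFA. The inventory records, vendor names and dates are constructed; the 90-day threshold is an assumption taken from the quarterly cadence in the text.

```python
"""Flag stale, over-scoped and MFA-less external accounts.

Added example: the ACCOUNTS inventory is constructed sample data, not a
real directory export.  Field names are assumptions for illustration.
"""
from datetime import date
from typing import Optional

STALE_AFTER_DAYS = 90  # assumption: one audit cycle, per the quarterly cadence

# Constructed inventory of external identities (one record per credential).
ACCOUNTS = [
    {"vendor": "Acme HVAC", "account": "svc-acme-hvac", "kind": "api_key",
     "last_used": "2024-01-10", "expires": "2024-03-31", "mfa": False},
    {"vendor": "Acme IT Services", "account": "jdoe@acme-it.example", "kind": "password",
     "last_used": "2024-06-28", "expires": "2024-12-31", "mfa": True},
    {"vendor": "Acme Analytics", "account": "analytics-ingest", "kind": "api_key",
     "last_used": "2024-06-30", "expires": None, "mfa": False},
    {"vendor": "Acme IT Services", "account": "contractor-bsmith", "kind": "password",
     "last_used": "2024-06-15", "expires": "2024-12-31", "mfa": False},
    {"vendor": "Legacy Partner Ltd", "account": "legacy-partner", "kind": "password",
     "last_used": None, "expires": None, "mfa": False},
]


def _to_date(text: Optional[str]) -> Optional[date]:
    return date.fromisoformat(text) if text else None


def audit_external_accounts(accounts: list, today: Optional[date] = None,
                            stale_after_days: int = STALE_AFTER_DAYS) -> list:
    """Return one finding per account that needs action, with the reasons."""
    today = today or date.today()
    findings = []
    for acct in accounts:
        issues = []

        # Stale: never used, or unused for longer than one audit window.
        last_used = _to_date(acct.get("last_used"))
        if last_used is None or (today - last_used).days > stale_after_days:
            issues.append("stale: revoke or re-justify")

        # Time-bound access: no expiry at all, or expiry already passed.
        expires = _to_date(acct.get("expires"))
        if expires is None:
            issues.append("no expiry: make access time-bound")
        elif expires < today:
            issues.append("engagement ended but credential still active: revoke")

        # MFA applies to interactive (password) logins; API keys are covered
        # by the rotation/expiry checks instead.
        if acct["kind"] == "password" and not acct.get("mfa"):
            issues.append("MFA not enforced")

        if issues:
            findings.append({"vendor": acct["vendor"], "account": acct["account"],
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_external_accounts(ACCOUNTS, today=date(2024, 7, 1)):
        print(f"{f['vendor']:20} {f['account']:25} -> {'; '.join(f['issues'])}")
```

Running it against a real export means the same three checks over whatever your identity provider or secrets manager gives you: a last-used timestamp, an expiry, and an MFA flag. If any of those fields is missing from the export, that gap is the first thing to fix, because you cannot audit what you do not record.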

📦 Continuous Monitoring: Don’t Just Vet — Verify

Most vendor risk programs just stop at the initial security questionnaire. But threats don't just stand still - neither should our visibility.

Continuous monitoring platforms can flag issues like:

  • Domain expirations or hijacks

  • Breached credentials

  • New vulnerabilities in open-source components

  • Policy or compliance lapses

Tools like SecurityScorecard, UpGuard, and Panorays can help make this process automatic, giving teams a real-time view of their vendor posture.

Takeaway: Move away from static assessments and towards dynamic, risk-based monitoring. Your third-party risk surface is constantly changing - your defenses need to be too.

⚠️ Why This Matters

Every company now operates as a web of interdependencies - vendors, APIs and software with all sorts of connections that leave you vulnerable to a single point of failure. When one link goes down, the whole thing can come crashing down.

The MOVEit breach alone impacted over 2,000 organizations through a single file-transfer vendor. That’s the new reality we’re looking at.

The harsh reality is you can't get rid of third-party risk entirely. But you can make it visible, measurable and something you can actually act on.

For more on how MSPs can turn secure vendor management into a value-add, check out Everykey’s guide for MSPs.

πŸ›‘οΈ How to Fortify Your Digital Supply Chain

For IT & Security Teams:

  • 🧩 Build and maintain a vendor inventory — including fourth-party dependencies.

  • 📦 Require SBOMs and integrate them into vulnerability management workflows.

  • πŸ” Implement continuous vendor monitoring tools.

  • 🧰 Enforce least-privilege and time-bound access for all vendors.

  • 🧾 Review and renew vendor risk assessments annually — or after any major vendor change.

For Business Leaders:

  • 🤝 Make supply chain risk a board-level priority.

  • 💰 Fund automated monitoring and third-party audits.

  • βš–οΈ Embed security clauses in all vendor contracts.

  • 🧠 Train teams to recognize hidden risks in SaaS procurement and integrations.

💡 Unlocked Tip of the Week

Take a look at what kind of components the top 5 software vendors you use are relying on and what third-party libraries they have. You might be surprised at just how many you hadn’t noticed before.

📊 Poll of the Week

Do you currently track your vendors’ fourth-party dependencies?


🙋 Author Spotlight

Meet Mike McDonald - Cybersecurity Solutions Consultant

With nearly two decades of entrepreneurial experience in the charity and nonprofit space, Mike McDonald brings a people-first approach to his role as a Cybersecurity Solutions Consultant at Everykey. Passionate about technology and innovation, Mike thrives on helping businesses transform their access management processes through practical, human-centered solutions.

A lifelong learner and natural connector, Mike loves exploring emerging technologies, building relationships, and understanding what drives others to succeed. Outside of work, Mike’s energy carries into fitness — he’s been a personal trainer for over 17 years and was formerly a sponsored runner with New Balance and Under Armour.

✅ Wrapping Up

We're all part of a larger network of connections these days, and that means we've got to start thinking of our enterprise as one too - a set of interconnected pieces that all have to work together.

But putting trust in something without really checking is just waiting for trouble to strike.

By mapping out all your dependencies, getting the transparency you need and continuously monitoring who you partner with, you can turn your supply chain from your biggest weak point into a real competitive advantage.

Stay vigilant. Stay connected. Stay secure.

Until next time,

The Everykey Team
