Cybersecurity in the Supply Chain: The Risk Sitting in Someone Else's Server Room
Your biggest cyber risk might not be in your building. It might be sitting in a supplier's server room — and procurement owns the gate.
The risk in someone else's server room
Your biggest cyber risk might not be in your building. It might be sitting in a supplier's server room, or a contractor's laptop, or the cloud environment of a SaaS vendor that has read access to your customer data.
A breach at a vendor with access to your systems or your data becomes your breach. Your headline. Your regulatory investigation. Your customer notification obligation. And often, you find out about it after the damage is done, because the vendor's detection capability was not up to the same standard as their sales deck.
Whose problem is this really
For years, supply chain cyber risk was treated as IT's problem. And IT does have a role — in defining security standards, running technical assessments, managing access controls. But it is not only an IT problem, and the misclassification has left a significant gap.
Procurement owns the gate. The decision to onboard a new supplier, to extend a contract with a vendor who has system access, to grant a contractor access to production environments — these are procurement decisions. The security posture of the suppliers you bring into your ecosystem is a procurement responsibility, with IT as a technical partner.
The questions that matter at onboarding
The right questions are not technically complicated. What access does this supplier actually need to do the job, and is that the access they are asking for, or are they asking for more? Can they demonstrate their security posture through a recognised framework or a recent independent assessment, and does the scope of that certificate or report actually cover the service you are buying? What is their incident response capability, and how, and how quickly, would you find out if they had a breach? What happens to your data when the relationship ends: is it returned or deleted, and can they evidence that?
These questions asked at onboarding create a commercial and contractual framework for managing the risk. The same questions asked after a breach are damage assessment.
Proportionate to the risk
Not every supplier needs the same level of security scrutiny. The proportionality behind least privilege applies at the category level too: a stationery supplier with no system access carries a different risk profile from a cloud software vendor embedded in your finance systems, and the depth of vetting should follow that difference.
Map your vendor base against system access and data exposure. Focus your most rigorous security vetting on the suppliers where a compromise would hurt you most — and make that vetting a recurring event, not a one-time onboarding check.
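The mapping described above, and the access question from the onboarding section, can be made mechanical once the vendor base is in an inventory. The following is an added example written for this article, not a tool from the original page: it scores each vendor on two independent axes (access into your systems, exposure of your data), derives a tier with an assumed review cadence and evidence requirement, and flags any requested entitlements that exceed the contracted scope. The vendor records, scale values, tier thresholds and policy strings are all constructed for illustration; a real programme would set its own.

```python
"""Tier a vendor inventory by system access and data exposure.

Added example for this article, not code from the original page. All vendor
records, scales, thresholds and policy text below are constructed/assumed.
"""
from dataclasses import dataclass, field

# Ordinal scales (assumed): higher means more ability to do harm.
# Access is about reach INTO your environment; data is about what of YOURS they hold.
# They are independent: a SaaS vendor with no network access can still hold regulated data.
ACCESS_SCORE = {"none": 0, "network": 1, "read": 2, "write": 3, "admin": 4}
DATA_SCORE = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Review cadence and assurance expected per tier (assumed policy values).
TIER_POLICY = {
    1: ("onboarding check only", "commercial terms"),
    2: ("annual reassessment", "security questionnaire + contract security schedule"),
    3: ("semi-annual reassessment",
        "independent assessment (e.g. ISO 27001 certificate or SOC 2 Type II report) "
        "with scope covering the purchased service + breach-notification clause"),
}


@dataclass
class Vendor:
    name: str
    access: str                                   # key of ACCESS_SCORE
    data: str                                     # key of DATA_SCORE
    requested: set = field(default_factory=set)   # entitlements the vendor asked for
    needed: set = field(default_factory=set)      # entitlements the contracted scope requires


def tier(v: Vendor) -> int:
    """Map a vendor onto tiers 1 (lowest) to 3 (highest). Thresholds are assumed."""
    a, d = ACCESS_SCORE[v.access], DATA_SCORE[v.data]
    if a >= ACCESS_SCORE["write"] or d >= DATA_SCORE["regulated"]:
        return 3          # write/admin access, or regulated data, is critical on its own
    if a + d >= 2:
        return 2          # some foothold and/or some data exposure
    return 1


def excess_access(v: Vendor) -> list:
    """Entitlements requested beyond the contracted need (the least-privilege check)."""
    return sorted(v.requested - v.needed)


def assess(vendors) -> list:
    """One finding per vendor, highest tier first, so vetting effort lands where it hurts most."""
    findings = []
    for v in vendors:
        t = tier(v)
        cadence, evidence = TIER_POLICY[t]
        findings.append({
            "vendor": v.name,
            "tier": t,
            "cadence": cadence,
            "evidence": evidence,
            "excess_access": excess_access(v),
        })
    return sorted(findings, key=lambda f: (-f["tier"], f["vendor"]))


# Constructed sample inventory (not real suppliers).
SAMPLE_VENDORS = [
    Vendor("Paper & Pens Ltd", "none", "none"),
    Vendor("Managed Print Co", "network", "none"),
    Vendor("Brand Agency", "read", "internal",
           requested={"sharepoint:read:marketing"}, needed={"sharepoint:read:marketing"}),
    Vendor("PayrollCloud", "read", "regulated",
           requested={"api:read:employees", "api:admin"}, needed={"api:read:employees"}),
    Vendor("FinanceApp", "write", "confidential",
           requested={"erp:post:journals"}, needed={"erp:post:journals"}),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_VENDORS):
        flag = f" EXCESS ACCESS: {f['excess_access']}" if f["excess_access"] else ""
        print(f"tier {f['tier']}  {f['vendor']:<18} {f['cadence']:<26}{flag}")
```

Run as a script it lists the two tier-3 vendors first and flags PayrollCloud for asking for `api:admin` when the contracted scope only needs `api:read:employees`. The point of keeping the two axes separate is that a vendor with no access into your network but custody of regulated data still lands in the top tier, which a pure "who has a VPN account" view would miss.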
Key takeaways
- Supply chain cyber risk is a procurement responsibility because procurement controls vendor access decisions.
- A vendor breach with system or data access is your breach — the commercial and reputational exposure is yours.
- Ask the access, posture, and exit questions at onboarding — the same questions asked after a breach are too late.
- Tier your security vetting by risk: focus rigour on the vendors whose compromise would hurt you most.
Frequently asked questions
What is supply chain cybersecurity risk in procurement?
Supply chain cybersecurity risk refers to the cyber exposure created by vendors, suppliers, and third parties who have access to your systems, data, or infrastructure. A security failure at a vendor with that access can become your breach — creating regulatory, financial, and reputational consequences for your organisation.
How should procurement manage cybersecurity risk in vendor selection?
Procurement should require vendors with system or data access to demonstrate their security posture through a recognised certification or attestation (for example an ISO 27001 certificate or a SOC 2 Type II report) or a recent independent assessment, and should check that the scope of that evidence actually covers the service being bought. Contracts should specify security standards, incident notification obligations with a defined timeframe, and data return or deletion at contract end. Security requirements should be proportionate to the access and data exposure the vendor carries.
What is the principle of least privilege in vendor access management?
Least privilege means granting vendors the minimum system access they need to perform their contracted scope, and no more. For procurement, it means comparing the access a vendor requests against what the contracted work actually requires, questioning any excess, and writing access restrictions, periodic access reviews and revocation at contract end into the contract from the start.