6 Steps to Counter Fourth-Party Supply Chain Vendor Attacks

Managing a cybersecurity program is hard, but also very meaningful, work.

Continuously managing the cybersecurity posture of your organization’s supply chain vendors can at times feel near impossible; after all, ensuring the cybersecurity of your suppliers is an order of magnitude leap in difficulty.

Yet, criminals are demonstrating that despite these difficulties, this task requires our immediate attention, given the trending success in exploiting our businesses' trusted relationships.

Now, before you go and say, “But Kory, my company only makes golf balls. How many layers of suppliers do I need to worry about?”

The answer is not necessarily all of them, but you must single out which of your suppliers’ suppliers could pose a danger. A golf ball manufacturer might be able to get the vendor supplying the machine that produces the synthetic rubber core to provide its security details, but find it more difficult to do the same for the machine’s software provider, and then for its vendors.

To help organizations climb this difficult mountain, let’s go through six frequently asked questions that will help us better understand this deeper level of supply chain attack.

So, what can one do?

1. Let’s start with something simple. What is the difference between a third-party risk and a fourth-party risk?

A third-party risk is a threat from a company you have some type of direct contract with, say a vendor, or a partner, and that party has a connection to your system. This is a traditional supply chain risk that companies manage through vendor risk assessments and contract clauses.

A fourth-party risk is one step removed. It's the risk posed by your third-party vendor's vendor. You don't have a direct relationship with that organization, so you lack visibility and control. This means any security issues they have could be passed along and impact your business.

For example, your company might use a third-party payroll service. That payroll service, in turn, may use a fourth-party cloud provider to store its data, including your employees' sensitive information. If that cloud provider suffers a breach, your company is still on the hook for the exposed data.

2. Are fourth-party attacks common?

Yes, they're becoming more common, and their impact is often amplified due to the lack of visibility. One recent report noted that 4.5% of all breaches are through fourth parties, while 35.5% of all breaches in 2024 were third-party related, a 6.5% increase from 2023.

There is another way to look at it, too. Every fourth-party breach is another firm’s third-party breach.

While we've seen a lot of attention on third-party breaches, like the recent SalesLoft attack that impacted Salesforce and other businesses, fourth-party incidents are often harder to detect and attribute.

3. Can you point to an attack on a fourth-party supplier that impacted the primary organization?

One notable example is from 2023, when the Cl0p ransomware/extortion group exploited a zero-day vulnerability in the MOVEit file transfer platform, affecting thousands of organizations worldwide.

In this case, the chain reaction started with Wilton Reassurance, a life insurance company. It was indirectly impacted when its third-party service provider, PBI Research Services, used MOVEit to process customer data. Due to the MOVEit breach, confidential information of nearly 1.5 million consumers was compromised.

This indirect entry point allowed the attackers to move laterally through Target's network, ultimately gaining access to the point-of-sale systems and stealing the credit card information of millions of customers. This incident was a wake-up call for many organizations, highlighting the critical importance of looking beyond their immediate suppliers.

4. How far down the supply chain does a company have to worry when considering its own security posture?

In reality, you need to be concerned about security as far down the supply chain as your critical data or operations flow. While it's impractical to vet every single vendor, you must focus on the vendors that pose the greatest risk. These are typically the ones with "special access", such as those that:

  • Handle or store sensitive data (customer information, intellectual property, financial records).
  • Have direct access to your internal networks or critical systems.
  • Provide a service that is essential to your business operations.

These vendors' vendors should be a primary concern because a compromise at that level could have a direct and devastating impact on your organization.

5. Is it feasible to investigate that far down the supply chain for risks, and if so, how does one do so?

Investigating risks that far down the supply chain is challenging, but it's not impossible. It requires a strategic and methodical approach: map your supply chain to identify your most critical third-party vendors, then determine which fourth parties they rely on most heavily. This can be accomplished by:

  • Asking the right questions in your vendor due diligence questionnaires. Explicitly ask third parties to disclose their key subcontractors and their security practices.
  • Requesting relevant reports, such as SOC 2 reports, from your third-party vendors. These reports often contain information about the vendors' own third-party relationships.
  • Utilizing automated tools that can provide real-time visibility into your vendors' security postures and alert you to potential vulnerabilities or breaches in their supply chain.
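
To make the mapping step in question 5 concrete, here is an added example (not from the original post and not Trustwave's tooling) that scores each direct vendor against the three "special access" criteria from question 4 and propagates those scores to the fourth parties the vendor discloses, so a subcontractor shared by several critical vendors surfaces first. All vendor names and attributes are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example data: vendor names and attributes are placeholders,
# not real companies or real findings.

@dataclass
class Vendor:
    """A direct (third-party) vendor and the subcontractors (fourth parties) it discloses."""
    name: str
    handles_sensitive_data: bool = False   # customer info, IP, financial records
    network_access: bool = False           # direct access to internal networks or critical systems
    essential: bool = False                # service essential to business operations
    subcontractors: List[str] = field(default_factory=list)


def criticality(vendor: Vendor) -> int:
    """Score 0-3: one point per 'special access' criterion the vendor meets."""
    return sum((vendor.handles_sensitive_data, vendor.network_access, vendor.essential))


def fourth_party_exposure(third_parties: List[Vendor]) -> List[Tuple[str, Dict]]:
    """Propagate each third party's criticality to the fourth parties it relies on.

    A fourth party inherits the score of every critical vendor that depends on it,
    so a subcontractor shared by several critical vendors ranks first. Vendors with
    no special access (score 0) are skipped: their subcontractors are not prioritized.
    """
    exposure: Dict[str, Dict] = {}
    for tp in third_parties:
        score = criticality(tp)
        if score == 0:
            continue
        for fp in tp.subcontractors:
            entry = exposure.setdefault(fp, {"score": 0, "via": []})
            entry["score"] += score
            entry["via"].append(tp.name)
    return sorted(exposure.items(), key=lambda kv: (-kv[1]["score"], kv[0]))


SAMPLE_THIRD_PARTIES = [
    Vendor("Payroll Service", handles_sensitive_data=True, essential=True,
           subcontractors=["CloudHost-A", "EmailRelay-B"]),
    Vendor("HVAC Maintenance Co", network_access=True, subcontractors=["CloudHost-A"]),
    Vendor("Office Supplies Ltd", subcontractors=["CloudHost-C"]),
]

if __name__ == "__main__":
    for name, info in fourth_party_exposure(SAMPLE_THIRD_PARTIES):
        print(f"{name}: exposure {info['score']} via {', '.join(info['via'])}")
```

The output ranks CloudHost-A first because two critical vendors depend on it, which is exactly the concentration a questionnaire or SOC 2 review should be asked to expose.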

6. How can Trustwave, A LevelBlue Company, help with vetting vendors?

Trustwave has a well-established, human-led Managed Vendor Risk Assessment solution that was named a representative vendor in the 2025 Gartner® Market Guide for Third-Party Risk Management Technology Solutions.

The solution is designed to reduce staff time spent vetting suppliers, support procurement decisions with actionable insights, and compare vendor security postures to help executives choose the most secure suppliers.

Once our fast onboarding process is completed, Trustwave will:

  • Conduct the initial setup in the cloud platform
  • Hold workshops to ensure alignment between our delivery process and your risk management program
  • Deliver assessments fully remotely, completed within the service duration timeframe

The bottom line is that supply chain security is possible, but it does require burrowing down many layers to uncover potential security flaws. This task is not easy, so do not be shy to seek out expert help.

About the Author

Kory Daniels is CISO at Trustwave. For more than 5 years, Kory has led people, process, and technology in effectively adopting ML, AI, and automation in Fortune 500 companies and adapting those approaches for the market. Follow Kory on LinkedIn.
