Third-Party Breaches Driven by Vendor Risk

A new report from Black Kite identifies 'risk concentration' in key vendors as the primary driver of cascading supply chain failures. The analysis found that breaches scaled because the impact cascaded faster than disclosure. This reinforces the need for continuous third-party cyber risk monitoring in enterprise ecosystems.

The digital supply chain, not the physical one, now represents the most significant risk for retail and wholesale sectors. Over 70% of major retailers and nearly 60% of wholesalers already have compromised credentials exposed, providing threat actors with initial access. Attackers increasingly view these interconnected industries as a single target landscape, using the same tools to find the easiest entry point.

This concentration of risk in shared software, IT services, and cloud platforms creates a domino effect. A single vulnerability in a widely used cloud provider or SaaS application can lead to systemic failure, as seen when a Cloudflare outage affected numerous major services like Shopify and Discord simultaneously. This technological concentration means multiple vendors in a supply chain can be impacted by the failure of a single, shared fourth-party provider they all depend on.

Recent events show the tangible impact on logistics and retail operations. In May 2025, a ransomware attack on a logistics partner disrupted UK retailers Marks & Spencer and Co-op, shutting down online orders and impacting stock management. In another instance, a ransomware attack on KNP Logistics in 2023 led to the company's collapse and the loss of over 700 jobs. These attacks demonstrate how digital breaches cause physical-world disruptions.

The expanding use of IoT and edge computing in logistics and retail broadens this attack surface. Each IoT device represents a potential entry point, and with billions of devices now deployed, many with minimal security, they are attractive targets. A physical hack on a distributed edge computing node, often located in less secure field environments, could be the starting point for a deep infiltration into a wider network.

To counter these cascading threats, third-party risk management is shifting towards AI-powered systems. Instead of relying on static, annual questionnaires, AI enables real-time, continuous monitoring of vendor ecosystems. These systems can analyze vast amounts of data to detect subtle anomalies in a vendor's behavior, flag potential threats, and even automate initial responses, scaling security oversight far beyond human capacity.

Shared from Scout - Be the smartest in the room.