Global Category Intelligence
Q2 2025
ALERT – Cyber Risks Impacting Indirect Procurement and Global Supply Chains
Categories: Information Technology; Risk Management; Suppliers & Sourcing
Published: March 18, 2025
A new report from cybersecurity firm BitSight, released on March 17, highlights significant vulnerabilities in digital supply chains, presenting pressing challenges for indirect procurement and supply chain professionals. “Under the Surface: Uncovering Cyber Risk in the Global Supply Chain” analyzed 61 million digital relationships across 500,000 organizations, highlighting the need for procurement teams to address risks in their increasingly complex and interconnected networks.
For those managing indirect procurement—such as IT services, software, and third-party vendor contracts—the findings signal a critical moment to tackle threats that could disrupt operations, increase costs, and undermine supplier reliability.
The Hidden Pillars: Single Points of Failure
The report identifies cyber risks extending beyond major tech firms to smaller, specialized providers—labeled “Hidden Pillars”—that support vital industries like healthcare, logistics, and manufacturing. These vendors, often under-scrutinized, can become single points of failure. For example, a software provider with fewer than 50 employees might underpin the operations of a Fortune 500 company, yet its security gaps could disrupt procurement platforms or logistics systems. With providers using 2.5 times more products and managing 10 times more internet-facing assets than their clients, the attack surface expands significantly, posing a concern for indirect procurement teams that rely on outsourced IT solutions.
Historical and recent breaches vividly illustrate these risks:
- The 2013 Target breach, where hackers accessed 40 million payment card details via a compromised HVAC vendor’s credentials, exposed how indirect procurement choices—like facility management contracts—can open doors to broader systems.
- More recently, the 2021 SolarWinds attack saw nation-state actors exploit widely used IT management software, affecting 18,000 organizations, including government agencies and private firms, through a trusted vendor.
- The 2024 Snowflake and CrowdStrike incidents further underscore this vulnerability, with misconfigured cloud accounts and a faulty software update disrupting industries from finance to logistics.
These cases illustrate how weaknesses in indirect vendor relationships can ripple through supply chains.
The BitSight report also identifies risks from providers linked to entities under security restrictions, which remain embedded in digital supply chains despite regulatory efforts. These vendors, essential to tech infrastructure, raise concerns about data integrity and operational continuity—critical considerations for procurement teams managing vendor contracts. Released during a period of geopolitical uncertainty and potential trade shifts, the study suggests that indirect spend categories may face cyber disruptions alongside compliance challenges, thereby adding complexity to vendor oversight and management.
Impacts on Indirect Procurement and Supply Chain Operations
The BitSight findings present a dual challenge: managing a complex digital risk landscape while ensuring operational resilience. A breach in a third- or fourth-party vendor could disrupt procurement workflows—think cloud platforms stalling invoice processing or software outages delaying supplier updates. The Target breach demonstrated this firsthand, costing over $200 million due to a vendor lapse, while the SolarWinds incident disrupted IT operations across various sectors, forcing rapid reassessments of vendors. The 2024 breaches, including Snowflake’s data exposure and CrowdStrike’s operational halt, underscored the stakes, prompting procurement teams to scramble for alternatives.
The report’s data—showing providers’ supply chains are 2.5 times larger than their clients’—reveals hidden dependencies. A small vendor supporting a logistics platform might serve few clients but control critical operations, amplifying its impact if compromised. Exposure to high-risk vendors, such as those associated with restricted entities, introduces geopolitical complexity, potentially increasing compliance costs or necessitating supplier switches. For supply chain professionals, this elevates indirect procurement decisions—often seen as low-risk—into strategic considerations with far-reaching consequences.
Key Takeaways
- Conduct Rigorous Vendor Audits: Assess cybersecurity across IT and software vendors, especially smaller players with significant roles. The Target case proves even peripheral vendors warrant scrutiny.
- Implement Continuous Monitoring: Move beyond periodic reviews to real-time oversight, catching vulnerabilities like those exploited in SolarWinds or Snowflake. Tools tracking patch management or open ports can prevent disruptions.
- Strengthen Contingency Plans: Build backups for critical indirect services—such as alternate providers or manual processes—as CrowdStrike’s outage demonstrated the need for quick pivots.
- Navigate Geopolitical Risks: Evaluate exposure to vendors linked to restricted entities and diversify options to mitigate trade or regulatory shifts, a valuable lesson from ongoing U.S.-China tensions.
The BitSight report, paired with high-profile breaches such as those at Target, SolarWinds, Snowflake, and CrowdStrike, serves as a clear call to action. Indirect procurement and supply chain professionals must prioritize cyber risk management to safeguard resilience in a volatile, interconnected global landscape.