Thought Leaders
Continuous Monitoring: Filling the Security Gaps in Supplier Risk Management

Supply chains are the glue that holds the global economy together. They’re also a significant source of cyber-related business risk. Attacks on suppliers surged by 431% between 2021 and 2024, and they’re expected to keep rising. That’s bad news for the enterprises that do business with them. IBM puts the average cost of a breach involving third-party vendor compromise at $4.9m, among the highest of any incident type.
The challenge for risk and cyber leaders is that existing risk management mechanisms are imperfect. They can be slow, resource-intensive and full of blind spots. True supplier risk management comes from continuous oversight and control.
The unstoppable growth of supply chains
Complex, fragmented supply chains are the price we pay for global commerce. Over the past decade or more they have grown to support consumer demands for more choice and lower costs, driven by an explosion in online shopping. At the same time, digital supply chains have also undergone tremendous growth, thanks to the proliferation of software as a service (SaaS), managed service providers (MSPs) and business demands for more innovative, efficient ways of working.
The result? Opacity where there should be insight, and escalating levels of business risk that could imperil profits and hard-won customer loyalty. By one estimate, even the average SMB has 800 suppliers. When suppliers of suppliers are counted, the figures soon reach into the thousands of businesses.
A risky business
This is bad news for CISOs and their teams, who must find a way of managing the inevitable cybersecurity risks that come with extensive supply chains. Vendor and supply chain compromise accounted for 15% of data breaches last year, according to IBM. Verizon claims the figure has actually doubled over the past year to reach 30%. Whatever the actual tally, real-world incidents make clear the kind of damage such breaches can cause.
Third parties like outsourcers and professional services firms may store highly sensitive access credentials and other data belonging to their client organizations. It could be highly regulated personally identifiable information (PII) on customers and employees, or IP, trade secrets and non-public financial data. All of it is a major draw for digital extortionists, who may steal and/or encrypt it to force payment. Third-party breaches accounted for over two-fifths (41%) of ransomware attacks in 2024, according to one study.
As suppliers proliferate, so too does the risk of corporate fraud, such as business email compromise (BEC). Threat actors might send a phishing email to a member of the finance team, or even a senior executive, requesting payment for a non-existent invoice. They improve their odds by first compromising client or supplier email accounts, so they can monitor communications and learn what legitimate invoices and payment requests look like. The standard counter is out-of-band verification of any new or changed payment details, using a contact number already held on file rather than one supplied in the email. BEC losses reported to the FBI reached nearly $2.8bn last year, making it the second-highest grossing cybercrime type.
Then there are suppliers of suppliers. One 2023 report claims half of the organizations studied had indirect relationships with at least 200 fourth parties that suffered breaches in the previous two years. The smaller the supplier, the fewer resources it may have to spend on best-practice cybersecurity.
AI is a gift to hackers
AI technology is increasingly being harnessed by cybercriminals to improve their success rates. In fact, British government experts warned this year that the technology “will almost certainly continue to make elements of cyber intrusion operations more effective and efficient.”
We can see this in the way generative AI enables the creation of phishing campaigns in natural, flawless local languages. In the way it can help threat actors probe for system weaknesses and select their targets. And in the way it might even assist in the creation of malware and exploits. That’s why AI will lead to “an increase in frequency and intensity of cyber threats” over the next two years, the report warns.
Depending on the type and extent of the security incident, the impact for clients of a breached supplier ranges from financial and reputational damage to regulatory risk and operational disruption. The longer an incident goes undetected, the more time threat actors have inside the network and, ultimately, the more it will cost to clean up and recover from. Unfortunately, supply chain compromises take the longest to resolve, according to IBM.
A case in point is the recent disclosure of a major ransomware breach at Conduent, a business process outsourcing (BPO) supplier with multimillion-dollar revenues. Over 11 million Americans may have had their Social Security Numbers, health insurance details and medical information exposed, according to reports. And although affected individuals were only being notified as of November 2025, the company’s environment is believed to have been compromised as far back as October 2024.
Why continuous monitoring matters
Fortunately, AI can also help the good guys overcome common challenges with supplier cyber-risk management. Too many organizations struggle with slow, manual processes and lengthy questionnaires that cause delays and create visibility blind spots. Inconsistent supplier documentation makes it difficult to compare risk scores across the ecosystem, and understand what matters most to the business.
Instead, with a data- and AI-centric approach, organizations can get automation to do the heavy lifting, both at onboarding and beyond. The latter is important because risk doesn’t stop once a supplier has been approved. It continues to evolve, potentially on an hourly or daily basis, with each new software vulnerability, data breach or misconfigured account. Suppliers might invest in new infrastructure, increasing their cyber-attack surface. They might add new suppliers of their own, changing risk exposure. And they may be targeted by novel threat actor campaigns.
All of which demands a more proactive approach to third-party risk management, which goes beyond collecting and processing supplier surveys and documentation. It should be focused on identifying risk in real time, so that the organization can take action swiftly before any damage is caused.
Getting started with AI
Achieving this kind of 360-degree, continuous insight into supplier cyber risk will require plenty of data – and intelligent algorithms to flag suspicious patterns. The more high-quality data, the better the visibility. This could include threat intelligence feeds which scour dark web forums for the early-warning signs of a breach. Or vulnerability monitoring that highlights missing security updates in supplier estates. It might also track evidence of email compromise among supplier finance departments, which may indicate incoming BEC attacks. Or even suspicious transaction patterns involving those suppliers.
AI can then be used to surface critical risks in real time so that the organization can act immediately, and to assign each supplier a continuously updated risk score, weighted according to client policy, the supplier’s security posture and its criticality to the business. A score is only as good as its inputs and weights, so both need periodic review against the incidents the organization actually experiences.
Agentic AI could also be a powerful ally, working autonomously to ingest and analyze complex supplier documentation like SOC 2 reports and in-house security policies, and mapping controls to established frameworks like NIST CSF or ISO 27001. This can provide compliance visibility in minutes rather than hours, freeing up security and risk teams for higher-value work. In mature organizations, AI agents might also work independently to resolve and remediate routine issues, or at least route them to the right team member for prompt attention, within clear limits on what an agent may change without a human approving it.
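As an added illustration of that continuously updated, criticality-weighted score (example code written for this article, not the article’s own code and not any vendor’s product), the Python below scores a constructed supplier portfolio from a stream of the signal types just described: unpatched critical vulnerabilities, dark web credential mentions, supplier mailbox compromise, anomalous invoices and newly added fourth parties. The signal names, weights, half-lives, tier thresholds, criticality scale and sample events are all assumptions chosen for the example.

```python
"""Added illustration of continuous supplier risk scoring (example code, not
the article's or any vendor's). Signals decay with age so stale findings fade,
each signal type is weighted by a hypothetical client policy, the sum is scaled
by the supplier's criticality, and the whole portfolio is re-scored whenever the
stream is re-evaluated. Every constant and sample event here is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math

# Hypothetical client policy: contribution of each signal type while fresh.
SIGNAL_WEIGHTS = {
    "critical_vuln_unpatched": 35.0,
    "darkweb_credential_mention": 40.0,
    "supplier_mailbox_compromise": 50.0,
    "anomalous_invoice": 30.0,
    "new_fourth_party": 10.0,
}

# Hypothetical half-lives in hours: a signal's contribution halves after this
# long without being re-observed, so scores move as evidence arrives or ages out.
SIGNAL_HALF_LIFE_HOURS = {
    "critical_vuln_unpatched": 168.0,
    "darkweb_credential_mention": 720.0,
    "supplier_mailbox_compromise": 336.0,
    "anomalous_invoice": 168.0,
    "new_fourth_party": 720.0,
}

CRITICAL_THRESHOLD = 60.0  # assumed tiering policy
ELEVATED_THRESHOLD = 30.0


@dataclass(frozen=True)
class Signal:
    supplier: str
    kind: str
    observed_at: datetime


@dataclass(frozen=True)
class Supplier:
    name: str
    criticality: float  # assumed scale: 0.5 commodity ... 1.5 handles crown-jewel data


def decayed_weight(signal: Signal, now: datetime) -> float:
    """Policy weight for one signal, halved once per half-life of age.
    Rejects unknown signal kinds rather than silently scoring them as zero."""
    if signal.kind not in SIGNAL_WEIGHTS:
        raise ValueError(f"unknown signal kind: {signal.kind!r}")
    age_hours = max(0.0, (now - signal.observed_at).total_seconds() / 3600.0)
    return SIGNAL_WEIGHTS[signal.kind] * 0.5 ** (age_hours / SIGNAL_HALF_LIFE_HOURS[signal.kind])


def score_supplier(supplier: Supplier, signals: list[Signal], now: datetime) -> float:
    """0-100 score: decayed signals summed, scaled by criticality, then passed
    through 1 - exp(-x) so that many signals stack but never exceed 100."""
    raw = sum(decayed_weight(s, now) for s in signals if s.supplier == supplier.name)
    return round(100.0 * (1.0 - math.exp(-raw * supplier.criticality / 100.0)), 1)


def tier(score: float) -> str:
    if score >= CRITICAL_THRESHOLD:
        return "critical"
    if score >= ELEVATED_THRESHOLD:
        return "elevated"
    return "monitor"


def rescore(suppliers: list[Supplier], signals: list[Signal], now: datetime) -> list[tuple]:
    """Re-evaluate the whole portfolio; returns (name, score, tier) worst-first."""
    rows = [(s.name, score_supplier(s, signals, now)) for s in suppliers]
    return sorted(((n, sc, tier(sc)) for n, sc in rows), key=lambda r: r[1], reverse=True)


# Constructed sample portfolio and signal stream.
NOW = datetime(2025, 11, 1, 12, 0, tzinfo=timezone.utc)
ONE_MONTH_LATER = NOW + timedelta(days=30)
SUPPLIERS = [
    Supplier("Acme BPO", criticality=1.5),       # holds client PII
    Supplier("Widget Supply", criticality=1.0),
    Supplier("Quiet Co", criticality=1.0),       # no signals at all
]
SIGNALS = [
    Signal("Acme BPO", "supplier_mailbox_compromise", NOW - timedelta(hours=2)),
    Signal("Acme BPO", "critical_vuln_unpatched", NOW - timedelta(hours=72)),
    Signal("Widget Supply", "critical_vuln_unpatched", NOW - timedelta(hours=48)),
    Signal("Widget Supply", "new_fourth_party", NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for name, score, level in rescore(SUPPLIERS, SIGNALS, NOW):
        print(f"{name:14} {score:5.1f} {level}")
    # Same stream a month on with nothing new observed: findings age out.
    for name, score, level in rescore(SUPPLIERS, SIGNALS, ONE_MONTH_LATER):
        print(f"{name:14} {score:5.1f} {level}")
```

Two design choices matter more than the particular numbers. The saturating combination means a supplier with several moderate findings can rank above one with a single severe finding, which is usually what you want when stacked weaknesses indicate poor hygiene; and the decay means a supplier drops back to “monitor” only if nothing new is observed, so a persistent unpatched vulnerability should be re-emitted by the scanner on each pass rather than recorded once. Both the weights and the half-lives are policy decisions, and a fresh mailbox compromise at a PII-holding supplier should land in the top tier under any sensible policy.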
Bringing it all together
The key is to ensure any such system for supplier cyber risk management is unified, so that risk data doesn’t end up siloed and unusable. Ideally, the same platform would enable other types of supplier risk management, across areas such as compliance, sustainability, finance and operations. That should provide the kind of information on which better business decisions can be made.
Above all, remember that cyber risk is fundamentally business risk. It can never be eliminated. But it can be managed more effectively.