h2g2 Episode 17: Getting the third party started

A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders

In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.

There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations.  Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.

This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.

Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation.  To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.


Episode 17: Getting the third party started

“Ford!” he said, “there’s an infinite number of monkeys outside who want to talk to us about this script for Hamlet they’ve worked out.”

Douglas Adams, A Hitchhiker’s Guide to the Galaxy

[ Reading time: 8 minutes ]

In today’s interconnected digital landscape, your organisation is only as secure as its weakest vendor. While supply chain risk has long been a concern for manufacturing and logistics, it’s now a critical issue for digital services too—where code dependencies, third-party platforms, and cloud infrastructure can become entry points for threats or points of failure.

As more organisations shift operations to the cloud and rely on external software and APIs, the digital supply chain has expanded dramatically—and so has its exposure to risk.

Understanding the Supply Chain

Digital supply chain risk refers to the vulnerabilities introduced by third-party software, services, infrastructure, and vendors that your organisation relies on to build and deliver education and research. This includes:

  • Cloud service providers—e.g. AWS, Azure, Google Cloud
  • Software-as-a-Service (SaaS) platforms—e.g. Microsoft 365, HR, Finance and Student Records
  • Open-source libraries and software dependencies
  • Third-party APIs and integrations
  • Outsourced development or support teams

A failure, breach, or compromise in any of these components can ripple across your organisation, impacting availability, data integrity, security, and compliance.

Why it’s becoming a bigger threat

Digital supply chain attacks have surged in both frequency and sophistication. High-profile examples include:

  • SolarWinds (2020): Hackers compromised software updates, infiltrating government and corporate networks globally.
  • Log4Shell (2021): A vulnerability in a widely used open-source library affected thousands of systems overnight.
  • MOVEit (2023): A managed file transfer platform was exploited, resulting in significant data breaches across multiple sectors.
  • PaperCut (2023): Commonly used in the education sector for managing print jobs and network printers, an exploited vulnerability could enable attackers to alter security settings or execute arbitrary code, giving them an easy foothold into broader systems if overlooked.
  • Various remote access products (2022-2025): All the major firewall and remote access vendors used in the education sector (Cisco, Fortinet, Palo Alto, Check Point, Ivanti and Citrix) have had vulnerabilities exposed which, if exploited, could allow attackers to run code, escalate privileges, or stop systems working.

    [Figure: Remote access vulnerabilities 2025. Courtesy of Hackmageddon]

These incidents highlight a sobering reality: even if your internal systems are secure, your digital partners or dependencies might not be.

Key risk factors

  1. Lack of visibility: Organisations often don’t have full transparency into what software components or vendors are in use—especially when using nested dependencies.
  2. Third-party security posture: Many vendors don’t meet the same security standards your organisation may enforce internally.
  3. Overreliance on single providers: Concentrated dependence on one cloud or software vendor increases the “blast radius” of a single failure or breach.
  4. Inadequate update and patch management: Delays in applying patches to third-party components can expose systems for long periods.
  5. Non-compliance with regulations: Vendors may not adhere to required data protection, privacy, or industry-specific compliance standards, creating legal exposure.

Mitigating digital supply chain risk

Like all aspects of cyber security response, mitigating supply-chain risks requires a multi-layered approach that combines technology, process, and governance:

  1. Vendor Risk Management
  • Conduct due diligence and security assessments before onboarding a new software product or service.
  • Require vendors to comply with recognised standards (e.g. SOC2, ISO 27001, Cyber Essentials+, CAF).
  • Regularly reassess risk, especially when vendors update their offerings or change policies.
  2. Software Bill of Materials (SBOM)
  • Record and track every software component in use across your organisation, including dependencies and sub-dependencies.
  • Use tools to generate and monitor SBOMs continuously for vulnerability alerts.
  3. Zero Trust Architecture
  • Don’t automatically trust any internal or external system.
  • Authenticate, authorise, and monitor all interactions—especially across service boundaries.
  4. Third-Party Incident Response Planning
  • Integrate vendor-related scenarios into your business continuity and incident response plans.
  • Ensure clear communication lines with key vendors in the event of a breach or outage.
  5. Contractual Protections
  • Embed security requirements, audit rights, and breach notification clauses into vendor contracts.
  • Include SLAs that reflect the criticality of the service to your operations.
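To make the SBOM point concrete, here is an added example (not code from the original post or from Jisc) of what "monitor SBOMs for vulnerability alerts" looks like in practice: it reads a CycloneDX-style SBOM, checks each component against an advisory list, and traces any nested finding back to the component that pulls it in, which is the visibility gap described under key risk factor 1. The SBOM, the component names and versions, and the advisory identifiers are all constructed placeholders.

```python
import json
import re

# Constructed CycloneDX-style SBOM: names, versions and bom-refs are placeholders.
SBOM_JSON = """{
  "components": [
    {"bom-ref": "app",  "name": "student-portal",        "version": "3.2.0"},
    {"bom-ref": "web",  "name": "example-web-framework", "version": "4.1.0"},
    {"bom-ref": "log",  "name": "example-logging-lib",   "version": "2.14.1"},
    {"bom-ref": "xfer", "name": "example-file-transfer", "version": ""}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "xfer"]},
    {"ref": "web", "dependsOn": ["log"]}
  ]
}"""

# Constructed advisory list (component -> first fixed version, placeholder id); a real tool pulls this from a vulnerability database.
ADVISORIES = {
    "example-logging-lib":   ("2.17.1", "ADVISORY-PLACEHOLDER-1"),
    "example-file-transfer": ("15.0.3", "ADVISORY-PLACEHOLDER-2"),
}

def parse_version(v):
    """Dotted version -> tuple of ints using each part's leading digits ('2rc1' -> 2, '' -> 0)."""
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in v.split("."))

def is_affected(installed, fixed_in):
    """True when installed < first fixed version (tuples padded to equal length)."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def check_sbom(sbom_text, advisories):  # one finding per affected or version-less component
    sbom = json.loads(sbom_text)
    parents = {}  # reverse dependency map: traces a nested finding back to what pulls it in
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp.get("version", "")
        if name not in advisories:
            continue
        fixed_in, advisory = advisories[name]
        if version and not is_affected(version, fixed_in):
            continue  # recorded version is already at or above the fix
        status = "affected" if version else "unknown-version"  # blank version = visibility gap
        findings.append({"component": name, "status": status, "installed": version, "fixed_in": fixed_in,
                         "advisory": advisory, "pulled_in_by": parents.get(comp.get("bom-ref"), [])})
    return findings
```

A component with no recorded version is reported rather than silently skipped, because an SBOM that cannot be assessed is itself a finding for the supplier conversation.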

Learning from others

The US higher education sector established the HECVAT framework for third party risk assessment back in 2016.  It is now on version 4, and is nothing fancier than a spreadsheet—albeit with 331 questions across 7 categories.  These cover a vendor’s security, privacy, and resilience, including business continuity and incident response capability, and compliance with national and international regulations.  Vendors complete the assessment which can then be made available to potential customers.  Each answer contributes to a score, which provides assurance and allows the customer to compare vendors.

It’s a self-assessment, and as such is not fool-proof, but it’s a good starting point for building expectations around vendor security and transparency.  It seems clear to me that the UK education sector could benefit from having a similar framework to simplify and standardise the process for suppliers and customers alike.

The path forward

There is no doubt that there is increasing focus on supply chain risk from the UK Government and NCSC.

A number of risk and security frameworks address this.  ISO27001 requires you to have a supplier register and policy; the CIS Critical Security Controls include 7 safeguards for control 15 (Service Provider Management); and the NCSC’s Cyber Assessment Framework (CAF) covers this in principle A4 (with new provisions in the recently published version 4.0).

If your organisation is not already tackling supply chain risk, it won’t be very long before this becomes an expectation or requirement.  And increasingly, suppliers should expect to receive requests for security guarantees.  It shouldn’t take a regulatory “stick” to persuade either party to understand this; the carrot is that it raises the security expectations on all sides.

Digital supply chain risk isn’t going away—it’s evolving. As your organisation continues to deliver digital services using SaaS, APIs, microservices, and hybrid cloud environments, the attack surface will only grow. Proactive organisations are recognising this and investing in risk-aware architectures, better vendor governance, and more transparency in their software supply chains.

Ignoring this risk doesn’t mitigate it. Addressing it isn’t just a security measure—it’s a business imperative.

A final [deep] thought

For now, you can take useful steps forward by checking out your organisation’s procurement and supplier management policies and procedures.  Do you have a register of suppliers of digital services?  Do your software development teams maintain a “software bill of materials”?  Have you reviewed your supplier contracts for security provisions?  Do your suppliers comply with security standards such as SOC2, ISO27001, CAF or Cyber Essentials Plus?  Do your contracts include breach notification clauses with established procedures for communications?  Have you included third party supply chain risk in your incident response scenario planning?


James Bisset is a Cyber Security Specialist at Jisc.  He has over 25 years’ experience working in IT leadership and management in the UK education sector. He is a Certified Information Systems Security Professional, Certified Cloud Security Professional, Certified in Information Systems Risk and Control and is a member of the GIAC Advisory Board.
