
13 May 2026
In December 2023, Coaxis, a French IT service provider, was hit by a ransomware attack. What followed affected 350,000 companies. Accounting firms, medical laboratories, law firms – all cut off from their systems, their data, their daily work. How quickly they were able to recover depended in part on choices they had already made in advance.
The attack on Coaxis is central to the documentary Don’t Go to the Police, in which you follow the story from the inside.
Most organizations know exactly where their own security stands. But how well do you understand the security of the organizations you depend on? Security may feel internal, but in reality it is shaped by far more than what you directly control. What begins with one vulnerable supplier rarely remains limited to that supplier.
In practice, supply chain security remains an administrative task for many organizations: contractual provisions, certification requirements, policy clauses. The right to audit is often included – but without guidance, tooling, or a collaborative approach, these guarantees rarely translate into real resilience. Research by ENISA shows that supply chain security is the weakest element of NIS2 preparedness, with a readiness score of just 37 percent. Meanwhile, new regulations like NIS2 require organizations not only to strengthen their own digital resilience, but also to critically assess that of their suppliers.
Those who hide behind paperwork create a false sense of security. The idea that supply chain risks can be covered by legal texts alone is persistent – but misleading. Better preparation does not start with more contracts. It starts with asking the right questions.
Supply chain security begins with honestly answering questions that most organizations have yet to fully address. Here are the four that matter most:
1. Which suppliers impact your critical systems or processes?
Not all suppliers pose equal risk. Start with those who have access to critical systems, those who manage sensitive data, and those essential to your operational continuity. Identify which external parties affect your crown jewels – your critical data, systems, or processes – and determine the impact if they fail or are compromised.
2. If one of your key suppliers suddenly stops operating tomorrow, how long before your organization feels it?
Operational dependencies often only become visible when they disappear. The organizations that recover fastest are those that have mapped these dependencies in advance. What is our fallback option? Who makes which decisions? How long can we continue without this supplier? These questions sound simple – but most organizations don’t have the answers ready.
3. Do you have clear agreements on how a supplier reports an incident to you – and how quickly?
Notification obligations are included in many contracts. But who calls whom, when, and with what information? If this isn’t clearly defined and agreed upon, teams will improvise during a crisis – and improvisation under pressure rarely leads to good decisions. Practical agreements on reporting and escalation are the foundation of a controlled response.
4. Do you know what to do and how to respond if one of your key suppliers suffers a cyber breach and is unable to operate normally?
This is the question asked least often – yet it matters most when things go wrong.
Operationally: Do you have a fallback plan if a supplier fails or becomes unavailable? Not every organization needs a full alternative, but knowing how long you can continue operating and what the first steps are is the minimum.
Communication: Who informs whom – internally, customers, and regulators? Crisis communication that hasn’t been thought through in advance leads to delays, conflicting messages, and unnecessary reputational damage. Customers who understand what’s happening can take additional measures. Customers who hear nothing fill the vacuum with rumors.
Decision-making: Who has the authority to act, based on which criteria, and within what timeframe? In a crisis, there is no time left to answer this. The organizations that remain most in control are not those that improvise best, but those that have already made key decisions before the pressure builds.
Strong security starts with thinking ahead. And thinking ahead about supply chain risks doesn’t begin with a large program – it begins with knowing where you stand: your dependencies, the risks you accept, and the questions you have yet to answer.
A security assessment is a strong first step to map out supply chain risks – not as a one-off audit, but as a starting point for better decision-making. Which type of assessment fits your situation and level of maturity?
What type of security assessment should you use – and when?