
13 May 2026
In December 2023, Coaxis, a French IT service provider, was hit by a ransomware attack. What followed affected 350,000 businesses. Accounting firms, medical laboratories, law firms: all cut off from their systems, their data, their daily work. How quickly they could recover depended in part on choices they had already made beforehand.
The attack on Coaxis is central to the documentary Don't Go to the Police, which follows the story from the inside.
Most organizations know exactly where their own security stands. But how well do you know the security of the organizations you depend on? Security feels like an internal matter, but in practice it is shaped by far more than what you manage yourself. What starts with one vulnerable vendor rarely stays limited to that vendor.
In practice, supply chain security remains an administrative task for many organizations: contractual provisions, certification requirements, policy clauses. These often include a right to audit, but without guidance, tooling, or a joint approach, such paper guarantees rarely yield real resilience. Research by ENISA shows that supply chain security is the weakest component of NIS2 preparation, with a readiness score of only 37 percent. Yet NIS2 requires organizations not only to get their own digital resilience in order but also to critically assess that of their suppliers.
Hiding behind written agreements creates a false sense of security. The idea that you can cover supply chain risks with legal texts is persistent but misleading. Being better prepared does not start with more contracts. It starts with asking the right questions.
Supply chain security begins with giving honest answers to questions that most organizations have not yet clearly defined. Below are the four questions that matter most.
1. Which suppliers have an impact on your critical systems or processes?
Not all suppliers pose an equal risk. Start with the parties that have access to critical systems, the parties that manage sensitive data, and the parties that are essential for your operational continuity. Map out which external parties touch your crown jewels (the data, systems, or processes that are crucial to your organization) and determine the impact if they fail or are compromised.
2. If one of your most important suppliers fails tomorrow, how long does it take before your organization feels the impact?
Operational dependencies often only become visible when they disappear. The organizations that recover fastest have mapped out those dependencies in advance. What is our fallback option? Who makes which decision? How long can we function without this supplier? These questions sound simple. But most organizations do not have the answers ready.
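Questions 1 and 2 are both answered by the same artifact: a dependency map from business processes down to the suppliers (and their suppliers) they rest on. The script below is an added illustration, not code from the original post; all supplier, system and process names and the maximum-tolerable-outage figures are constructed for the example. It walks the map backwards from a supplier to find every process it can take down, including through a fourth party, and turns that into a "time before we feel it" figure: the shortest maximum tolerable outage among the affected processes.

```python
"""Supplier dependency map: which suppliers can take down critical processes, and how soon.

Added example with constructed, hypothetical inventory data.
"""
from collections import deque

# Edges: node -> the nodes it depends on. Processes depend on systems, systems on
# suppliers, and a supplier may itself depend on another supplier (a fourth party).
DEPENDS_ON = {
    "process:invoicing": ["system:erp"],
    "process:payroll": ["system:erp"],
    "process:lab-results": ["system:lims"],
    "process:customer-support": ["system:email"],
    "system:erp": ["supplier:managed-hosting"],
    "system:lims": ["supplier:lab-saas"],
    "system:email": ["supplier:cloud-mail"],
    # The lab SaaS vendor runs on the same hosting provider we use directly.
    "supplier:lab-saas": ["supplier:managed-hosting"],
    # Inventory entry with no link to any critical system.
    "supplier:office-catering": [],
}

# Maximum tolerable outage per process, in hours (constructed figures).
MAX_TOLERABLE_OUTAGE_H = {
    "process:invoicing": 72,
    "process:payroll": 168,
    "process:lab-results": 4,
    "process:customer-support": 24,
}


def reverse_edges(graph):
    """Build node -> nodes that depend on it."""
    rev = {}
    for node, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, []).append(node)
    return rev


def all_nodes(graph):
    nodes = set(graph)
    for deps in graph.values():
        nodes.update(deps)
    return nodes


def affected_by(graph, node):
    """Every node that transitively depends on `node` (BFS over reversed edges)."""
    rev = reverse_edges(graph)
    seen, queue = set(), deque([node])
    while queue:
        cur = queue.popleft()
        for dependent in rev.get(cur, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def supplier_impact(graph, mto, supplier):
    """Processes a supplier outage reaches, other suppliers dragged down with it,
    and the hours before the first process exceeds its tolerable outage."""
    hit = affected_by(graph, supplier)
    processes = sorted(n for n in hit if n.startswith("process:"))
    also_down = sorted(n for n in hit if n.startswith("supplier:"))
    hours = min((mto[p] for p in processes), default=None)
    return {
        "supplier": supplier,
        "processes": processes,
        "suppliers_also_affected": also_down,
        "time_to_impact_h": hours,
    }


def rank_suppliers(graph, mto):
    """Suppliers ordered by soonest impact, then by number of processes hit;
    suppliers that reach no critical process come last."""
    suppliers = sorted(n for n in all_nodes(graph) if n.startswith("supplier:"))
    impacts = [supplier_impact(graph, mto, s) for s in suppliers]
    impacts.sort(key=lambda r: (r["time_to_impact_h"] is None,
                                r["time_to_impact_h"] or 0,
                                -len(r["processes"])))
    return impacts


if __name__ == "__main__":
    for row in rank_suppliers(DEPENDS_ON, MAX_TOLERABLE_OUTAGE_H):
        print(f"{row['supplier']:<28} impact in {str(row['time_to_impact_h']):>4} h  "
              f"processes={row['processes']}  also_down={row['suppliers_also_affected']}")
```

The point the traversal makes is that the hosting provider, which appears in the map only behind the ERP, also sits underneath the lab SaaS vendor, so it is the supplier with the shortest time to impact and the widest blast radius, even though no one in the lab ever signed a contract with it. The "time to impact" is the minimum tolerable outage across the processes reached; that is the number to compare against the supplier's actual recovery commitments.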
3. Do you have clear agreements about how a supplier reports an incident to you and how quickly?
A reporting obligation is included in many contracts. But who calls whom, when, and with what information? If this is not specifically coordinated and documented, you are left improvising during a crisis, and improvisation under pressure rarely leads to good decisions. Workable agreements on reporting and escalation are the basis for a controlled response.
4. Do you know what to do if something goes wrong with a supplier?
This is the question that is asked least often, but matters most when things go wrong.
Operational: Do you have a contingency plan in place if a supplier fails or is unreachable? Not every organization needs to have a full alternative ready, but knowing how long you can keep operating and what the first steps are is the minimum.
Communication: who informs whom, internally, toward customers, and toward regulators? Crisis communication that has not been thought through in advance leads to delays, conflicting messages, and unnecessary reputational damage. Customers who understand what is happening can take additional measures themselves. Customers who hear nothing fill the vacuum with rumors.
Decision-making: who has the authority to take action, based on which criteria, and within which timeframe? In a crisis, there is no longer time to answer that question. The organizations that remain most in control are not those that improvise best, but those that have already made their decisions before the pressure mounts.
Good security starts with thinking ahead. And thinking ahead about supply chain risks does not start with a large program. It starts with knowing where you stand, what dependencies you have, what risks you accept, and what questions you have not yet answered.
A security assessment is a good first step to mapping supply chain risks, not as a one-off audit, but as a starting point for better decisions regarding chain security. Which type of assessment suits your situation and level of maturity?