Cyberattacks increasingly target the supply chain. Suppliers, cloud services and software components become entry points. Experts see responsibility shifting from IT operations to corporate leadership, with continuous risk assessment, zero trust and resilience as key measures.
Securing their own network is no longer sufficient for many companies. Attackers increasingly target the periphery: suppliers, service providers and software components along the digital supply chain. These so-called supply chain attacks exploit the fact that security levels within an ecosystem are unevenly distributed.
Increased interconnectivity has accelerated this development. Companies integrate cloud services, use external development processes and work with hundreds of providers. Each connection increases digital dependencies and creates potential entry points. For attackers, it is often easier to reach a larger customer via a less protected supplier.
“Dynamic threat landscapes require continuous risk assessments, including of supply chains,” says Holger Könnecke, Managing Director of Berlin-based security company MACONIA. “Good governance also means higher security.” This shifts responsibility. Supply chain security is understood less as a purely technical issue and more as a task for corporate management.
This classification is reflected in current standards and regulations. ISO 28000 describes supply chain security as part of a management system with phases of planning, implementation, evaluation and continual improvement. VdS 10100 and DIN SPEC 14027 require a clear assignment of roles and responsibilities. Security is thus to be integrated into strategic management.
Regulatory Pressure Is Increasing
Regulatory requirements are growing. The European Union’s NIS-2 Directive explicitly requires continuous risk assessment across the entire supply chain and the implementation of appropriate security measures. The German KRITIS umbrella law emphasizes the need for ongoing resilience assessments for critical dependencies. According to MACONIA, many companies have so far implemented these requirements only partially.
A structural problem lies in methodology: Many organizations still assess risks with periodic audits and static checklists, often in annual cycles. In an environment where threats evolve in real time, this approach loses effectiveness. The gap between dynamic threats and static governance processes is widening.
AI-Supported Analysis and Zero Trust
Against this background, analysis platforms that combine data from various sources are gaining importance. These include vulnerability reports, threat intelligence data, certification information, publicly available security indicators and telemetry data from networks. The analysis creates a continuously updated risk picture. Companies can thus identify when a supplier becomes a potential risk before an incident occurs.
At the same time, the security principle is changing. Zero trust architectures assume that trust is not granted by default. Every access is continuously verified, not only based on identity but also on contextual information such as location, device integrity and behavior. Access is granted only when all defined criteria are met.
Resilience Instead of Prevention Alone
Despite prevention, completely avoiding attacks is considered unrealistic. The focus is therefore shifting to resilience: the ability to limit impact and restore operations quickly. This includes supply chain incident response plans that define internal measures and external coordination processes with suppliers. Joint crisis exercises and simulation-based drills that combine technical and organizational aspects are intended to stabilize processes.
Companies that strategically embed supply chain security improve not only their resilience but also their compliance. Transparent and secure supply chains are also becoming a factor in the trust of customers, partners and supervisory authorities.

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
