Business Reporter

The risks of relying on third-party technology


Ed Williams at Trustwave explores the hidden fragility of the technological backbone your organisation relies on

 

For years, technology was viewed as a service layer or a utility to be consumed, often outsourced and rarely questioned. Today, it’s the lifeblood of the modern economy. However, with this criticality comes exposure. Cloud-based logistics systems and software-as-a-service (SaaS) platforms now underpin much of how modern businesses operate.

 

So do customer-facing apps used across retail, banking, healthcare and public services. Taken together, it’s clear that the technology sector has become the invisible digital backbone of most, if not all, organisations today.

 

Yet many organisations have not fully reckoned with the extent to which their operations, reputations and customer trust are now tied to third-party digital services over which many have limited visibility or control.

 

This deep, often invisible integration has driven efficiency, scale and growth, while also introducing new forms of risk, because as this backbone becomes more interconnected, it also becomes more brittle. Where one vertebra is compromised, its impact ripples outward and the resulting disruption can paralyse entire industries rather than a single company alone.

 

Thus has arrived an era of Digital Dominoes: a world wherein a single breach of a technology vendor can trigger a cascade of operational failures across thousands of organisations and millions of end-users on a single supply chain.

 

As digital interdependence deepens, so too does the scale of the threat. To ensure maximum disruption, cyber-criminals are aiming for the weak links in the infrastructure that connects different businesses rather than targeting individual organisations. Whether through vulnerable code, compromised vendors, or AI-powered deception, the attack surface has expanded far beyond the traditional perimeter.

 

Understanding where exposure lies, how it’s being exploited and what real resilience looks like is now essential for any organisation that relies on technology, which is to say, every organisation.

 

 

Technology as the enabler and risk vector

Technology providers are now entrusted with enormous volumes of sensitive data. They also maintain privileged access to corporate networks, and they power the systems that enable everything from logistics chains to national infrastructure. It is not hard to see why they have become the most attractive and strategic targets for cyber-criminals.

 

What makes this threat especially dangerous is the complexity of the modern supply chain. Technology firms themselves rely on dozens, if not hundreds, of third-party components, libraries, platforms and services. This interdependence creates a web of unseen risk, in which a single vulnerability buried deep in a vendor’s system has a high possibility of compromising various downstream organisations.

 

That risk became all too real earlier this year when Marks & Spencer suffered a major breach, not through its own infrastructure, but via a trusted third-party vendor. Threat actors, believed to be part of the notorious Scattered Spider group, used social engineering to impersonate M&S staff and trick supplier personnel into resetting login credentials. This initial access enabled the attackers to exfiltrate domain credentials and deploy ransomware across critical systems.

 

The result was a sustained outage of online services, a £700 million drop in market value and a stark lesson in how even well-established organisations can be blindsided by the fragility of their digital supply chain. Crucially, the breach originated not in code or configuration, but in the successful manipulation and exploitation of human trust.

 

 

The cracks beneath the digital surface

The latest research by Trustwave reveals just how exposed today’s technology infrastructure really is. Millions of systems used by technology providers are still vulnerable to known security flaws, many of which are easily discoverable online.

 

Outdated software, misconfigured databases and neglected web servers are alarmingly common, particularly in sectors such as telecoms. Such oversights leave the door wide open for cyber-criminals and make it easier than ever for a single breach to escalate into a much bigger crisis.

 

In parallel, the dark web has become a booming black market for access to the very systems that keep businesses running. Hackers are trading everything from usernames and passwords to full access into the systems where developers store and build software. In one instance, access to a company’s software development tools was offered for a mere $1,400, which was more than enough to launch an attack that could compromise an entire business as well as all of its customers.

 

This convergence of poor cyber-hygiene, opaque vendor risk and systemic interdependence has created a perfect storm. But what’s accelerating the threat even further is the growing sophistication and accessibility of generative AI. Cyber-criminals are exploiting technical weaknesses as they industrialise attacks using AI to mimic humans, automate reconnaissance and scale social engineering with alarming precision.

 

As cyber-security professionals scramble to shore up legacy infrastructure and control sprawling vendor ecosystems, a new arms race is already underway.

 

 

The growing role of AI in the threat landscape

Artificial intelligence is adding a new, troubling dimension to the cyber-threat landscape. Attackers are now using AI to craft highly convincing phishing campaigns, generate polymorphic malware that can evade detection and automate social engineering attacks at scale. Some are embedding malicious prompts into documents or emails, designed to manipulate large language models into leaking sensitive information.

 

There’s also rising concern about a tactic called “slopsquatting”, where attackers exploit the fact that AI tools sometimes make up the names of software packages that sound real. If developers trust the AI’s suggestion and try to install one of these fake packages, there is a possibility that they will download malicious software even from trusted sources. In some cases, the AI tools themselves are being used as bait, with attackers impersonating services like Microsoft Copilot or ChatGPT to lure unsuspecting employees into phishing traps.
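One way a development team can guard against installing an invented package name is to vet every requested dependency against a list it has already approved before anything is installed. The sketch below is an added example, not part of the original article; the allowlist, the sample requirements file and the package name `examplecorp-json-helper` are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: packages a hypothetical organisation has already vetted.
APPROVED = {"requests", "numpy", "cryptography", "python-dateutil"}

# Constructed requirements file, e.g. pasted from an AI assistant's suggestion.
SAMPLE = """\
requests==2.32.3
Python_DateUtil>=2.9
reqeusts                  # near-miss of a vetted name
examplecorp-json-helper   # plausible-sounding name nobody has vetted
--index-url https://example.invalid/simple
"""

def normalise(name):
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Yield normalised package names, skipping comments and pip options."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            yield normalise(match.group(0))

def vet(text, approved=APPROVED, threshold=0.8):
    """Sort requested packages into approved, lookalike and unknown."""
    vetted = {normalise(a) for a in approved}
    report = {"approved": [], "lookalike": [], "unknown": []}
    for name in parse_requirements(text):
        if name in vetted:
            report["approved"].append(name)
            continue
        # Closest vetted name; a high score suggests a typo or an imitation.
        best = max(vetted, key=lambda a: SequenceMatcher(None, name, a).ratio())
        if SequenceMatcher(None, name, best).ratio() >= threshold:
            report["lookalike"].append((name, best))
        else:
            report["unknown"].append(name)
    return report

if __name__ == "__main__":
    for bucket, names in vet(SAMPLE).items():
        print(f"{bucket}: {names}")
```

Anything landing in the lookalike or unknown bucket would be held for human review rather than installed automatically.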

 

These threats are becoming faster, more scalable and harder to detect. Attackers don’t need advanced technical skills anymore, as widely available AI tools do much of the heavy lifting for them.

 

Phishing messages are now polished and credible, crafted by machines that mimic tone, grammar and context with precision. Synthetic voices and deepfake videos make it easier to impersonate executives or colleagues convincingly enough to cause major financial and reputational damage to multiple businesses.

 

As AI capabilities grow more powerful and accessible, the window for defending against these tactics is rapidly shrinking, and many organisations remain dangerously unprepared.

 

From trust to verification

Today’s threat landscape clearly shows that the traditional posture of trust by default when it comes to digital infrastructure is no longer viable. Businesses need to adopt a strategy of verification by design. That means knowing what systems are in use, understanding who manages them and ensuring they are continuously assessed and secured.

 

Business leaders need to start seeing cyber-security as a central business issue, rather than something for the IT team to handle. That means knowing exactly which digital systems and tools the company relies on, keeping tight controls over who has access, especially remote workers and external partners, and ensuring that every vendor is held to clear security standards. Checking a supplier’s cyber-security once at the beginning of the contract is not enough; this needs to be a regular, ongoing part of the partnership.

 

Equally important is the ability to respond to failure. That means having encrypted, offline backups of critical systems. It means running real-world cyber-recovery drills rather than tabletop simulations. Additionally, it involves preparing business continuity plans that account for what happens if a critical third-party system suddenly becomes unavailable.

 

Above all, business leaders must foster a culture of security. Every employee, from front-line staff to C-suite executives, needs to be trained to spot phishing threats, understand the risks of weak credentials and treat suspicious activity with the same seriousness as any physical breach.

 

 

Technology as the nervous system

Just as a single nerve injury can cause paralysis in the human body, a single breach of a core technology provider can send shockwaves through entire industries.

 

No organisation is immune. A retailer may not write code, but its point-of-sale systems, customer apps and payment gateways all rely on technology vendors. A logistics company may not run its own cloud, but it depends on third-party platforms to track, ship and deliver goods. Banks, healthcare providers, manufacturers and governments are all entangled in the same web of digital dependencies.

 

Ultimately, resilience can no longer be an afterthought or delegated down the chain. It must become a board-level priority, embedded into strategy, budgets and organisational culture.

 

The organisations that will withstand the next wave of cyber-disruption won’t be the ones with the most advanced tools but those that have done the hard and necessary work of preparing, understanding their digital exposure, demanding accountability from vendors and treating cyber-security as fundamental to business continuity. In a world of digital dominoes, survival depends on knowing which ones you’re standing behind. 

 


 

Ed Williams is Vice President of EMEA’s Consulting and Professional Services at Trustwave

 

Main image courtesy of iStockPhoto.com and JuSun


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543