NIS2

Why you should check your suppliers – Even when it feels uncomfortable

Many companies ask us the same question: “Why should I check my suppliers? We have a good relationship, and I depend on them.”
That’s a fair question. No one wants to come across as distrusting their partners. But if you look at the facts, one reason stands out above all: suppliers are the leading cause of successful hacks.

Hard Evidence: 40% of Hacks Start with Your Suppliers

Research institute IVBB analyzed data from 15,000 documented hacks over the past five years. Each incident was assessed for its actual root cause. Based on thorough data analysis by experienced IVBB researchers, the breakdown is as follows:

Cause of hack                              Percentage
1. Suppliers and supply chains             40.1%
2. Own technology with vulnerabilities     35.8%
3. Own employees (human error)             24.1%

This means that four out of ten successful hacks originate via suppliers or related supply chain partners. These are organizations you work with directly or indirectly – think of IT service providers, software vendors, logistics companies, or even your marketing agency. They often have access to your systems or data, or they influence your operations in other ways.

Supplier checks: From awkward to professional

Yes, it may feel uncomfortable to ask your suppliers critical questions. But think of it not as a sign of distrust, but as a mark of professionalism. You keep a fire extinguisher on site even though you hope never to need it; working with suppliers on security is the same kind of precaution.

In fact, many suppliers actually appreciate it when their clients set serious requirements. It gives them the opportunity to demonstrate that they’ve got things in order, and it protects them, too — from damage, liability, and reputational loss.

What can you do?

Checking your suppliers doesn’t have to be difficult. With just a few clear steps, you’ll be well on your way:

  • Make agreements: Clearly define cybersecurity expectations in contracts.
  • Use a standard or certificate: Ask for evidence, such as a NIS2 Quality Mark certification or another demonstrable security measure, and verify it yourself rather than relying on the supplier's word alone.
  • Be transparent: Explain why you’re taking these steps. Point to the numbers above if needed — 40% isn’t a detail; it’s a wake-up call.

NIS2: Obligation and opportunity

As of 2025, many companies will need to comply with the new European NIS2 legislation. A key part of this is that your company is responsible for managing the cybersecurity risks of its supply chain, including the security aspects of its relationships with its direct suppliers and service providers.

The NIS2 Quality Mark makes this simple and concrete: suppliers can demonstrate compliance with the requirements, you can verify it, and both parties gain clarity and assurance. This way, the entire chain contributes to digital safety, without excessive time or cost.

In short: checking your suppliers is not a sign of mistrust — it’s a crucial step in protecting both yourself and your supply chain. With clear agreements and recognized standards, you can avoid becoming the next victim of an attack that could have been prevented.
