Supply chains are growing faster than their security
Every new vendor relationship promises something valuable: faster time-to-market, access to specialist capability, cost efficiency, or the agility to scale without adding more hires. It’s no surprise BlueVoyant’s sixth annual State of Supply Chain Defense report revealed that 95% of Australian organisations plan to expand their third party ecosystems over the next 12 months. But every new vendor also brings risk and extends the cyber-attack surface. And right now, Australian organisations are adding relationships far faster than they are building the security foundations to manage them.
That growth ambition is not a problem in itself. The problem is what sits beneath it: only 30% of those same organisations have established or optimised third party risk management (TPRM) programs. The vendor roster is growing and the security foundation beneath it is not keeping pace.
A staggering 99% of Australian organisations surveyed reported negative impacts from a supply chain breach in the past year. For most, expansion is outrunning their ability to validate new vendors, continuously monitor existing ones or remediate issues before they escalate.
When process becomes a false sense of security
For most organisations, vendor expansion feels manageable as it happens. A new supplier comes on board, due diligence is completed, questionnaires are sent, contracts are signed and the relationship gets underway. On paper, the process looks rigorous, but there is a fundamental problem with this model: it captures a vendor’s security posture at a single moment, the point of onboarding, and then moves on. A vendor that was acceptable at signing can be compromised, change sub-processors or misconfigure a platform the following month, and the questionnaire will not record any of it. The model was never designed for a threat environment that moves in real time.
As vendor ecosystems expand, so does the attack surface. More third parties mean more entry points, more dependencies and more opportunities for adversaries to find the weakest link in the chain. What worked for a vendor ecosystem of 50 will not work when scaled to 500.
Report findings also indicate an uncomfortable reality about why Australian organisations are investing in TPRM at all. Only 12% say their primary motivation is actually reducing risk. The majority are spending to satisfy cyber insurance requirements, meet contractual obligations or respond to board pressure. The investment is real, but the intent is compliance, and programs built to satisfy auditors tend to look very different from programs built to stop attackers.
When the vendor fails, everyone pays
Australia is one of the most targeted nations in the world for cyber attacks, and the entry point is increasingly a vendor, not a front door. This year Australia has already seen two significant attacks. In January, an unauthorised third party accessed data across all 1700 Victorian Government schools, exposing student records as families prepared for the new school year. Weeks later, fintech platform youX confirmed a breach affecting almost half a million Australian borrowers, people who had simply applied for a car loan and had no idea their data was sitting in an unsecured platform shared across hundreds of brokers and lenders.
Both incidents trace back to a single third-party failure cascading across entire ecosystems. With 95% of Australian organisations planning further vendor expansion and only 30% holding mature TPRM programs, the conditions that enabled these breaches are not being resolved; they are being replicated.
When collaboration isn’t enough
Australian organisations do shine when it comes to collaboration. More than half actively work with their vendors to resolve security issues directly, a higher rate than anywhere else in the world. Rather than simply flagging a problem and walking away, Australian businesses tend to stay in the room and work it through. That collaborative instinct has real value.
But relationship-led remediation only works at scale if it is underpinned by structure. When vendor ecosystems are small and well-known, direct engagement is efficient. As ecosystems grow into the hundreds or thousands of third parties, each with their own sub-contractors, platforms and configurations, visibility is lost and organisations do not know which vendors require urgent attention, which issues have been resolved and which risks are silently compounding. Collaboration without integration into enterprise risk systems will not survive the growth curve Australian organisations are on.
Internal teams need to be aligned
According to BlueVoyant’s research, the biggest barriers to TPRM maturity are not technological, they are organisational. Getting risk, legal, procurement, IT and security functions to operate as a coherent unit remains one of the hardest things to achieve, and internal resistance to change increases the problem further.
The reason this is so difficult is that third-party risk does not belong to any one team. Procurement manages the commercial relationship, legal holds the contract, IT manages the technical integration and security monitors for threats, but genuine accountability for the risk that sits across all of those functions tends to fall through the cracks between them. In practice, this means issues get identified in one part of the business and stall somewhere else, escalation is inconsistent, and by the time a vendor-related risk surfaces as a real problem, the window to address it cleanly has already closed. Expanding a vendor ecosystem without resolving that internal fragmentation first is not a security strategy; it is a compounding liability.
What meaningful progress looks like
The organisations that will handle what’s coming aren’t the ones buying and layering more software tools. They’re the ones quietly rewiring how risk actually works inside the business.
They stop treating vendor risk as a once-a-year questionnaire exercise and start building it into day-to-day decisions, procurement, product and operations. Vendor risk becomes something the business owns, not something security chases, moving from periodic snapshots to continuous visibility.
The real shift, though, is at the top. If third-party risk is framed as ‘compliance’, it gets compliance-level attention, minimal funding, fragmented ownership and a lot of box ticking. But when executives recognise that their organisation is only as resilient as the vendors it depends on, the conversation changes. It becomes about control, resilience and business continuity, not just audit outcomes.
Australia’s vendor ecosystems are going to keep growing; the business case for that expansion is real and legitimate. The question is not whether your ecosystem will grow but whether your security approach will grow with it, or whether organisations will find themselves, a year from now, with larger ecosystems, more complex dependencies and the same 99% breach impact rate. There is a small window in which this is still fixable without major disruption. For most organisations, that window is right now.