When Trust is Hacked

Author: Alan Day, Chairman and Founder
 
In recent months, several high-profile data breaches have sent ripples through the business world, damaging reputations and shaking customer trust. From M&S’s internal systems being compromised to Qantas investigating a major customer data exposure, the question being asked in boardrooms and newsrooms alike is: how did this happen?
 
The instinctive response often points fingers at system failures or internal cyber lapses. But a growing number of incidents, including the M&S breach, reportedly involving access obtained through a third-party IT services provider, and the Qantas data exposure, which involved a third-party customer-service platform, have shone a harsh light on a different vulnerability: supplier relationships.
 
A Chain Is Only as Strong as Its Weakest Link
Organisations today are part of complex ecosystems, relying on dozens—sometimes hundreds—of suppliers for IT systems, software services, data storage, analytics, and more. These suppliers often hold sensitive data, have deep access into core platforms, or provide crucial customer-facing systems.
That means your security is no longer just about your firewall—it’s about theirs, too.
In the case of M&S, public reporting indicates that the attackers gained their initial foothold by social-engineering the help desk of a third-party IT services provider, and that customer and staff data was subsequently exposed. Qantas, meanwhile, continues to investigate an incident in which attackers accessed a third-party customer-service platform used by one of its contact centres and obtained a large volume of customer personal details. In both cases, the first door opened was a supplier's, not the brand's own perimeter.
These aren't isolated events. They are part of a growing trend of supply chain attacks, in which attackers compromise a smaller, less well-defended supplier and use its access, credentials or data as a route into the larger brand it serves. Strictly speaking these are third-party or supplier compromises rather than software supply chain attacks in the narrower sense of tampering with code or build pipelines, but the defence starts in the same place: knowing who has access to what.
 
So, Was This a Systems Failure or a Supplier Management Failure?
The answer: both. The technical failure may have occurred within a supplier’s systems—but the strategic failure was in how that supplier was managed.
Too often, supplier risk assessments are done once, during onboarding, and never revisited. Supplier obligations around data security may be vaguely worded or toothless, with no defined breach-notification timelines, audit rights or minimum control requirements. Critical suppliers may not even be recognised as such, with no joint planning or clear escalation paths in place. And when things go wrong, the relationship is too transactional to inspire urgent collaboration.
This challenge is further compounded by the lack of oversight across the extended supply chain. Many organisations have little to no visibility beyond their immediate suppliers, let alone their suppliers' suppliers, or further downstream. This opacity creates hidden vulnerabilities that undermine even the best-managed first-tier relationships.
 
Supplier Management: Your First Line of Defence—and Your Best Backup Plan
Good Supplier Relationship Management (SRM) isn’t just about performance reviews and price negotiations. When done well, it is your frontline defence and your crisis recovery plan. Here’s how:
 
1. Prevention Through Rigour
With mature SRM, suppliers are segmented by criticality and risk—not just spend. That means the suppliers who handle sensitive data, provide customer-facing technology, or touch regulated systems are subject to enhanced governance.
Regular reviews, joint risk registers, and performance metrics go beyond SLA tick-boxing. They probe where failure is most likely to occur, whether that is unpatched or end-of-life software, weak access controls and help-desk verification, over-privileged supplier accounts in your own systems, or inadequate staff training.
Better yet, organisations with robust SRM embed security obligations into contracts and into culture—making data protection a shared, visible priority.
Yet even the most rigorous SRM practices can fall short if they stop at Tier 1 suppliers. Organisations increasingly face risks buried deeper in the supply chain, where subcontractors, cloud service providers, or offshore delivery partners may operate with little visibility or scrutiny. Prevention, therefore, also requires mapping and monitoring critical fourth- and fifth-party relationships, and extending expectations of governance and security beyond the immediate supplier contract. A practical starting point is to ask each critical supplier for its list of subcontractors and subprocessors, and to contract for the right to be told when that list changes.
 
2. Recovery Through Relationship
When the worst happens, the strength of your supplier relationship makes all the difference.
Is your supplier on the front foot, helping you investigate the root cause, notify regulators, and reassure customers? Or are they pointing to the fine print and disappearing into the background?
Suppliers who feel part of a genuine partnership are far more likely to step up—not because the contract demands it, but because the relationship deserves it. They know you’ve invested in them, supported their development, and worked through past issues constructively. That goodwill buys speed, honesty, and action in a crisis.
But recovery becomes significantly harder when the source of failure lies deeper in the supply chain. If your Tier 1 supplier is unaware, or unwilling to disclose, which third parties were involved, root cause analysis stalls. Strong relationships must be matched by strong transparency across supplier ecosystems, with contractual rights to trace issues and demand cooperation beyond the first tier.
 
The Wake-Up Call Boards Can’t Ignore
As regulatory fines climb and customer trust becomes harder to earn back, this isn’t just a procurement issue. It’s a board-level, brand-defining risk. And as these recent breaches show, the weak spot is often not your system—but someone else’s, poorly managed.
If your organisation still treats supplier relationships as transactional, it’s time to change. And if you don’t know which suppliers pose the greatest risk to your data, reputation, or operations—you’re not managing risk. You’re hoping.
Truly managing supplier risk requires joined-up thinking across the business. Infosec, legal, IT, and procurement all have a role to play, but they often operate in silos. Without coordinated ownership, key risks fall through the cracks. Elevating third-party risk to a strategic priority means aligning internal functions, sharing data on supplier performance, and embedding risk thinking into every stage of the supplier lifecycle.
What Now?
  1. Map your supplier risk landscape. Understand who holds your sensitive data, who has privileged or network access into your systems, who powers your digital channels, and who plays a role in customer experience.
  2. Segment and engage. Invest time in your most critical suppliers, with the same intensity you would your own teams.
  3. Benchmark your SRM maturity. Most organisations think they’re good at managing suppliers—until they measure it.
Where trust is constantly tested, managing supplier relationships isn’t a back-office function. It’s a boardroom imperative.
And remember: your risk landscape doesn’t stop at your direct suppliers. Critical exposures often lie hidden in the next tier, or the one after that. Strengthening SRM maturity means going beyond visibility to resilience: building partnerships, enforcing accountability, and preparing to respond together when things go wrong.
 
Are your supplier relationships protecting you, or putting you at risk?
Our Advanced Supplier Relationship Management Training is designed to equip you with the tools, frameworks, and behaviours to manage suppliers as true partners, not just vendors. Learn how to build trust, drive accountability, and strengthen resilience across your entire supply chain. If you're serious about reducing risk, this is where you start.
