Author: Jeff Weeks, Senior Vice President and Chief Information Security Officer
- Attackers are finding new ways to exploit the digital supply chain.
- Third-party software, open-source code, and AI are high-risk targets.
- Businesses face growing pressure to manage vendor and system vulnerabilities.
- Consumers must play a role in protecting their personal data.
In today’s interconnected world, no organization truly stands alone. Banks, businesses, and even individual consumers rely on a vast network of vendors, service providers, and technology partners. This ecosystem, commonly called the digital supply chain, is now one of the most heavily targeted attack vectors.
The past year has shown that attackers no longer need to break directly into your systems. Instead, they target the “weakest link” in your extended network. A compromised vendor, software update, or cloud provider can become the backdoor into your operations and customer data.
The Evolving Threat Landscape
High-Profile Exploits in the Digital Supply Chain
- Salt Typhoon Campaign – Recent nation-state operations demonstrated how attackers can infiltrate global telecom and infrastructure providers to indirectly compromise businesses and governments.
- Third-Party Software Exploits – From code injection vulnerabilities to open-source libraries embedded in countless apps, attackers are weaponizing vulnerabilities in widely used platforms.
- AI-Enhanced Attacks – Criminals are now using artificial intelligence to map dependencies, automate phishing, and even generate polymorphic malware that adapts to bypass defenses.
Why It Matters
- For consumers: A breach at a retailer, healthcare provider, or financial vendor could expose your personal data, even if your bank is secure.
- For businesses: An overlooked vendor vulnerability in your digital supply chain can cause financial losses, reputation damage, and fines.
Key Risks in the Digital Supply Chain
- Third-Party Software Updates – Attackers exploit trusted update mechanisms, inserting malware into legitimate downloads (e.g., SolarWinds).
- Vendor Access Rights – Partners with VPNs or admin rights often have too much access, making them prime targets for attackers.
- Open-Source Dependencies – With many applications built on open-source code, a single compromised library can cascade across thousands of organizations.
- Cloud and SaaS Providers – Reliance on cloud storage, APIs, and payment processors means your data’s security is only as strong as theirs.
Best Practices for Businesses and Organizations
- Map Your Digital Supply Chain – Know who your vendors are, what systems they access, and what data they hold to improve visibility and strengthen third-party risk management.
- Conduct Vendor Digital Supply Chain Risk Assessments – Evaluate security practices against recognized standards (NIST, ISO 27001, PCI DSS, GLBA).
- Limit Vendor Access – Apply “least privilege” principles. Vendors should only access what is necessary, nothing more.
- Monitor Continuously – Threat intelligence, dark web monitoring, and automated tools can flag vendor breaches faster.
- Plan for the Worst – Build incident response playbooks that cover vendor-originated breaches.
Steps Consumers Can Take
While businesses bear the most responsibility, consumers should also protect themselves:
- Sign up for alerts and notifications from banks and service providers.
- Use multi-factor authentication on all financial and shopping accounts.
- Be skeptical of unexpected emails or texts claiming to be from a “partner company.”
- Monitor your credit reports and accounts regularly for suspicious activity.
Looking Ahead
The European Union’s Cyber Resilience Act and U.S. debates over renewing cyber information-sharing laws highlight a growing global push: digital supply chain vendors must embed security into products and services from the ground up. Forward-thinking banks and businesses are preparing for post-quantum cryptography to protect today’s data from future threats.
Digital supply chain security is not just an IT issue; it is a shared responsibility that touches everyone, from global corporations to everyday consumers. Businesses must demand more from their vendors, and individuals must stay vigilant about how their data flows through third parties.
In 2025, the lesson is clear: trust but verify. Protecting the digital supply chain protects us all.
About the Author
Jeff has been with First National Bank of Omaha for more than 26 years and is currently the Senior Vice President and Chief Information Security Officer. The executive leadership and oversight Jeff provides in the development, management, and execution of information security for FNBO enable the company to posture and protect the private, personal information and assets of its clients, employees, and business partners.