Phishing trends: Are your suppliers an unexpected security risk?
To cybercriminals, your vendors can be an attractive backdoor into your organization—and unfortunately, it's happening more often than you might think. A seemingly trustworthy partner can unknowingly pave the way for phishing attacks, data breaches, or full-scale supply chain compromises in your company. With the rollout of the NIS2 directive, this threat is more pressing than ever: organizations now need to demonstrate not only their own cybersecurity maturity, but also that of their vendors.
Vendors: A growing weak link
With AI, phishing campaigns have become more convincing and harder to detect. While employees were the main target for years, attackers are now shifting their focus to third-party vendors. A compromised vendor account can give an attacker the same access as a compromised employee account: to sensitive data, to critical systems, or even to your entire supply chain. Some common attack types include:
- Business Email Compromise (BEC): An attacker takes over a vendor's real email account and uses it to send legitimate-looking invoices or requests to change bank details. Because the messages come from the genuine account, they pass sender-authentication checks (SPF, DKIM, DMARC) and arrive from an address your staff already trust, so a process check such as confirming payment changes over a known phone number is often the only safeguard.
- Third-party phishing: Cybercriminals impersonate a trusted partner to steal login credentials or sensitive information.
- Supply chain attacks: One vulnerable partner can open the door to widespread breaches across multiple organizations.
What NIS2 means for you
The EU’s NIS2 directive places direct accountability on organizations to evaluate the security posture of their supply chain. This isn’t just about regulatory compliance—it’s about reducing real-world risk across your entire ecosystem. Here’s what that looks like in practice:
- Visibility: You need to know which vendors have access to your systems and data. Article 21(2)(d) of the directive explicitly lists supply chain security, including the security-related aspects of the relationship between an entity and its direct suppliers or service providers, among the required risk-management measures.
- Due diligence: You must be able to demonstrate that your vendors are following appropriate security measures. Article 21(3) requires you to take into account the vulnerabilities specific to each direct supplier and service provider, as well as the overall quality of their products and their cybersecurity practices.
- Incident reporting: Incidents involving third parties may trigger mandatory reporting requirements. Under Article 23, a significant incident requires an early warning to the CSIRT or competent authority within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report no later than one month after that notification.
In short, ignorance is no longer an option.
Shifting from trust to verification
Many companies still lean on long-standing vendor relationships. But in cybersecurity, trust alone no longer cuts it. To build a mature security posture, you need to adopt a Zero Trust approach: never trust, always verify, even when the partner has been with you for years. In practice that means vendor access is scoped to what the vendor actually needs, authenticated every time, and reviewed regularly rather than granted once and forgotten.
The takeaway: Security is a shared responsibility
Vendors are essential to your daily operations—but they can also introduce unexpected risks. By staying ahead of phishing trends and making your supply chain a core part of your security strategy, you’ll not only reduce the likelihood of incidents, but also stay compliant with the stricter NIS2 requirements.
Source: eur-lex.europa.eu