Why Third-Party Access Remains the Weak Link in Supply Chain Security


Pierluigi Paganini
December 23, 2025


Attackers exploited a supply chain weakness, abusing trusted components to compromise systems and spread malicious activity across connected targets.

Your next breach probably won’t start inside your network—it will start with someone you trust. Every supplier, contractor, and service provider needs access to your systems to keep business running, yet each login is a potential doorway for attackers. Access management is meant to control the risks of granting that access, but weak controls and poor hygiene remain the norm. The Thales Digital Trust Index report, Third-Party Edition, highlights that over half of surveyed professionals (51%) keep access to partner systems for days or even a month after they no longer need it, turning everyday collaborations into hidden vulnerabilities that accumulate over time.

Ask yourself: Are you evaluating and managing these risks well enough? If the answer isn’t clear, it’s time to revisit the basics of identity lifecycle management. Supply chain risks are preventable—but only if they aren’t tolerated or ignored. This article is a primer on how to ensure B2B collaboration remains a source of agility and resilience, not your Achilles’ heel.

Small Failures, Big Consequences

Risk builds when gaps are overlooked. Slow onboarding stalls business before it even begins, and it is also a symptom of immature processes that invite human error. Weak authentication methods are often permitted so that access can be granted quickly, but they leave identities vulnerable to phishing.

Those methods also enshrine practices like frequent password resets/rotations that drain productivity while failing to secure your mission-critical systems. For example, the Thales report shows that 40% of professionals across industries have to reset their passwords once or twice a month, creating avoidable inefficiencies and undermining the user experience.

Exceptions further weaken access control, while delayed revocation leaves inactive accounts enabled with stale permissions and sessions alive far longer than they should be. Web protocols are well documented, and exploits should be expected.

For example, the OAuth specification is well understood, and its known attack vectors are thoroughly documented. But attackers don’t rely on novelty—they seize on poor implementations, weak controls, and exceptions that leave the backdoor open to gain access.

Workforce identity is usually managed with far more rigor to avoid known vulnerabilities, but B2B access often escapes that level of scrutiny. Identity and Access Management becomes a checkmark in vendor assessments. The result is an expanding attack surface that bad actors are actively exploiting.

Data Spotlight: Trust is Already Weakening

The Thales Digital Trust Index reveals that these failures are more than inefficiencies: they make the attackers’ job much easier. When more than half retain access long after contracts end, attackers notice this trend, and they want nothing more than to obtain persistent access.

Brokers sell stolen identities on darknet markets, Telegram channels, and criminal forums. Packages include email/password combos, session cookies, and “fullz” (complete identity profiles). Law enforcement actions like the 2023 seizure of Genesis Market show the scale.

Verizon’s 2025 Data Breach Investigations Report found that 62% of system intrusion incidents involve the supply chain, underscoring how attackers exploit these weak points to gain access. They’re also getting faster and smarter with shorter breakout times and commoditized toolsets. This isn’t a theoretical risk—it’s slowing business, eroding trust, and fueling costs while cybercriminals profit.

The Cost of Overlooking Third-Party Access

Invisible risks and gaps that cause friction in identity federation have undeniable costs. Operational delays are already prevalent. Thales found that 31% of partners must wait days for access, slowing revenue before work even begins, while 96% face login issues. Inefficient access control costs end users 48 minutes a month on average, time that would otherwise go toward optimizing supply chains and logistics.

Regulators have also taken notice. In both the U.S. and EU, new rules are pushing enterprises to prove third-party resilience. Notably, the EU’s Digital Operational Resilience Act (DORA) mandates stronger oversight of ICT vendors, and there’s growing scrutiny under OCC and SEC guidelines in the U.S.

The EU has begun to enforce DORA, and its penalties are steep. Fines may be up to 2% of global annual turnover or 1% of average daily turnover.

When confidence erodes, brands lose more than time. Trust, reputation, and deal velocity are exposed. A whopping 82% of consumers have abandoned brands due to concerns over digital trust. Confidence is far harder to recover than the costs of prevention, especially when B2B IAM also leads to greater agility.

Breaking the Cycle

A stronger IAM strategy is central to supply chain success. That means extending zero-trust principles to third parties and monitoring vendors with access review like you would your workforce. Assume breach, because attackers have an economic incentive to exploit mistakes. It also requires frictionless onboarding that enables business at speed (with automation, roles, and attributes) without compromising security.

This is made possible via end-to-end lifecycle management and lifecycle workflows, ensuring access is revoked the moment it is no longer needed, or adjusted to match current needs. Federated identity should never equal permanent trust, and authenticated should not mean trusted. Policies and risk signals should continuously evaluate whether users, sessions, and devices should be granted access to your resources.

Securing the supply chain starts with securing identity. When access is provided instantly, but oversight is absent, trust becomes optional, and attackers thrive on that gap. Extending zero-trust principles to third parties doesn’t just protect systems; it protects relationships, revenue, and reputation.

If you take one step today, make it this:
Audit who still has access, automate what you can, and monitor what you can’t.
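As an added illustration of the "audit, automate, monitor" step (example code written for this article, not a product or the Thales report's own tooling), the following lifecycle check flags partner accounts whose contract has ended, that have gone dormant, or that hold sessions older than a policy limit. The account records, the 14-day dormancy window and the 8-hour session limit are all constructed assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy thresholds (constructed for this example, not from the article's sources).
NOW = datetime(2025, 12, 23, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=14)     # disable partner accounts unused this long
MAX_SESSION_AGE = timedelta(hours=8)   # terminate partner sessions older than this


@dataclass
class PartnerAccount:
    user: str
    vendor: str
    contract_end: Optional[datetime]     # None = still under contract
    last_login: Optional[datetime]       # None = never logged in
    session_started: Optional[datetime]  # None = no live session


def review_account(acct: PartnerAccount, now: datetime = NOW) -> List[str]:
    """Return the reason codes a lifecycle workflow should act on for one account."""
    findings = []
    if acct.contract_end is not None and acct.contract_end <= now:
        findings.append("REVOKE_CONTRACT_ENDED")      # delayed revocation
    if acct.last_login is None or now - acct.last_login > DORMANT_AFTER:
        findings.append("DISABLE_DORMANT")            # inactive account, stale permissions
    if acct.session_started is not None and now - acct.session_started > MAX_SESSION_AGE:
        findings.append("TERMINATE_STALE_SESSION")    # session alive longer than it should be
    return findings


def access_review(accounts: List[PartnerAccount], now: datetime = NOW) -> Dict[str, List[str]]:
    """Map each account needing action to its findings; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, now)
        if findings:
            report[acct.user] = findings
    return report


# Constructed sample data: five partner identities at fictional vendors.
SAMPLE = [
    PartnerAccount("alice@vendor-a.example", "Vendor A", None, NOW - timedelta(days=1), NOW - timedelta(hours=2)),
    PartnerAccount("bob@vendor-b.example", "Vendor B", NOW - timedelta(days=30), NOW - timedelta(days=3), None),
    PartnerAccount("carol@vendor-c.example", "Vendor C", None, NOW - timedelta(days=45), None),
    PartnerAccount("dave@vendor-d.example", "Vendor D", None, NOW - timedelta(days=3), NOW - timedelta(days=3)),
    PartnerAccount("erin@vendor-e.example", "Vendor E", None, None, None),
]

if __name__ == "__main__":
    for user, reasons in access_review(SAMPLE).items():
        print(f"{user}: {', '.join(reasons)}")
```

Feeding the same check a real export of partner accounts, then wiring its reason codes to the corresponding revoke/disable/terminate actions in your IdP, is the automation the article recommends.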

Every dormant account you close, every delayed revocation you automate, and every login you modernize brings your organization closer to genuine digital trust. Third-party access will always be part of business—but it doesn’t have to be your weakest link.

About the author: José Caso at Bora
