Many organisations still assume that once their data is handed over to a cloud provider or managed service partner, the risk goes with it. That assumption is not only wrong, it’s also dangerous. Outsourcing IT services does not mean outsourcing accountability. When sensitive information leaves your environment without strong protection, you are effectively placing your reputation, regulatory standing and customer trust in someone else’s hands. When those controls fail, as they often do, it is the data owner who ultimately pays the price.
Regulators have become increasingly clear on this point. Responsibility for protecting data sits squarely with the organisation that owns it, not the supplier processing or moving it on their behalf. Contracts, assurances and compliance statements offer little comfort once data has been exposed.
As a result, supply chain security is no longer an operational detail to be left to technical teams. It is a board-level issue that affects risk, compliance, reputation and long-term resilience. Senior leaders are now expected to understand where their data travels, who has access to it and how it is protected at every step.
The reality is uncomfortable but unavoidable. Risk cannot be outsourced. Services, platforms and operations can be delegated, but accountability remains firmly with the data owner. The only way to break the link between supplier failure and organisational damage is to ensure that data stays protected wherever it goes.
Why third-party breaches hurt so much
Some of the most damaging recent breaches did not begin inside the organisations that ultimately suffered the consequences. Attackers found their way in through suppliers, shared platforms or service providers that sat outside direct control. Once inside, they were able to access and extract data that belonged to someone else entirely.
Despite this, it was the data owner that faced regulatory investigation, fines, legal action and lasting reputational damage. Customers didn’t blame the supplier; they didn’t even know it existed. They blamed the organisation they trusted with their information. Boards and executives are then left explaining why sensitive data was allowed to travel unprotected through third-party environments.
The false comfort of perimeter security
A common thread in many of these incidents is over-reliance on perimeter-based security. Organisations focus heavily on protecting their own networks and identities, while assuming partners will do the same. In reality, attackers rarely respect organisational boundaries. They move through supply chains, exploit weaker links and target data wherever it is most accessible.
Once data leaves your environment, perimeter controls lose their value. If the information itself is not protected, a breach at any point in the chain exposes it. This is why traditional security approaches struggle to contain the fallout from supplier compromises.
Harvest now, decrypt later is already happening
There is an additional risk that many organisations are massively underestimating. Attackers are not only stealing data for immediate use. They are also running "harvest now, decrypt later" campaigns: sensitive information is exfiltrated today, stored, and held until cryptographic advances make it readable.
This is significant because data shared across supply chains retains its importance and value over time. Financial records, personal data, intellectual property and regulated information do not expire quickly. When quantum computing capabilities mature, encryption methods that were once considered strong will no longer offer adequate protection. Data stolen years earlier can suddenly become exposed.
The assumption that quantum threats are a distant concern misses the point. The risk is not when quantum computing arrives. The risk is that the data that will be valuable then is already being collected now. Without quantum-ready protection in place today, based on Post-Quantum Cryptography (PQC), organisations are building a future liability into their supply chains.
Organisations need to be looking now at PQC-safe solutions that keep data protected even against future cryptographic breakthroughs. Applied to data in motion, such protection ensures that information remains unreadable wherever it travels, across internal systems, cloud platforms and third-party environments.
Securing data across the supply chain
The most effective way to reduce supplier risk is to protect the data itself, rather than relying on each partner’s infrastructure. Encryption in transit, strong control of encryption keys and clear policies governing how data flows between systems are critical.
When data is protected end-to-end, a supplier breach does not automatically become a business crisis. Even if attackers gain access to a supplier's systems, the information they intercept is unusable without the keys, which remain under the data owner's control. This removes much of the incentive for the attack and dramatically reduces the impact if one occurs.
Crucially, this approach works with existing systems. Many organisations rely on legacy platforms that are difficult or costly to replace. Protecting data flows around those systems allows them to remain in use while still meeting modern security and regulatory expectations.
Another benefit of data-centric protection is reduced dependence on supplier assurances. Rather than relying on the assumption that every partner has implemented perfect security, organisations can enforce their own protection standards at the data level. This shifts control back to the data owner and reduces exposure to weaknesses outside their direct oversight.
It also simplifies compliance. When organisations can demonstrate that sensitive data is consistently protected wherever it moves, regulatory conversations become far more straightforward.
Protecting what actually matters
The lesson from repeated third-party breaches is clear. Attackers go where the data is, not where the organisational chart says responsibility should lie. Organisations that focus solely on infrastructure security will continue to be caught out by supplier failures.
Those who take a data-focused, quantum-secure approach can change the outcome. Breaches may still occur, but their impact need not define the organisation. When stolen data is unreadable, reputation, trust and regulatory standing are far easier to protect.
The message is simple. You may rely on suppliers, but your data is still your responsibility. Protect it accordingly.