The Cyber Achilles’ Heel: Why TPRM is Broken and Leaving You Blind

Traditional TPRM is broken. Learn why static compliance leaves your supply chain exposed—and how Defend‑as‑One can close the cyber risk gap.

The MOVEit Transfer hack didn't just breach one target; it was a digital wildfire that swept across the globe, impacting thousands of organisations and tens of millions of people. High-profile victims, like Boots and the BBC, weren't even direct users of the compromised software. They were impacted through their own suppliers that used MOVEit to handle their data.

This cascading disaster exposed a chilling truth for every CISO, risk manager, and board member: 

Your security is only as strong as the weakest, most distant link in your supply chain.

The industry's conventional defence mechanism—Third-Party Risk Management (TPRM)—is failing. It's not a tweak or a missing feature; the traditional TPRM model itself is fundamentally broken, built on assumptions that crumble under the weight of today’s highly interconnected, sophisticated threats.

The Snapshot Illusion: Why Compliance Isn't Security

Traditional TPRM in essence relies on three core methods: questionnaires, shared assurance providers, and external vulnerability scanners. The problem is that all three are designed to deliver a point-in-time snapshot of security in a landscape that requires real-time data and insights.

Imagine inspecting the locks on a vault door once a year, while a continuous stream of attackers is testing the fire exits. That’s what periodic assessments do.

  1. Questionnaires are static and resource-intensive: These security compliance checklists are typically sent out at the start of a contract and at best repeated annually. For the supplier, filling out different, custom-made questionnaires for every client is a major, time-consuming burden that increases the risk of them not taking every assessment as seriously as they should. For you, the client, they provide no continuous insight and can be out of date the moment they are completed.

  2. Scanners are blind to internal weaknesses: External scanning tools are popular because they're a quick, "plug and play" way to check a supplier’s public-facing systems for known vulnerabilities. But they can only scan the outer perimeter. They give zero insights into a supplier’s internal security posture—the policies, procedures, people and internal systems. Worse, they can produce many false positives, flooding security teams with too much noise.

The failure of TPRM is reflected in the data. In a recent report “Every Link Matters: The State of Supply Chain Cyber Security 2025—UK Edition”, only a minority (37.2%) of all surveyed UK cyber professionals believe TPRM to be “effective”. This wide gap between practice and confidence is a warning sign that traditional TPRM is broken.

Blind Spots and Cascading Failure: The Systemic Flaws

Beyond the shortcomings of the tools themselves, traditional TPRM is plagued by two further fundamental flaws that leave organisations catastrophically exposed.

1. The Fourth-Party Blind Spot (Lack of Visibility)

The sheer size of today’s supply chains—often hundreds or thousands of external relationships—makes individual, siloed assurance work impossible to scale. TPRM, by its very definition, focuses on your direct Third-Parties.

But as the MOVEit attack demonstrated, threats can appear far beyond that first tier, deep within the extended ecosystem of 4th, 5th, and n-th parties. Most organisations’ visibility drops off a cliff past their direct suppliers. As the report found, 72% of UK organisations currently don’t have full visibility into their supply chains beyond their direct third parties.

This lack of visibility remains a critical blind spot. Concentration risks—where several organisations all rely on the same shared supplier—can create a single point of failure that can cause disruption to cascade across an entire industry and beyond.

2. The Silo Problem (Lack of Collaboration)

One of the biggest shortcomings identified by the surveyed UK cyber professionals is the lack of collaboration and information sharing with industry peers (34.6% of respondents considered this a major shortcoming).

This siloed approach leads to two major problems:

  • Duplication of Effort: Every organisation spends huge amounts of time and money individually assessing the same shared suppliers, creating assessment fatigue and wasting resources across the industry.
  • Systemic Blindness: Individual organisations simply cannot see the systemic risks that exist across their industries. Without collaboration, no single entity can identify the hidden dependencies that could impact an entire sector.

This is compounded by the fact that TPRM is too often treated merely as a governance and compliance exercise, rather than a fundamental objective of reducing security risk. This tick-box mentality creates a vicious cycle where the perceived value depreciates, and the required effort is never truly committed.

The Path Beyond TPRM: Defend-as-One

The data is an undeniable call to action: traditional, static, siloed TPRM is no longer sufficient to secure our increasingly complex digital ecosystems. The World Economic Forum is right to warn that this approach is struggling to keep pace with fast-evolving third-party threats.

The imperative now is to transcend TPRM and adopt a fundamentally different, more holistic approach: a culture of collective defence, or Defend-as-One.

By leveraging collaborative platforms and securely sharing supply chain data with peers, organisations can finally move past the point-in-time snapshot and gain:

  • Continuous Monitoring: Accessing continuously updated security posture information from suppliers, rather than relying on annual checks.
  • Deep Visibility and Risk Identification: Overlaying network maps with peers to uncover hidden 4th, 5th, and n-th party dependencies, instantly exposing concentration risks and single points of failure that were previously invisible.
  • Shared Resilience: Collaborating to collectively triage, prioritise, and mitigate risks, leveraging combined resources and shared intelligence for a stronger, sector-wide response.
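To make the "overlaying network maps" point concrete, here is an added example (not Risk Ledger's code or the report's method) that walks each peer's supplier relationships outwards by tier and flags suppliers that several peers depend on, including those no peer sees as a direct third party. All organisation and supplier names, and the graph itself, are constructed for illustration.

```python
"""Added example: n-th party dependency discovery and concentration-risk
detection over a constructed supplier graph (not the page's own code)."""
from collections import deque

# Constructed sample: each organisation's DIRECT suppliers only. The three
# peers only see tier 1; the shared file-transfer vendor sits at tier 2 or 3.
SUPPLIER_GRAPH = {
    "bank-a": ["payroll-co", "cloud-host"],
    "bank-b": ["hr-outsourcer", "cloud-host"],
    "bank-c": ["law-firm"],
    "payroll-co": ["file-transfer-vendor"],
    "hr-outsourcer": ["payroll-co"],
    "law-firm": ["file-transfer-vendor"],
    "cloud-host": [],
    "file-transfer-vendor": [],
}
PEERS = ["bank-a", "bank-b", "bank-c"]


def supplier_tiers(org, graph):
    """Breadth-first walk from org; returns {supplier: tier} where tier 1 is
    a direct third party, tier 2 a fourth party, and so on (shortest path)."""
    tiers = {}
    queue = deque((s, 1) for s in graph.get(org, []))
    while queue:
        supplier, tier = queue.popleft()
        if supplier in tiers:  # already reached via a shorter path (or a cycle)
            continue
        tiers[supplier] = tier
        queue.extend((s, tier + 1) for s in graph.get(supplier, []))
    return tiers


def concentration_risks(peers, graph, min_dependents=2):
    """Overlay every peer's supplier map and flag suppliers that at least
    min_dependents peers rely on. 'hidden_from_all' means no peer has the
    supplier as a direct third party, so siloed TPRM would never list it."""
    dependents = {}
    for org in peers:
        for supplier, tier in supplier_tiers(org, graph).items():
            dependents.setdefault(supplier, {})[org] = tier
    risks = {}
    for supplier, by_org in dependents.items():
        if len(by_org) >= min_dependents:
            risks[supplier] = {
                "dependents": sorted(by_org),
                "max_tier": max(by_org.values()),
                "hidden_from_all": min(by_org.values()) > 1,
            }
    return risks
```

Running `concentration_risks(PEERS, SUPPLIER_GRAPH)` reports `file-transfer-vendor` as a dependency of all three peers, reached only at tier 2 or 3, which is exactly the kind of shared n-th party that per-organisation assessment cannot surface.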

Threat actors are collaborating, constantly seeking the weakest link in your chain. For too long, the industry has been defending in isolation. It’s time to recognise the inherent flaws in our traditional methods and embrace the fact that only a more joined-up and collaborative approach will make a material difference in hardening our security and making our economies truly resilient. The Achilles' heel of cyber security lies not just in a single vulnerable supplier, but in the outdated model we use to manage them. It’s time to fix what’s broken.
