Cyber Focus Interview: Dr. Aleksandr Yampolskiy Analyzes the Rise of Third-Party and Supply Chain Cyber Risks
Dr. Aleksandr Yampolskiy, Co-Founder and CEO of SecurityScorecard, joined Frank Cilluffo, Director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, on the Cyber Focus podcast this week to shed light on the rapidly growing risks lurking inside our digital supply chains.
Dr. Yampolskiy explained that while organizations have spent years strengthening their internal defenses, the threat landscape has shifted outward. The majority of breaches now begin with vendors.
“Supply chain risk is the new epidemic in cybersecurity,” Dr. Yampolskiy said. “150 companies’ products comprise 90% of a global attack surface. If one of those companies gets compromised, all of a sudden, you can compromise almost everybody. The attack surface has become exponentially more complex.”
Why We Have A Highly Concentrated Global Attack Surface
Dr. Yampolskiy noted the world’s digital ecosystem is now so tightly interconnected that exposure has become highly concentrated. A small cluster of technology providers supports vast portions of global infrastructure. When those firms experience outages or breaches, the follow-on effects are immediate and widespread.
“It’s no longer enough to protect your own infrastructure,” Dr. Yampolskiy said. “Companies will spend millions and millions of dollars protecting their infrastructure. And then they send paperwork to an audit firm. The audit firm gets hacked and the hackers get in.”
Cilluffo pointed to a longstanding imbalance between innovation and security. While organizations have raced to adopt cloud services, smart devices, and AI tools, far fewer have invested at the same pace in protections needed to secure them.
“Our ability to network has far outpaced our ability to protect networks,” Cilluffo said.
Expanding Risk of Shadow IT and AI
Beyond third-party vendors, Yampolskiy warned that organizations must now account for fourth- and fifth-party dependencies, that is, their vendors’ vendors and those vendors’ vendors in turn.
Many organizations can’t identify deep layers of their exposure, making it harder to understand where systemic vulnerabilities exist.
Shadow IT and shadow AI add another layer of risk. Employees who upload sensitive information to unapproved tools may appear more productive, but they can unwittingly leak confidential data outside the organization. As Yampolskiy explained throughout the discussion, even the best intentions can lead to accidental compromise.
One of the most critical misconceptions he highlighted is the gap between compliance and security. Organizations often point to frameworks, audits, and certifications as signs of strength, but that is no longer enough.
“You can be fully compliant with all the regulations, but not secure,” Dr. Yampolskiy said.
To build true resilience, Dr. Yampolskiy emphasized the need for:
- Continuous monitoring across third-, fourth-, and fifth-party relationships
- Objective cybersecurity KPIs to measure and prioritize risk
- Deeper collaboration and communication with suppliers
- Boards, CISOs, and technology leaders aligning cyber risk with business and financial decisions
Strengthen Your Supply Chain Resilience
To learn how your organization can strengthen its supply chain resilience or uncover hidden third-, fourth-, and fifth-party risks, download SecurityScorecard’s 2025 Global Third-Party Breach Report or request a free demo today.