Supply Chain Risk Management

What CNI Attacks Taught Me About Digital Supply Chain Visibility

A conversation about CNI attacks in Albania and Montenegro changed how I think about third-party risk. The visibility gap is the same problem, the stakes are no


Robin De Vries

CEO

May 6, 2026


CNI attacks show that supply chain risk becomes tangible when you don’t know what’s actually connected to your environment. Enterprises and governments share the same visibility gap, only the consequences look very different.

I spend my days talking to enterprise security teams about digital supply chain risk. CISOs who need to pass audits. GRC leads trying to meet DORA and NIS2 requirements. Security architects staring at vendor lists that do not match reality.

The business case is well understood at this point: undiscovered third-party connections are a breach vector. Unknown subprocessors create compliance exposure. Infrastructure concentration in a single provider is a risk multiplier that most organizations have not modeled. This is what ThingsRecon was built to surface.

What changed for me recently was the scale of this reality.

The question every ministry asked

On a recent episode of the All Things Cyber podcast, I spoke with David Smith from BAE Systems, who has spent the last three years working on cyber capacity building with governments across the Balkans. He described working with ministries on EU accession, specifically, the NIS2 requirement that organizations ensure their third-party suppliers meet supply chain security standards.

When he put that requirement to a government ministry, they came back with a question I recognized immediately: how do we know who our third-party suppliers are?

I hear this every week from large financial institutions, global technology companies, and critical infrastructure operators alike. Governments and enterprises face the same visibility challenge, only the consequences are different when citizens’ lives are at stake.

Listen to All Things Cyber Episode #5 – The Real-Life Impact of CNI Attacks

When supply chain failure becomes visible

The Albania and Montenegro incidents David described are covered in detail in his own piece on this blog. What stayed with me was not the technical sequence but the downstream effects.

In Tirana, the same breach that took down municipal IT systems also took down city wifi. The police were coordinating response on that wifi. Traffic cameras ran on the same network. Revenue collection stopped. And it happened to be the two-week window when parents could register children for kindergarten, a system that was now offline.

Nobody had mapped the dependency chain that connected an Iranian threat actor's actions to a parent unable to register their child for school. Nobody had planned for that cascade.

David put the stakes directly: in enterprise security, when something goes wrong, you worry about customers and shareholders. In government and CNI, worst case, you are worried about people dying.

What a discovery scan actually reveals

When ThingsRecon runs a digital supply chain assessment on an organization's external surface, we do not start from the vendor list. We start from the organization's own domains and work outward, following DNS records, reading scripts, tracing API endpoints, analyzing headers and certificates. We are reconstructing what is actually connected.

What we consistently find is a picture larger than anyone expected. Active third-party connections routinely run two to five times the official vendor count. Suppliers approved for one integration are connected in three. Tools that individual teams adopted without procurement are embedded in production infrastructure. Subdomains from old integrations are still pointing somewhere active.
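The outward-walking discovery described above, as an added illustration rather than ThingsRecon's own tooling: it takes an organization's DNS records and one of its pages, extracts every third-party host they point at (CNAME targets, MX hosts, SPF includes, script and resource URLs), groups them by registrable domain, and reports the ones absent from the declared vendor list, with the evidence for each. All input is constructed inline so it runs offline; the domains, records and vendor names are invented for the example, and the registrable-domain helper is a two-label approximation rather than a public-suffix-list lookup.

```python
"""Reconstruct what is actually connected from an organization's own
external artifacts, then compare it with the vendor list.

Added example, not ThingsRecon's code. Every input below is constructed."""
import re
from urllib.parse import urlparse

# --- constructed sample input (fictional organization, fictional records) ---
ORG_DOMAINS = {"example-corp.com"}

DNS_RECORDS = [  # (name, type, value), as an external DNS walk would return them
    ("www.example-corp.com", "CNAME", "d1234.cloudfront.net."),
    ("status.example-corp.com", "CNAME", "example-corp.statuspage.io."),
    ("example-corp.com", "MX", "10 aspmx.l.google.com."),
    ("example-corp.com", "TXT", "v=spf1 include:_spf.google.com include:spf.mailgun.org -all"),
    ("old-survey.example-corp.com", "CNAME", "example-corp.surveytool-example.com."),
]

HTML_PAGE = """<html><head>
<script src="https://cdn.segment.com/analytics.js/v1/abc/analytics.min.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
</head><body>
<script>fetch("https://api.stripe.com/v1/tokens")</script>
<img src="https://px.ads.linkedin.com/collect?pid=1">
</body></html>"""

# What procurement believes is connected (constructed).
DECLARED_VENDORS = {"google.com", "stripe.com", "cloudfront.net"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def registrable(host):
    """Approximate registrable domain: last two labels. A real scan would
    use the public suffix list so that e.g. 'co.uk' hosts group correctly."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def observations(dns_records, html):
    """Yield (external host, evidence) pairs from DNS data and page content."""
    for name, rtype, value in dns_records:
        if rtype == "CNAME":
            yield value, f"{name} CNAME -> {value}"
        elif rtype == "MX":
            host = value.split()[-1]
            yield host, f"{name} MX -> {host}"
        elif rtype == "TXT" and value.startswith("v=spf1"):
            for token in value.split():
                if token.startswith("include:"):
                    inc = token[len("include:"):]
                    yield inc, f"{name} SPF include:{inc}"
    for url in URL_RE.findall(html):  # absolute URLs only; relative ones are first-party
        host = urlparse(url).hostname
        if host:
            yield host, f"page references {url}"


def discover(dns_records, html, org_domains):
    """Map each third-party registrable domain to the evidence that revealed it."""
    own = {registrable(d) for d in org_domains}
    found = {}
    for host, evidence in observations(dns_records, html):
        domain = registrable(host)
        if domain in own:
            continue
        found.setdefault(domain, []).append(evidence)
    return found


def undeclared(found, declared_vendors):
    """Observed third parties that the vendor list does not account for."""
    declared = {registrable(d) for d in declared_vendors}
    return {dom: ev for dom, ev in found.items() if dom not in declared}


if __name__ == "__main__":
    found = discover(DNS_RECORDS, HTML_PAGE, ORG_DOMAINS)
    gap = undeclared(found, DECLARED_VENDORS)
    print(f"observed {len(found)} third-party domains, "
          f"{len(DECLARED_VENDORS)} declared, {len(gap)} undeclared")
    for domain, evidence in sorted(gap.items()):
        print(f"UNDECLARED {domain}")
        for line in evidence:
            print("    ", line)
```

On the constructed input the scan observes nine third-party domains against three declared vendors, the kind of ratio the paragraph above describes, and the stale `old-survey` CNAME shows up as evidence even though nothing on the current site references it. Keeping the evidence per domain matters in practice: the useful conversation with a vendor owner starts from "this record still points at you", not from a bare domain name.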

This is not negligence. It is how digital supply chains grow. Every team, every project, and every vendor relationship adds connections, and the list of connections grows faster than any manual process, annual audit, or vendor questionnaire can track.

This is the gap that NIS2 and DORA are now forcing organizations to confront: not just whether your declared vendors are compliant, but whether you actually know who your vendors are. In previous articles, we have mapped their requirements to the technical capabilities needed to meet them.

The honest question

The organizations David works with face the same foundational problem as large enterprises. The discovery challenge does not scale differently by sector; it scales by the complexity of the supply chain and the speed at which new connections are added.

What scales differently is the consequence. In enterprise, the failure mode is financial and regulatory. Breach costs, contractual penalties, reputational damage. In government and CNI, the failure mode can include public services going dark, essential payments freezing, populations without information or coordination during a crisis.

The question that conversation left me with is one I now bring to every enterprise engagement: can your organization answer today, from the live digital environment rather than the contracted vendor list, what is actually connected to your infrastructure right now?

If the answer is uncertain, that uncertainty is the exposure. The same kind of exposure that turned a cyberattack on a municipality into a school registration crisis, just at a different scale, with different stakes at the end of the chain.

Understanding your digital supply chain risk starts with knowing what is actually there.



This post was adapted from Episode 5 of the All Things Cyber podcast, featuring David Smith, Regional Lead Consultant at BAE Systems Digital Intelligence.
