02 | CURRENT AND FUTURE RISKS
Current Posture and Future Risk: Systemic Exposure Across the Entire Ecosystem
Chapter 1 established the attacker’s playbook and the initial access vectors (credentials, MFT flaws) based on past victims.
This chapter merges the assessment of the major companies with the analysis of their critical vendor ecosystem, answering the question: How exposed is the interconnected Retail and Wholesale supply chain right now?
This section analyzes the cyber hygiene of 840 large anchor companies and compares it directly against their 2,620 critical supply chain vendors. The consistent exposure across all three dimensions (Retail, Wholesale, and their Supply Chain) proves that risk is not contained—it is systemic, shared, and magnified.
This data is based on a detailed analysis of the supply chains of leading global Retail and wholesale companies based on Black Kite’s Supply Chain data. By mapping publicly available vendor ecosystems and third-party service dependencies, we identified 2,620 critical vendors connected to these major organizations.
We’ll look at:
Setting the Stage
Key Risk Indicators
Security Controls
Setting the Stage: Industry & Vendor Breakdown
Before diving into risk exposure, we establish the composition of the sample group. Understanding the diversity of subindustries and the geographic concentration of these major players provides context for the security controls being assessed.
Top 5 Subindustries
The companies assessed span a broad range of products and services, reflecting the complexity of the combined ecosystem.
Number of Companies in Each Subindustry: Retail
Retail Subindustry Focus: The Retail sample is highly concentrated in consumer-facing operations like Food and Beverage Stores (85 companies) and Clothing, Shoe, and Jewelry (42 companies).
Number of Companies in Each Subindustry: Wholesale
Wholesale Subindustry Focus: The wholesale sample is more diverse but highlights key physical logistics and component segments, such as Household Appliances and Electrical (21 companies) and Grocery and Related Product (14 companies).
The Ecosystem Composition
When we think of the supply chain, we often picture logistics and warehouses. However, the data shows the digital infrastructure now outnumbers the physical.
Number of Vendors in Each Industry
The data shows an unexpected shift: digital partners now outnumber physical ones. Professional & Technical Services (793 companies) and Information (705 companies) now dominate the vendor ecosystem, far outnumbering Manufacturing or Transportation. This proves that the supply chain has shifted to a digital-first network (comprised of software vendors and IT service providers), where the sheer scale of connectivity creates a more complex risk surface across the entire chain.
Top Countries
The geographic distribution of major industry players confirms the high-value focus on Western markets, which aligns with the regional targeting seen in Chapter 1.
Number of Companies in Each Country: Vendors, Wholesale, Retail
Similar to the anchor companies, the vendor ecosystem is heavily concentrated in North America, with 69% of the critical vendor pool located in the United States. This regional density compounds the risk, subjecting the entire ecosystem to the same regional threat actors and regulatory requirements simultaneously.
Cyber Ratings
Cyber ratings offer a high-level view of perceived security health based on external factors.
Cyber Rating Distribution
Wholesale firms demonstrate a stronger overall perceived external posture, with 39% receiving an 'A' rating compared to 25% for Retail. Conversely, 63% of Retail firms are rated 'B,' indicating widespread, non-critical but persistent security flaws.
Key Risk Indicators (KRIs)
This table summarizes the exposure rates for critical Key Risk Indicators (KRIs), establishing the baseline susceptibility of major firms and their suppliers to the attack vectors identified in Chapter 1. The data is sorted by Retail exposure, placing the highest risks first.
Key Risk Indicators for Retail, Wholesale, and Their Vendors
Analysis of 840 Companies with >$1B Annual Revenue (Retail n=614, Wholesale n=226) and the 2,620 critical vendors connected to these major organizations.
The vulnerabilities seen in the Retail and Wholesale anchor companies are mirrored and amplified across the vendor pool.
Security Controls
Drilling into the specific security controls highlights how pervasive operational weaknesses create entry points for attackers.
Patch Management
Patch Management is a foundational control. Failure to patch critical vulnerabilities exposes companies to low-effort, automated attacks.
At Least One Critical-Level Patch Management Vulnerability Present (%)
The anchor companies (76% Retail / 77% Wholesale) and the vendor pool (68% of critical vendors) all exhibit a dangerously high rate of unpatched critical-level vulnerabilities. This exposure confirms the ecosystem's susceptibility to low-effort, automated attacks and demands mandatory patching standards for all third parties.
Phishing URLs
The presence of active phishing URLs associated with a company's domain indicates ongoing, targeted effort to compromise the vendor's employees or clients.
Companies with at Least One Phishing URL Finding (%)
The high rate of active Phishing URL findings across all segments (Retail: 45%; Wholesale: 34%; Vendors: 38%) confirms the entire ecosystem is under heavy, continuous surveillance. This pervasive impersonation and credential harvesting activity is the primary driver feeding the systemic Stealer Log crisis.
IP Reputation
IP reputation measures the integrity of a company's network and its exposure to organized criminal activity.
Botnet Infection
Botnet infection indicates that systems within the corporate network have been compromised and are being used to communicate with malicious networks.
Companies with at Least One Botnet Infection Finding (%)
All sectors show high exposure, with 36% of Retail, 32% of Wholesale firms, and 32% of Vendors having at least one Botnet Infection finding. This signals malware presence and potential backdoors into the network.
Targeted by Threat Actors
This metric tracks communications between a company's network and known malicious IP addresses (like Command & Control servers).
Companies with at Least One Malicious IP Communication Finding (%)
Half of the major Retail firms (50%), 40% of Wholesale firms, and almost as many Vendors have been targeted by threat actors via malicious IP communication. This confirms that these organizations are actively on the radar of cybercriminals.
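The "Malicious IP Communication" finding described above is, at its core, a match between observed network flows and a list of known-bad addresses. The following is an added illustration of that detection logic, not Black Kite's own tooling or data: it parses constructed flow records, matches source and destination addresses against a constructed blocklist (using documentation-only IP ranges as stand-ins for C2 infrastructure), and reports both outbound and inbound contact with listed addresses, plus the set of internal hosts involved. The log format and the blocklist contents are assumptions for the example.

```python
"""Flag network flows that touch known-malicious IP ranges (added example)."""
import ipaddress

# Constructed blocklist: RFC 5737 documentation ranges stand in for real C2 addresses.
KNOWN_MALICIOUS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]

# RFC 1918 private ranges, used to decide which side of a flow is "ours".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (assumed format): "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2024-01-01T10:00:01Z 10.1.2.3 192.0.2.10 443 tcp
2024-01-01T10:00:05Z 10.1.2.3 198.51.100.25 8443 tcp
2024-01-01T10:00:09Z 10.1.2.7 203.0.113.7 53 udp
2024-01-01T10:00:12Z 192.168.5.5 10.0.0.9 445 tcp
2024-01-01T10:00:15Z 203.0.113.7 10.1.2.7 40000 tcp
this line is malformed and must be skipped, not crash the parser
"""


def _in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in networks)


def parse_flow(line):
    """Parse one flow record; return None for malformed lines so one bad line does not abort a run."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {
            "ts": parts[0],
            "src": ipaddress.ip_address(parts[1]),
            "dst": ipaddress.ip_address(parts[2]),
            "dport": int(parts[3]),
            "proto": parts[4],
        }
    except ValueError:
        return None


def find_malicious_communications(flow_text, blocklist=KNOWN_MALICIOUS):
    """Return one alert per flow whose remote end is on the blocklist, tagged by direction."""
    alerts = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        if _in_any(flow["src"], INTERNAL) and _in_any(flow["dst"], blocklist):
            alerts.append({**flow, "direction": "outbound", "internal_host": str(flow["src"])})
        elif _in_any(flow["src"], blocklist) and _in_any(flow["dst"], INTERNAL):
            alerts.append({**flow, "direction": "inbound", "internal_host": str(flow["dst"])})
    return alerts


def affected_hosts(alerts):
    """Sorted list of internal hosts with at least one finding (the per-company 'at least one' view)."""
    return sorted({a["internal_host"] for a in alerts})


if __name__ == "__main__":
    found = find_malicious_communications(SAMPLE_FLOWS)
    for a in found:
        print(a["ts"], a["direction"], a["src"], "->", a["dst"], a["dport"], a["proto"])
    print("internal hosts affected:", affected_hosts(found))
```

Outbound contact is the more telling direction here, since a beacon from inside the network to a listed address is the behaviour the "Targeted by Threat Actors" metric is meant to surface; inbound hits are kept as well because scanning from listed infrastructure is also worth correlating.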
Email Security
Email security protocols (SPF, DKIM, and DMARC) protect against domain spoofing. Often dismissed as basic 'housekeeping,' in the Retail sector they are the guardians of brand reputation. The vendor pool shows alarming gaps in basic email authentication, which attackers exploit for supply chain phishing and impersonation.
SPF (The Guest List):
Defines who is allowed to send emails on your behalf.
DKIM (The Wax Seal):
Ensures the message hasn't been tampered with in transit.
DMARC (The Rulebook):
Tells the world what to do with emails that fail the first two checks.
DMARC Record
Companies with Missing or Misconfigured DMARC (%)
With 52% of Wholesale, 38% of Retail, and 39% of the Supply Chain companies missing or misconfiguring DMARC, these companies are inadvertently allowing attackers to spoof their domains. In an industry driven by customer trust, failing to secure your email identity is not just a technical oversight—it is an invitation for phishing attacks against your own client base.
SPF Record
Companies with Missing or Misconfigured SPF Records (%)
SPF records are critical for verifying email senders. Companies that are missing or misconfiguring their SPF records leave their domains vulnerable to unauthorized use and phishing attempts.
DKIM Record
Companies with Missing or Misconfigured DKIM Records (%)
DKIM records ensure email integrity. The combined sector demonstrates poor compliance, with 24% of Retail, 33% of Wholesale, and 22% of Supply Chain companies missing or misconfiguring DKIM, signaling a pervasive industry issue with maintaining email trust and authenticity.
The collective failure of Supply Chain to correctly implement these basic controls leaves the vendor pool wide open to domain spoofing, which is a direct pathway for phishing attacks against the anchor company's employees and customers.
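The report counts a domain as "missing or misconfigured" for each of the three controls without spelling out the checks. The following is an added example of what such a check looks like in practice; it is not Black Kite's scoring logic. It evaluates SPF, DKIM and DMARC TXT records for the conditions a defender would treat as a gap (absent record, permissive `+all`, more than 10 DNS-querying SPF terms, `p=none` or a missing policy in DMARC, partial `pct`, an empty DKIM public key). The records are constructed strings keyed by the DNS name they would live at, so the example runs offline; fetching live records (for instance with dnspython) is assumed to happen outside this code.

```python
"""Offline SPF / DKIM / DMARC record checks (added example, constructed records)."""
import re

# Constructed sample TXT records; none of these are real domains' records.
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailer.test ip4:192.0.2.0/24 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100",
    "sel1._domainkey.example.test": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7",
    "weak.test": "v=spf1 include:a.test include:b.test +all",
    "_dmarc.weak.test": "v=DMARC1; p=none",
    "sel1._domainkey.weak.test": "v=DKIM1; k=rsa; p=",
    "missing.test": None,  # domain exists but publishes no records at all
}


def check_spf(record):
    """Return a list of findings for one SPF TXT record (None means no record published)."""
    if record is None:
        return ["missing SPF record"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last not in ("-all", "~all", "?all", "+all", "all") and not last.startswith("redirect="):
        findings.append("no terminal 'all' mechanism; unlisted senders are not rejected")
    if last in ("+all", "all", "?all"):
        findings.append(f"permissive terminal mechanism '{last}' lets anyone send")
    # RFC 7208 caps DNS-querying terms at 10; beyond that receivers return permerror.
    lookups = 0
    for term in terms[1:]:
        mech = term.lstrip("+-~?").lower()
        name = mech.split(":", 1)[0].split("/", 1)[0]
        if name in ("a", "mx", "ptr", "include", "exists") or mech.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_tags(record):
    """Split a 'k=v; k=v' tag list; DMARC and DKIM records share this syntax."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Findings for a _dmarc TXT record."""
    if record is None:
        return ["missing DMARC record"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' policy tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never collected")
    return findings


def check_dkim(record):
    """Findings for a <selector>._domainkey TXT record."""
    if record is None:
        return ["missing DKIM record for selector"]
    tags = parse_tags(record)
    if "v" in tags and tags["v"].upper() != "DKIM1":
        return ["unexpected DKIM version tag"]
    if "p" not in tags:
        return ["missing 'p' public-key tag"]
    if tags["p"] == "":
        return ["empty public key: selector is revoked, signatures cannot verify"]
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", tags["p"]):
        return ["public key is not valid base64"]
    return []


def assess_domain(domain, selector="sel1", records=SAMPLE_RECORDS):
    """Return {control: findings}; an empty list means the control passed."""
    return {
        "spf": check_spf(records.get(domain)),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}")),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}")),
    }


if __name__ == "__main__":
    for name in ("example.test", "weak.test", "missing.test"):
        print(name, assess_domain(name))
```

The DKIM check needs a selector, which is the one piece of information a third-party assessor cannot read from DNS alone; in practice it is taken from the `s=` tag of a DKIM-Signature header on mail the domain actually sends.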
Stealer Logs
The most critical finding is the widespread presence of compromised credentials, confirming that initial access has already been granted to a majority of the industry. A Stealer Logs finding in the Supply Chain exposes every client connected to that vendor.
As noted in the previous chapter, Stealer Logs are traded on the dark web and represent the ultimate tool for initial access. Hackers use the harvested credentials and critical session tokens to bypass perimeter defenses and log directly into a company’s VPNs, cloud portals, or critical systems, often circumventing Multi-Factor Authentication (MFA). This immediate, unauthorized entry enables them to move laterally within the corporate network and execute high-impact attacks, such as deploying ransomware or stealing mass amounts of proprietary data and customer PII.
Stealer Logs Findings (%)
As highlighted in the KRI table, the fact that over 70% of major Retailers, nearly 60% of Wholesalers, and 52% of the Supply Chain have exposed credentials is the most critical finding. This high exposure confirms that the attacker's preferred entry method—bypassing perimeter defenses—is succeeding across the entire industry. This risk must be treated as the security baseline for all future strategy and third-party oversight.
Only critical stealer log findings were taken into account for this analysis. These include:
- Domain detected in both the username/email and URL fields of a password file
- Domain detected in the username/email field, but not in the URL
Less severe findings—such as detections lacking domain correlation or without password exposure—were excluded from this summary, as they do not indicate a direct or actionable risk.
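The two criteria above (domain in both the username/email and URL fields, or in the username/email field only) are the whole severity rule for this analysis. The following is an added illustration of that triage rule, not Black Kite's own classifier: given normalised stealer-log entries and the organisation's domain, it assigns each entry to one of the two critical classes or to an excluded class, and summarises the counts. The entry schema (`url`, `username`, `has_password`) is an assumption, and the sample entries are constructed. The domain match is done on the URL host and on the email's domain part as a whole label, so that an unrelated domain such as notexample.test does not match example.test by substring.

```python
"""Classify stealer-log entries by the report's critical-finding criteria (added example)."""
from collections import Counter
from urllib.parse import urlsplit

CRITICAL_BOTH = "critical-both"            # domain in username/email AND in URL host
CRITICAL_USERNAME = "critical-username"    # domain in username/email but NOT in URL
EXCLUDED_URL_ONLY = "excluded-url-only"    # domain only in URL: not one of the two critical classes
EXCLUDED_NO_CORRELATION = "excluded-no-correlation"
EXCLUDED_NO_PASSWORD = "excluded-no-password"

# Constructed sample entries (assumed schema; passwords themselves are never stored here).
SAMPLE_ENTRIES = [
    {"url": "https://vpn.example.test/login", "username": "jdoe@example.test", "has_password": True},
    {"url": "https://mail.thirdparty.test/", "username": "asmith@example.test", "has_password": True},
    {"url": "https://portal.example.test/", "username": "personal@webmail.test", "has_password": True},
    {"url": "https://vpn.example.test/", "username": "jdoe@example.test", "has_password": False},
    {"url": "https://notexample.test/", "username": "x@notexample.test", "has_password": True},
    {"url": "not a url", "username": "jdoe", "has_password": True},
]


def _host_matches(host, domain):
    """True if host equals the domain or is a subdomain of it (label-wise, not substring)."""
    host = (host or "").lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return bool(host) and (host == domain or host.endswith("." + domain))


def _email_domain(username):
    """Domain part of an email-style username; empty string if there is none."""
    return username.rsplit("@", 1)[1] if "@" in username else ""


def classify_finding(entry, domain):
    """Apply the report's two critical criteria; everything else is an excluded class."""
    if not entry.get("has_password"):
        return EXCLUDED_NO_PASSWORD
    host = urlsplit(entry.get("url", "")).hostname  # None for malformed URLs
    in_url = _host_matches(host, domain)
    in_user = _host_matches(_email_domain(entry.get("username", "")), domain)
    if in_user and in_url:
        return CRITICAL_BOTH
    if in_user:
        return CRITICAL_USERNAME
    if in_url:
        return EXCLUDED_URL_ONLY
    return EXCLUDED_NO_CORRELATION


def summarize(entries, domain):
    """Counts per class plus the number of critical findings for the domain."""
    counts = Counter(classify_finding(e, domain) for e in entries)
    critical = counts[CRITICAL_BOTH] + counts[CRITICAL_USERNAME]
    return {"counts": dict(counts), "critical": critical}


if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRIES, "example.test"))
```

The URL-only case is the one most worth discussing with a vendor: a personal mailbox logging into a corporate portal is not a "domain-correlated" credential under the report's rule, yet it still points at an account on that portal and is a candidate for forced reset.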
Ransomware Susceptibility in the Supply Chain
As mentioned in the previous chapter, the Ransomware Susceptibility Index® (RSI™) reflects the future likelihood of a ransomware attack.
A higher RSI for the vendor pool demonstrates that a significant portion of the third-party ecosystem is operating in a high-risk state.
RSI Distribution: Wholesale & Retail vs Supply Chain (%)
Nearly half of vendors are high-risk targets. 45% of all critical vendors fall into the moderate-to-high risk categories (RSI 0.4 - 1.0). This proves that almost half of the companies providing essential services to the Retail/Wholesale sectors possess the inherent characteristics that make them prime targets for ransomware groups.
Chapter 2 Takeaways
This chapter confirms that the risks identified in the internal network are both mirrored and amplified in the vendor ecosystem, necessitating a radical shift in third-party risk management from compliance management to real-time threat identification across the ecosystem.
1. The Standard of Risk is Broken (Identity):
The Stealer Log exposure across both first-party (70%) and third-party (52%) environments must be the new security baseline for all TPRM programs. If internal employee credentials are compromised, TPRM must operate under the assumption that the vendor’s network is already bypassed via stolen identity, shifting due diligence from perimeter checks to identity controls.
2. Ecosystem Complexity is the New Risk:
TPRM programs must re-prioritize and allocate resources based on vendor type, expanding scrutiny from legacy physical suppliers to highly connected digital providers, as proven by the dominance of Professional Services and Information vendors.
3. Shared Flaws Demand Shared Compliance (Patching):
The universal failure rate in Patch Management proves that basic cyber hygiene is a systemic weakness. This requires organizations to enforce non-negotiable, mandatory patching standards on all third parties, as internal failure is merely mirrored in the vendor pool.
4. Active Compromise Requires Active Response:
The high rates of Malicious IP Communication (51%) and Botnet Infection (32%) confirm that vendors are not just vulnerable, but actively compromised. This necessitates a move from static audits and questionnaires to utilizing real-time threat intelligence feeds within the TPRM process to respond immediately to active threats.
5. The RSI is the Future Indicator:
With 45% of critical vendors in the moderate-to-high RSI categories, TPRM teams must leverage predictive risk metrics (like RSI) to prioritize which vendors are most likely to be attacked next, rather than simply managing compliance failures based on historical data.