TL;DR: Recurring pressure points in supply chain cyber risk, third-party breaches, AI-enabled attacks, and the LapDogs ORB campaign used routers and IoT devices to establish persistent espionage footholds across multiple regions, according to SecurityScorecard’s Q2 2025 coverage. The lesson for security and identity teams is that exposed suppliers, unmanaged device trust, and weak credential governance now interact as one risk surface.
NHIMG editorial — based on content published by SecurityScorecard: Q2 2025 press coverage and threat intelligence highlights
Questions worth separating out
Q: What breaks when third-party access is not tightly governed?
A: When third-party access is broad or persistent, one supplier compromise can become a pathway into multiple environments.
Q: Why do routers and IoT devices matter in supply chain attacks?
A: Routers and IoT devices matter because attackers can turn them into distributed proxy infrastructure that hides origin, preserves persistence, and complicates attribution.
Q: How do security teams know if supplier trust has become a blind spot?
A: Supplier trust becomes a blind spot when external identities, tokens, and support channels exist without clear ownership, expiry, or revocation paths.
Practitioner guidance
- Inventory every external trust edge Build a single view of supplier identities, support accounts, API tokens, and device-originated access that can touch critical systems.
- Reduce standing third-party access Replace persistent supplier access with task-scoped approval paths where possible, and require explicit reauthorisation for privileged actions.
- Bring edge devices into risk scoring Include routers, home-office devices, and IoT assets in exposure analysis when they participate in corporate connectivity, remote access, or relay functions.
What's in the full article
SecurityScorecard's full coverage covers the operational detail this post intentionally leaves for the source:
- The linked coverage index on the LapDogs ORB report and related media mentions.
- Executive commentary on third-party risk management and supply chain cyber risk.
- Links to Q2 podcast appearances and company news for deeper context on the broader programme.
- Additional coverage references on AI-enabled attacks, third-party breaches, and critical infrastructure threats.
👉 Read SecurityScorecard's Q2 2025 coverage of supply chain risk and LapDogs →
Supply chain cyber risk and ORB networks: what teams need to know?
Explore further
Supply chain cyber risk has become an identity and trust problem, not just a vendor assurance problem. When external infrastructure and third-party access can be reused as covert operational plumbing, the real issue is whether organisations can prove who or what is trusted at each handoff. That shifts the governance burden onto identity lifecycle control, entitlement scope, and continuous monitoring across supplier connections. Practitioners should assume supplier trust is conditional and revocable.
A question worth separating out:
Q: Which frameworks help govern third-party access and supply chain risk?
A: NIST Cybersecurity Framework 2.0, NIST SP 800-53, and MITRE ATT&CK are useful starting points for managing supplier risk, access control, and adversary behaviour. For identity-heavy supplier connections, pair them with OWASP Non-Human Identity guidance so machine credentials, tokens, and service access are governed as part of the same control set.
👉 Read our full editorial: SecurityScorecard Q2 2025 coverage highlights supply chain risk