Inbound Logistics | May 2026

RISKS&REWARDS [ INSIGHT ]

by Michael Irwin, CISO and VP, Technology Operations, Odyssey Logistics | linkedin.com/in/michaeljamesirwin | 866-487-7481

Has Vendor Vetting Become Security Theater?

In 1787, Russian minister Grigory Potemkin built fake settlements along the Dnieper River to impress Empress Catherine II during her tour of Crimea. The hollow facades were painted to look like thriving villages. While the empress saw prosperity, behind the walls stood empty fields.

Vendor security vetting in logistics often resembles a similar facade. Overwhelmed by the volume of assessments, many companies turned to automation for relief. Now, AI generates and fills out the security questionnaires. Shippers review this impressive documentation and sign off on partnerships. But behind this theater, actual vulnerabilities remain unexamined. While the process satisfies auditors, attackers walk through unlocked doors. Supply chain companies face more attacks than other sectors because of the gap between the security we document and the security we actually have.

The drift happened gradually. Vendors began receiving dozens of security questionnaires, each with different questions from different customers. The burden became unsustainable, so companies automated their responses. Shippers, facing their own volume problem, automated their evaluations. The result is a closed loop where artificial intelligence asks and answers questions with little human judgment involved.

Current breach reporting requirements compound this problem. Regulations require companies to report breaches only when unencrypted sensitive data is lost. If attackers steal encrypted data, most companies don’t report it. Unreported breaches are still risky, however. This regulatory gap muddies the waters. A vendor questionnaire showing zero reportable incidents may mean the vendor hasn’t lost unencrypted data—yet. It says nothing about whether their systems have been compromised or whether attackers are already inside their network.

Bad actors have learned to exploit this broken system methodically. They rarely waste resources attacking Fortune 500 companies with substantial cybersecurity budgets. Instead, they target the smaller vendors those companies depend on.

To move from vetting theater to actual risk management, start with these steps:

1. Map your environment completely. Create a data flow diagram showing every third-party connection to your systems. Document what data each vendor can access and which systems they touch. Many breaches exploit connections companies forgot existed.

2. Build real risk profiles. Replace generic questionnaires with requirements tied to specific access. A vendor that only receives purchase orders faces different risks than one with direct access to your WMS. Define what security controls each level of access requires.

3. Enforce through validation, not self-attestation. Require SOC 2 Type II certifications as a baseline for any vendor accessing your systems. For critical vendors, conduct annual penetration testing or require evidence of their own testing. Ask for proof of cyber insurance with adequate coverage limits.

4. Implement least-privilege access. Use network segmentation to isolate vendor connections. If a logistics provider only needs to update shipment status, it shouldn’t be able to query customer data or access financial systems.

CLOSING THE GAP

When the Empress’ tour ended, she was convinced of a prosperity that didn’t exist. Shippers conduct similar tours of vendor security, reviewing documentation that confirms protections that may not be there. Closing the gap between what we verify and what exists requires examining what’s actually behind the walls.
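The access-tiered requirements, validation-over-attestation rule and least-privilege check from the four steps above, worked through as an added example that is not part of this column or of any Odyssey Logistics tooling; the tiers, evidence names, system names and vendors are all constructed.

```python
from dataclasses import dataclass

# Validated evidence each access tier must produce (constructed tiers).
# A questionnaire answer is only an attestation; it satisfies nothing here.
REQUIRED_EVIDENCE = {
    "po_only":         {"cyber_insurance"},
    "shipment_status": {"cyber_insurance", "soc2_type2"},
    "wms_direct":      {"cyber_insurance", "soc2_type2", "pentest_report"},
}
# Systems a vendor at each tier may reach across the segmented network.
ALLOWED_SYSTEMS = {
    "po_only":         {"procurement_portal"},
    "shipment_status": {"shipment_api"},
    "wms_direct":      {"shipment_api", "wms"},
}

@dataclass
class Vendor:
    name: str
    tier: str
    evidence: set           # artifacts actually reviewed (SOC 2 report, etc.)
    attested: set           # controls the vendor merely claims on a questionnaire
    reachable_systems: set  # what the vendor's connection can reach today

def assess(vendor):
    """Return findings for one vendor; an empty list means it meets its tier."""
    findings = []
    for control in sorted(REQUIRED_EVIDENCE[vendor.tier] - vendor.evidence):
        status = "self-attested only" if control in vendor.attested else "not provided"
        findings.append(f"{control}: {status}")
    for system in sorted(vendor.reachable_systems - ALLOWED_SYSTEMS[vendor.tier]):
        findings.append(f"over-privileged: connection reaches {system}")
    return findings

def assess_inventory(inventory):
    """Map each vendor name to its findings: gaps, not paperwork."""
    return {v.name: assess(v) for v in inventory}

# Constructed sample inventory; vendor names are fictional.
INVENTORY = [
    Vendor("RoadRunner Carriers", "shipment_status", evidence={"cyber_insurance"},
           attested={"soc2_type2"}, reachable_systems={"shipment_api", "customer_db"}),
    Vendor("PalletPro 3PL", "wms_direct", attested=set(),
           evidence={"cyber_insurance", "soc2_type2", "pentest_report"},
           reachable_systems={"shipment_api", "wms"}),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(name, "->", findings or ["meets tier requirements"])
```

The first vendor is flagged twice: its SOC 2 Type II status exists only as a questionnaire claim, and its connection can reach a customer database that a shipment-status integration never needs.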
