{"id":6249,"date":"2025-08-15T14:47:27","date_gmt":"2025-08-15T13:47:27","guid":{"rendered":"https:\/\/amtivo.com\/uk\/standards\/\/\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/"},"modified":"2025-12-15T16:16:01","modified_gmt":"2025-12-15T16:16:01","slug":"what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security","status":"publish","type":"standard-post-filter","link":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/","title":{"rendered":"Understanding \u201cShadow Compliance\u201d and Supply Chain Security"},"content":{"rendered":"<p>Not many people will be familiar with the idea of <em>shadow compliance<\/em>, but it could turn out to be one of the more consequential cybersecurity trends of the post-pandemic era.<\/p>\r\n<p>A form of special due diligence, its meaning is illustrated by a recent story of an unnamed company that was negotiating to sell its technology to a European bank, as <a href=\"https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2022\/07\/06\/shadow-compliance-the-cybersecurity-trend-nobody-is-talking-about\/\" target=\"_blank\" rel=\"noopener\">recounted<\/a> recently by Howard Taylor, CTO of security vendor Radware.<\/p>\r\n<p>Communication between the parties progressed normally until one day the company received an unexpected call from its prospective customer saying that the bank had noticed unusual traffic emanating from its network. Could this anomaly be explained? 
It transpired that the bank had engaged penetration testers to probe the tech company\u2019s network for cybersecurity issues affecting its public-facing systems.<\/p>\r\n<p>The traffic was in fact a legitimate scan conducted by the company as part of its internal security procedures, but the fact that it had been asked to explain this made what was going on embarrassingly obvious: before becoming a customer, the bank wanted to test its potential partner\u2019s network for evidence of possible compromise or oversight.<\/p>\r\n<p>Organisations expect to be probed for security weaknesses by cybercriminals, not by other companies, and certainly not by partners and friends. But that\u2019s the thing about shadow compliance \u2013 it\u2019s <em>shadow<\/em> compliance because you don\u2019t know it\u2019s happening until the company doing it tells you, assuming they ever do. In many cases, this sort of covert scanning will never be made public.<\/p>\r\n<h2>Why Is This Happening?<\/h2>\r\n<p>The short answer is the influence of zero trust, which CISOs take increasingly seriously. For decades, it has been standard procedure to give supply chain partners the once-over: a form of basic due diligence that assessed their service reliability, past record, management, and financial health. More recently, cybersecurity incidents were added to this list. When experts talk about the effect of a cybersecurity incident on reputational risk scoring, this is one of the things they are referring to.<\/p>\r\n<p>But asking questions or looking at the past doesn\u2019t tell you everything. As the many ransomware attacks on big-brand companies underline, how secure a company looks from the outside, or from a slick website, isn\u2019t the same as how secure it is. Even the most attentive companies can miss important things. The game has changed, and nothing is being taken on trust. Assumptions about security are no longer good enough. 
A small but growing number of companies with the budget to hire penetration testers are subjecting their friends to evidence-based inspection.<\/p>\r\n<p>Welcome to the era of the zero-trust supply chain.<\/p>\r\n<h2>What Sort of Tests Are Involved?<\/h2>\r\n<p>Shadow compliance is more superficial than a conventional authorised penetration test, which would probe much further into a company\u2019s systems and behaviour under pre-agreed rules of engagement. Nor does it involve any exploitation or illegal act. Then again, a test doesn\u2019t always need to be comprehensive to be revealing. This is information gathering: a test without the penetration element.<\/p>\r\n<p>Shadow compliance testing involves looking for obvious red flags such as exposed devices or suspicious traffic. It might also involve a dark web check to see whether any sensitive company data is floating around that indicates a past or undisclosed breach. When stated like this, shadow compliance sounds quite sensible. Who wants to become a customer or partner of a company that can\u2019t secure its own data?<\/p>\r\n<h2>Who Is Affected?<\/h2>\r\n<p>By its nature, evidence for shadow compliance remains anecdotal. It also costs money for the company carrying out the checks, so it\u2019s unlikely to be common behaviour yet.<\/p>\r\n<p>However, one sector that might be under more scrutiny right now is technology, which is not hard to understand given the rise of sophisticated attacks targeting the software supply chain, such as those on <a href=\"https:\/\/www.nytimes.com\/2021\/02\/23\/opinion\/solarwinds-hack.html\" target=\"_blank\" rel=\"noopener\">SolarWinds<\/a> in late 2020 and <a href=\"https:\/\/www.nytimes.com\/2021\/07\/06\/technology\/kaseya-cyberattack-ransomware-revil.html\" target=\"_blank\" rel=\"noopener\">Kaseya<\/a> in 2021. 
Attackers have realised that a technology supply chain serving thousands of customers is only as secure as its weakest link, in this case software vendors and service providers.<\/p>\r\n<p>Other sectors that might be popular with attackers are energy, pharmaceuticals, and manufacturing and engineering, where the IP is valuable. Supply chain attacks can affect even small suppliers. The belief that only larger companies are worth targeting is an out-of-date way of understanding the problem.<\/p>\r\n<p>An intriguing use of shadow compliance is that cyber-insurers might conduct checks on customers before agreeing to insure against their risk. Again, the evidence for this is anecdotal, but the logic is hard to avoid. Hard facts from an independent report have become a compelling way to assess real-world risk.<\/p>\r\n<h2>How Should Organisations React?<\/h2>\r\n<p>One response is for organisations to check their own public-facing systems using the same pen-testing approach. The objective here is to understand vulnerabilities before someone else spots the same issues. It\u2019s also worth considering whether scans of this kind might be misinterpreted by outside observers, as the company\u2019s own scan was in the Radware story above.<\/p>\r\n<h2>Conclusion<\/h2>\r\n<p>It\u2019s possible to see shadow compliance as a logical development of the way organisations are asking more questions these days. Normally this is a matter of requesting certificates or evidence that a company has conducted pen tests on its network at regular intervals. The difference with shadow compliance is that this process is done more covertly.<\/p>\r\n<p>Not that long ago, penetration tests were seen as something most companies probably didn\u2019t need to do. Now all companies conduct some form of penetration test, for example to achieve <a href=\"\/uk\/standards\/cyber-essentials-plus\/certification\/\">Cyber Essentials Plus certification<\/a> or just for peace of mind. 
Think of shadow compliance as moving the same idea up a notch.<\/p>\r\n<p>&nbsp;<\/p>","protected":false},"excerpt":{"rendered":"Get quality valuable resources to enhance knowledge of our ISO certification and auditing services. Obtain expert help from British Assessment Bureau.","protected":false},"author":24,"featured_media":6250,"template":"","meta":{"_acf_changed":false,"_searchwp_excluded":"","footnotes":""},"standard-post-categories":[31],"standard-post-tags":[32],"class_list":["post-6249","standard-post-filter","type-standard-post-filter","status-publish","has-post-thumbnail","hentry","standard-post-categories-insights","standard-post-tags-cyber-essentials"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Understanding \u201cShadow Compliance\u201d and Supply Chain Security<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Understanding \u201cShadow Compliance\u201d and Supply Chain Security\" \/>\n<meta property=\"og:description\" content=\"Get quality valuable resources to enhance knowledge of our ISO certification and auditing services. 
Obtain expert help from British Assessment Bureau.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Amtivo UK\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-15T16:16:01+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/09\/software-developers-discussing-about-source-code-c-2022-01-13-00-41-00-utc.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"682\" \/>\n\t<meta property=\"og:image:height\" content=\"384\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/04\/testimonialImage-placeholder.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Understanding \u201cShadow Compliance\u201d and Supply Chain Security","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/","og_locale":"en_GB","og_type":"article","og_title":"Understanding \u201cShadow Compliance\u201d and Supply Chain Security","og_description":"Get quality valuable resources to enhance knowledge of our ISO certification and auditing services. 
Obtain expert help from British Assessment Bureau.","og_url":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/","og_site_name":"Amtivo UK","article_modified_time":"2025-12-15T16:16:01+00:00","og_image":[{"width":682,"height":384,"url":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/09\/software-developers-discussing-about-source-code-c-2022-01-13-00-41-00-utc.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_image":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/04\/testimonialImage-placeholder.jpg","twitter_misc":{"Estimated reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/","url":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/","name":"Understanding \u201cShadow Compliance\u201d and Supply Chain 
Security","isPartOf":{"@id":"https:\/\/amtivo.com\/uk\/#website"},"primaryImageOfPage":{"@id":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/#primaryimage"},"image":{"@id":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/#primaryimage"},"thumbnailUrl":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/09\/software-developers-discussing-about-source-code-c-2022-01-13-00-41-00-utc.jpg","datePublished":"2025-08-15T13:47:27+00:00","dateModified":"2025-12-15T16:16:01+00:00","breadcrumb":{"@id":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/#primaryimage","url":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/09\/software-developers-discussing-about-source-code-c-2022-01-13-00-41-00-utc.jpg","contentUrl":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/09\/software-developers-discussing-about-source-code-c-2022-01-13-00-41-00-utc.jpg","width":682,"height":384},{"@type":"BreadcrumbList","@id":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-shadow-compliance-and-what-does-it-mean-for-supply-chain-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/amtivo.com\/uk\/"},{"@type":"ListItem","position":2,"name":"Standards","item":"https:\/\/amtivo.com\/uk\/standard
s\/"},{"@type":"ListItem","position":3,"name":"Cyber Essentials","item":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/"},{"@type":"ListItem","position":4,"name":"Insights","item":"https:\/\/amtivo.com\/uk\/standards\/insights\/"},{"@type":"ListItem","position":5,"name":"Understanding \u201cShadow Compliance\u201d and Supply Chain Security"}]},{"@type":"WebSite","@id":"https:\/\/amtivo.com\/uk\/#website","url":"https:\/\/amtivo.com\/uk\/","name":"Amtivo","description":"","publisher":{"@id":"https:\/\/amtivo.com\/uk\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/amtivo.com\/uk\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/amtivo.com\/uk\/#organization","name":"Amtivo","url":"https:\/\/amtivo.com\/uk\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/uk\/#\/schema\/logo\/image\/","url":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/10\/cropped-BAB-Amtivo-Joint-Logo-Updated-300ppi.png","contentUrl":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/10\/cropped-BAB-Amtivo-Joint-Logo-Updated-300ppi.png","width":371,"height":203,"caption":"Amtivo"},"image":{"@id":"https:\/\/amtivo.com\/uk\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/standard-post-filter\/6249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/standard-post-filter"}],"about":[{"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/types\/standard-post-filter"}],"author":[{"embeddable":true,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/users\/24"}],"version-history":[{"count":3,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/standard-post-filter\/6249\/revisions"}],"predecessor-version":[{"id":7000,"href":"ht
tps:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/standard-post-filter\/6249\/revisions\/7000"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/media\/6250"}],"wp:attachment":[{"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/media?parent=6249"}],"wp:term":[{"taxonomy":"standard-post-categories","embeddable":true,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/standard-post-categories?post=6249"},{"taxonomy":"standard-post-tags","embeddable":true,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/standard-post-tags?post=6249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}