In 2020, a routine software update from a company called SolarWinds gave hackers access to over 18,000 organisations — including the US Treasury and Fortune 500 companies. The breach wasn’t caused by a phishing email or a weak password. It came through a trusted vendor. That single incident redefined what third-party risks look like in the modern threat landscape — and most small businesses still aren’t prepared for it.
If you share data, systems, or network access with any external vendor, contractor, or software provider, you have a third-party risk exposure. This post breaks down exactly what that means, how attackers exploit it, and what you can do right now to close the gaps.
What Are Third-Party Risks and Why Should You Care?
Third-party risks refer to the vulnerabilities that arise when you allow external parties — vendors, suppliers, SaaS platforms, IT contractors, or even cleaning services with building access — to interact with your systems, data, or physical infrastructure.
Here’s the uncomfortable truth: your security is only as strong as the weakest link in your vendor chain. You might have enterprise-grade firewalls and multi-factor authentication in place, but if your payroll provider gets breached and they hold your employee data, you’ve got a serious problem — even though you did nothing wrong.
The Hidden Scale of the Problem
According to a 2023 report by SecurityScorecard, 98% of organisations have a relationship with at least one third party that has experienced a breach in the past two years. For small businesses, the risk is amplified because they often lack the resources to properly vet the tools and services they rely on daily.
Common third parties that introduce risk include:
- Cloud storage and SaaS platforms (e.g., accounting software, CRMs)
- IT managed service providers (MSPs)
- Marketing agencies with access to your website backend
- Payment processors and e-commerce plugins
- Freelancers or contractors with remote system access
- Hardware and equipment suppliers with network connectivity
How Attackers Exploit Third-Party Risks
Cybercriminals are strategic. Rather than attacking a well-defended target directly, they look for a softer entry point — and your vendors often provide exactly that.
Supply Chain Attacks
A supply chain attack happens when a threat actor compromises a vendor’s software or service and uses it as a vehicle to reach their actual target: you. The SolarWinds attack is the most famous example, but smaller-scale versions happen constantly. A malicious update pushed through a WordPress plugin, for instance, can compromise thousands of websites at once.
Credential Theft via Third-Party Breaches
When a vendor you use suffers a data breach, your credentials stored in their system may be exposed. If your team reuses passwords across platforms (a common problem), attackers can use those stolen credentials to access your own systems through a process called credential stuffing.
Lateral Movement Through Shared Access
Some vendors require direct access to your network or systems to provide their service — think IT support tools or remote monitoring software. If that vendor’s own environment is compromised, attackers can use that access tunnel to move laterally into your infrastructure.
Building a Third-Party Risk Management Framework
You don’t need a dedicated compliance team or a six-figure budget to manage third-party risks effectively. What you do need is a structured, repeatable process.
Step 1: Create a Vendor Inventory
Start by listing every external party that has access to your systems, data, or physical premises. Most businesses are surprised by how long that list is. Include:
- Software tools and SaaS subscriptions
- IT support providers or MSPs
- Contractors and freelancers
- Cloud hosting and storage providers
- Any third-party APIs integrated into your website or apps
Categorise each vendor by the level of access they have and the sensitivity of the data they can reach. This becomes your risk register.
Step 2: Assess Each Vendor’s Security Posture
Not all vendors are equal. Before onboarding a new vendor — and periodically for existing ones — ask the right questions:
- Do they have a published security policy or compliance certifications (e.g., ISO 27001, SOC 2)?
- How do they handle and store your data?
- What is their incident response and breach notification process?
- Do they conduct regular penetration testing or security audits?
- Do they use multi-factor authentication internally?
For higher-risk vendors, request a completed security questionnaire or a copy of their most recent audit report. Many reputable vendors will provide these on request. If a vendor refuses or can’t answer basic questions, that’s a red flag.
Step 3: Enforce the Principle of Least Privilege
Never give a vendor more access than they actually need. If your accountant needs to pull monthly reports, they don’t need admin access to your entire cloud environment. Apply the principle of least privilege rigorously:
- Create role-based access controls specific to each vendor’s function
- Use time-limited access credentials where possible
- Revoke access immediately when a vendor relationship ends
- Avoid sharing master admin credentials — ever
Step 4: Include Security Requirements in Contracts
Your vendor contracts should include explicit security obligations. This isn’t just legal protection — it sets a clear expectation from the start. Key clauses to include:
- Data processing agreements (DPAs) — especially important under GDPR if you’re handling EU resident data
- Breach notification timelines (e.g., vendor must notify you within 72 hours of a confirmed incident)
- The right to audit the vendor’s security practices
- Requirements around subcontractors — who else can your vendor share your data with?
Step 5: Monitor Vendor Activity Continuously
Vendor risk isn’t a one-time checkbox — it’s an ongoing process. Set up monitoring to track unusual activity from vendor accounts. Tools like SIEM platforms (Security Information and Event Management) can flag anomalies such as a vendor account logging in at unusual hours or accessing data outside their normal scope.
For smaller businesses without enterprise tools, at minimum:
- Review vendor access logs quarterly
- Set up alerts for login attempts from unfamiliar locations or devices
- Re-evaluate your vendor risk register annually or after any major changes
Practical Steps for Small Businesses With Limited Resources
If you’re a small business owner reading this and feeling overwhelmed, here’s a stripped-down version you can implement this week:
- Audit your tools: Log every app and service your business uses and check if any have had recent breaches at
haveibeenpwned.comor through your email provider’s breach alerts. - Enable MFA everywhere: Require multi-factor authentication for every vendor-facing account and make it a deal-breaker for new vendors who don’t support it.
- Remove stale access: Check which old vendors, contractors, or ex-employees still have active logins. Revoke anything that shouldn’t be there.
- Read your SaaS terms: Know where your data is stored, who can access it, and what happens to it if you cancel the service.
- Ask one security question per vendor this quarter: Start small — ask your top five vendors how they handle a data breach. Their answers will tell you a lot.
Third-Party Risks Are a Shared Responsibility
Managing third-party risks isn’t about distrusting your vendors — it’s about building a partnership based on verified trust rather than assumed trust. The businesses that get hit hardest in supply chain attacks are usually those who handed over access and never looked back.
Cyber threats don’t always come through the front door. Sometimes they walk in through the side entrance, wearing your vendor’s uniform. Building a vendor security management process — even a basic one — dramatically reduces the chances of that happening to you.
Start with your vendor inventory today. You can’t protect what you don’t know exists.
