Third-party security risks refer to the threats and vulnerabilities introduced to an organisation’s IT environment via external partners – such as vendors, suppliers, service providers, or contractors. This reliance can expand the attack surface beyond the organisation’s direct control. A breach in one of your suppliers or service providers can quickly become your breach. In other words, even if your own systems are secure, an attacker may bypass your defences by targeting a less secure partner. The cascading effect of such incidents has been dramatically demonstrated in recent years.

The Rapid Rise of Third-Party Security Threats

Attackers have realised that by breaching one vendor, they can potentially infiltrate hundreds or thousands of client organisations. According to a recent report by Verizon, 30% of cyber incidents now occur through third-party risks, up from 15% over the last 12 months. This highlights a worrying trend: third-party incidents are no longer rare freak occurrences – they have become alarmingly common and can exact a heavy toll on victim organisations.

The Danger of Assumptions and Blind Trust

A common pitfall in IT security is assuming that partner organisations “have their security under control.” It’s easy to trust a reputable vendor or to focus on internal defences while neglecting vetting of outsiders. However, this assumption can be dangerous. Surveys show that many organisations lack visibility into third-party risks: only about 40% of companies thoroughly understand the risk of data breaches through third parties, and nearly one-quarter have little to no understanding of these risks at all. This blind spot suggests that many firms simply trust their partners without verification – a gap that attackers are eager to exploit. In practice, failing to scrutinise vendors can lead to nasty surprises. History offers clear lessons: for example, a major retailer’s breach in the 2010s originated through a compromised AC supplier, and more recently an identity provider’s systems were accessed via a hacked subcontractor – in each case, the victim believed their third party was handling security, until an incident proved otherwise.

Blind trust in third parties can undermine even a strong internal security posture. Partners often hold sensitive data or network access, so their security lapses (like reused passwords, unpatched servers, or misconfigured storage) directly impact you. Notably, one study found around 58% of supply chain attacks aimed at gaining access to data from the end customers. This means attackers are actively targeting weak links among your suppliers to reach your data. The lesson is clear: never assume external organisations are secure by default. Robust third-party risk management – including due diligence, continuous security assessments, and clear security requirements for vendors – is essential. If your organisation doesn’t treat third-party risk as a first-class priority, it’s effectively leaving a back door open in your defences.

Common Third-Party Security Gaps to Address

To better understand why third-party breaches happen, it helps to look at common security gaps on the side of vendors and partners. A recent analysis identified six of the most frequent third-party security gaps:

  • Unpatched Servers and Software – Many third-party providers fail to promptly apply security updates or patches. Outdated systems with known vulnerabilities are “low-hanging fruit” for attackers, providing an easy entry point if left unpatched. Ensuring vendors have rigorous patch management is critical, as unpatched software has been a factor in numerous breaches.
  • Compromised User Credentials – Weak or reused passwords, and a lack of multi-factor authentication, make it easy for attackers to steal or guess login credentials. Phishing of vendor employees can also yield valid credentials. If an attacker obtains a vendor’s VPN or application password, they may gain direct access to your data. Requiring strong authentication and monitoring for stolen credentials are vital steps for both you and your partners.
  • Unprotected Web Assets – Third parties often host web portals, APIs, or cloud storage for your organisation’s data. If those web assets are not properly secured – for instance, an open database, misconfigured cloud bucket, or vulnerable web application – attackers can find and exploit them. Any internet-facing system of a supplier should be hardened and monitored. Lack of basic web/app security on the vendor side has led to sensitive data leaks in many cases.
  • Inadequate Data Protection (At Rest and In Transit) – If a vendor is storing your company’s data, is that data encrypted and protected both in storage and during transmission? In many third-party breaches, sensitive data was found stored in plaintext or without proper encryption, making it easy for criminals to harvest. Ensuring partners encrypt data at rest, use secure protocols for data in transit, and implement strong access controls can mitigate this gap. Without such measures, a breach at the third party can expose confidential information in clear text.
  • Weak Network Security Controls – This gap includes poor internal security architecture at the vendor: e.g. firewalls left open, default or weak configurations in VPNs and network devices, or lack of network segmentation. If a supplier’s network is not hardened, an attacker who breaches them can move laterally or even tunnel into your connection with them. “Inadequate virtual security” on the vendor side (insufficient firewalling, insecure remote access, etc.) puts your entire integration at risk. Organisations should be asking partners about their network security measures and requiring certain baseline controls.
  • Insufficient Monitoring and Incident Response – Often third parties lack robust detection and response capabilities. They might not quickly notice a breach, giving attackers ample dwell time. Or they have poor backup practices and no effective recovery plan, which is especially disastrous in ransomware scenarios. If a vendor is hit by malware but hasn’t prepared (e.g. offline backups, incident response plan), the impact on your operations can be prolonged and severe. Vendors should be required to maintain an incident response plan and notify you promptly of any breach. Preparation – such as regular security training for vendor staff and tested response procedures – is key to limiting damage.

All the above gaps are alarmingly common. When onboarding or auditing third-party providers, these are the areas to evaluate closely. Closing these security gaps will significantly reduce the risk that a partner’s weaknesses turn into your incident.

Bringing Third-Party Risk Into Your Security Posture

For a modern organisation, third-party risk is part and parcel of overall cybersecurity risk. It must be considered an integral component of your security posture, not an afterthought. This means extending your security governance to include vendors and suppliers: performing due diligence before engaging them, setting security requirements in contracts, monitoring their security reports or certifications, and periodically reassessing their risk profile. In practice, effective third-party risk management might involve questionnaires, audits, or using third-party risk rating services – as well as fostering open communication so that partners alert you to issues.
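One way to make the six gaps above operational inside the questionnaire-based due diligence this paragraph describes is to score each vendor’s answers against a fixed set of checks and rank vendors by the result. The example below is added here and is not code from the original article or from any product it mentions; the questionnaire schema (`VendorResponse`), the thresholds (30-day patch SLA, TLS 1.2 minimum, 72-hour notification SLA), the finding weights and the two sample vendors are all constructed assumptions for illustration.

```python
"""Score a vendor security questionnaire against six common third-party gaps.

Added example, not from the original article. The questionnaire schema,
thresholds, weights and sample vendors below are constructed assumptions.
"""
from dataclasses import dataclass, field

# The six gaps named in the article, used here as finding categories.
UNPATCHED = "Unpatched servers and software"
CREDENTIALS = "Compromised user credentials"
WEB_ASSETS = "Unprotected web assets"
DATA_PROTECTION = "Inadequate data protection"
NETWORK = "Weak network security controls"
MONITORING_IR = "Insufficient monitoring and incident response"

# Thresholds are assumptions for this example, not figures from the article.
MAX_PATCH_SLA_DAYS = 30            # critical patches applied within 30 days
MAX_MONTHS_SINCE_EXTERNAL_TEST = 12  # external assets tested at least yearly
MIN_TLS = (1, 2)                   # TLS 1.2 or newer for data in transit
MAX_NOTIFICATION_HOURS = 72        # contractual breach-notification SLA


@dataclass
class VendorResponse:
    """Structured answers from a vendor questionnaire (constructed schema)."""
    name: str
    patch_sla_days: int               # max days to apply critical patches
    mfa_enforced: bool                # MFA on all remote and admin access
    months_since_external_test: int   # months since last external pentest/scan
    encrypts_at_rest: bool            # customer data encrypted in storage
    min_tls_version: str              # lowest TLS version still accepted
    network_segmented: bool           # customer integrations isolated
    remote_access_hardened: bool      # no default creds / exposed mgmt ports
    central_detection: bool           # central logging plus endpoint detection
    offline_backups: bool             # backups not reachable from production
    ir_plan_tested: bool              # incident response plan exercised
    breach_notification_hours: int    # hours within which they must notify you


@dataclass
class Finding:
    gap: str
    detail: str
    weight: int


@dataclass
class Assessment:
    vendor: str
    findings: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(f.weight for f in self.findings)

    @property
    def gaps(self) -> set:
        return {f.gap for f in self.findings}

    @property
    def tier(self) -> str:
        # Tier cut-offs are arbitrary for the example; tune to your risk appetite.
        if self.score == 0:
            return "low"
        return "medium" if self.score < 5 else "high"


def _tls_tuple(version: str) -> tuple:
    """Turn '1.2' into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(v: VendorResponse) -> Assessment:
    """Map questionnaire answers onto the six gap categories with weighted findings."""
    a = Assessment(vendor=v.name)

    def add(gap: str, detail: str, weight: int) -> None:
        a.findings.append(Finding(gap, detail, weight))

    if v.patch_sla_days > MAX_PATCH_SLA_DAYS:
        add(UNPATCHED, f"critical patch SLA is {v.patch_sla_days} days", 2)
    if not v.mfa_enforced:
        add(CREDENTIALS, "MFA not enforced for remote/admin access", 3)
    if v.months_since_external_test > MAX_MONTHS_SINCE_EXTERNAL_TEST:
        add(WEB_ASSETS, f"internet-facing assets last tested {v.months_since_external_test} months ago", 2)
    if not v.encrypts_at_rest:
        add(DATA_PROTECTION, "customer data stored unencrypted", 3)
    if _tls_tuple(v.min_tls_version) < MIN_TLS:
        add(DATA_PROTECTION, f"TLS {v.min_tls_version} still accepted", 2)
    if not v.network_segmented:
        add(NETWORK, "flat network, customer integrations not segmented", 2)
    if not v.remote_access_hardened:
        add(NETWORK, "VPN/remote access with default or weak configuration", 2)
    if not v.central_detection:
        add(MONITORING_IR, "no central logging or endpoint detection", 2)
    if not v.offline_backups:
        add(MONITORING_IR, "no offline backups (ransomware recovery risk)", 2)
    if not v.ir_plan_tested:
        add(MONITORING_IR, "incident response plan never exercised", 1)
    if v.breach_notification_hours > MAX_NOTIFICATION_HOURS:
        add(MONITORING_IR, f"breach notification SLA is {v.breach_notification_hours} h", 1)
    return a


def prioritise(vendors) -> list:
    """Assess every vendor and order the results by descending risk score."""
    return sorted((assess(v) for v in vendors), key=lambda a: a.score, reverse=True)


# Constructed sample vendors (illustrative only).
GOOD_VENDOR = VendorResponse("payroll-saas", 14, True, 6, True, "1.2", True, True, True, True, True, 24)
WEAK_VENDOR = VendorResponse("logistics-portal", 90, False, 30, False, "1.0", False, False, False, False, False, 168)

if __name__ == "__main__":
    for result in prioritise([GOOD_VENDOR, WEAK_VENDOR]):
        print(f"{result.vendor}: tier={result.tier} score={result.score}")
        for f in result.findings:
            print(f"  [{f.gap}] {f.detail}")
```

The output of `prioritise` is the list a risk team would walk through with procurement: the weakest vendor surfaces first, and each finding is already labelled with the gap category, so the remediation request or contract clause it maps to is obvious. Because the checks are data-driven, re-running them on a refreshed questionnaire gives the periodic reassessment the paragraph calls for.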

Crucially, internal security teams should collaborate with procurement and legal departments to ensure that security is a factor in choosing third-party providers and that appropriate clauses (for incident notification, data handling, etc.) are in place. Continuous monitoring is ideal; risks can change over time (for example, a vendor might fall behind on patches or suffer a staff change that impacts security). Incorporating third-party scenarios into your own incident response plans is also wise – how would you respond if a critical supplier were breached? Plan for contingencies such as a sudden loss of a vendor’s service or a data leak originating from a partner.

Third-party risks are real and growing, and they cannot be ignored. Security leaders must treat the security of partners with the same seriousness as internal security. As one industry expert put it, the attack surface now extends to your entire vendor network – a breach at a third party can disrupt your business and damage customer trust just as surely as a breach in your own systems. By shedding the assumption that “someone else is handling security” and proactively addressing third-party risk, organisations can significantly strengthen their overall cyber resilience.

The question is no longer “Are third-party risks a growing problem?” – the evidence clearly says yes – but rather, “How prepared is your organisation to manage that problem?”
