Third-Party and Vendor Risk: The Quiet Way Companies Get Breached
Your security is now the average of every vendor you trust, and most companies have no idea what that average is.
A growing share of serious breaches do not start inside the company that gets the headline. They start inside a vendor. A software supplier, a managed service, a small partner with access to your systems or your data. The attacker walks in through a door you opened on purpose, because you trusted the company on the other side of it. Third-party risk is the quiet way modern organizations get breached, and most are managing it with a questionnaire and a prayer.
You inherited their security whether you meant to or not
Every vendor you connect to becomes part of your attack surface. When you grant a partner access to your network, your data, or your customers, you have effectively adopted their security posture, including the parts you never see. Your defenses can be excellent and still fail because a vendor three steps removed from your core business had a weak link. The painful truth is that your security is now the average of everyone you depend on.
Why the standard approach fails
Most vendor risk programs reduce to a spreadsheet of questionnaires collected once at onboarding and never looked at again. There are two problems with that. First, a questionnaire is a snapshot of what a vendor claims on one day, not what is true on every day after. Second, risk is not evenly distributed. The program that treats the vendor with deep access to patient records the same as the vendor that supplies office snacks is wasting effort on one and underweighting the other.
A vendor questionnaire tells you what a company was willing to write down once. It does not tell you whether they will be the reason you make the news.
What better looks like
- Tier by access, not by spend. Rank vendors by what they can touch. The risk lives in access to data and systems, not in the size of the invoice.
- Right-size the scrutiny. Apply deep diligence to the handful of vendors who could genuinely hurt you, and a light touch to the rest. Treating everyone the same guarantees you under-examine the dangerous ones.
- Make it continuous. A vendor's security changes over time. Onboarding diligence is a starting point, not a verdict.
- Put it in the contract. Breach notification timelines, access limits, and security expectations belong in writing, before you need them.
- Plan for their failure. Assume a critical vendor will have an incident, and know in advance how you would respond and contain it.
The leadership question
The board-level question is simple and uncomfortable. If our most critical vendor were breached tomorrow, would we know, how fast, and what could we do about it? Most organizations cannot answer cleanly, which is exactly why this risk keeps producing surprises. Treating vendor risk as a connected part of your security program, rather than a procurement formality, is one of the highest-leverage moves a leader can make. It ties directly into why most cybersecurity programs fail.
FAQ
What is third-party or vendor risk management?
It is the practice of identifying and managing the security risk that comes from the vendors, suppliers, and partners who have access to your systems or data. Strong programs tier vendors by access, apply deeper scrutiny to the riskiest, and monitor continuously rather than once at onboarding.
Why are vendor breaches so common?
Because connecting a vendor to your systems effectively adopts their security posture. A well-defended company can still be breached through a trusted partner with weaker controls, which is why supply-chain attacks have become a leading cause of incidents.