How Companies Can Manage Third-Party Vendor Risk

From payroll to file sharing to HR, virtually every organisation works with third-party vendors. However, it only takes a single vendor to act as a vector for cyberattack – exploited by hackers as a gateway to gain access to entire digital supply chains.

In fact, a third of all insurance claims on Resilience’s portfolio last year were due to vendor-related incidents.

Considering that these third-party vendors are essential to doing business, it is not possible to cut them out in order to eliminate the risk. But we do need a general reorientation of cybersecurity towards managing third-party risk – something that company boards and IT professionals can achieve in a number of ways.

The Third-Party Threat

A connection with a vendor acts as a gateway for risks, such as ransomware and operational outages, to be passed down the supply chain. No matter how airtight a company’s own security posture is, it remains vulnerable to disruptions originating from its partners.

There have been numerous high-profile examples of a ‘domino effect’ whereby hackers, after exploiting a single point of cybersecurity weakness, are then able to wreak havoc on the entire digital supply chain, preying on its interdependence. Many of the last year’s most significant cyber incidents – including the ransomware attacks on Change Healthcare and CDK Global, as well as the CrowdStrike outage – caused major business interruptions, preventing the organisations that used them from operating, in addition to exposing data.

Yet many organisations are not attuned to this threat. It is still generally assumed that cybersecurity can be defensive and reactive: maintain your own company’s security and respond to threats as they arise. Most organisations conduct due diligence when selecting third-party vendors but fail to continue monitoring for ongoing risks thereafter.

Despite awareness of these risks, businesses continue to experience significant outages. Our research, in partnership with YouGov, found that while 83% of leaders of the UK’s largest businesses claim to be familiar with their third-party vendor systems, nearly half (47%) suffered 12+ hour outages due to vendor breaches in the past year.

This gap in understanding underscores an urgent need for company leaders and IT departments to reorient their security efforts to respond to what is rapidly becoming the main cyber threat.

Proactivity Across The Digital Supply Chain

Organisations can take a number of concrete steps to adjust their security posture to the new threat landscape.

  • First, businesses should integrate vendor risk assessments with their risk management platforms. Systems like a centralised Risk Operation Centre can give IT professionals and company boards an instant view of vendor risk and other security alerts, while a comprehensive vendor risk report or snapshot can summarise an organisation’s publicly observable vulnerabilities.

This information then informs decisions like choice of vendors, cybersecurity investment, and cyber insurance spending.

  • Second, vendor risk assessment should become a continuous process. Currently the standard practice is to commission a single risk assessment of a vendor before deciding to purchase their services. But even if a vendor is known to be a reputable one with robust controls to protect their clients, there is no guarantee that these protocols will succeed in all instances – as the MOVEit saga illustrated.

Companies should therefore start to continuously monitor the vendors they are interfacing with for risk intelligence.

  • Third, companies should carry out more threat simulations. Companies can use ‘breach and attack’ simulations to test which parts of the digital supply chain bad actors will choose to exploit in order to gain access to the company.

Simulations like these are key in building a cyber risk profile for a company that can inform decisions on risk posture and tolerance, as well as investment.

A Change Of Mindset

Finally, there should also be a general change in mindset when it comes to cybersecurity. Because the attack surface is now so large, it is almost inevitable that a business will experience some kind of cybersecurity incident.

As a result, companies should start to view cyber incidents in the age of third-party risk as simply a cost of doing business.

Rather than trying to ward off every attack, there should be a greater emphasis on mitigating the damage from attacks. Many companies are now choosing to seat their CISOs on their boards – involving them at all levels of the business to adapt to an age where cyberattacks are a routine cost. There should also be a new emphasis on risk quantification: a monetary value on the cyber risk a company faces, which can then inform investment and spending decisions.
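The two ideas above – simulating which part of the digital supply chain an outage or breach would cascade through, and putting a monetary figure on that risk – can be combined in a small dependency-impact model. The following is an added illustration, not code from the article or from Resilience; every vendor name, dependency, hourly outage cost and incident probability in it is a constructed placeholder, and the loss formula (annual incident probability × expected outage hours × hourly cost of the affected processes) is a deliberately simple expected-loss estimate rather than any specific vendor's or insurer's methodology.

```python
from collections import defaultdict, deque

# Constructed example: internal business processes and what each depends on.
# Keys are processes; values are the vendors or other processes they need
# to function. Anything that is not a key is treated as an external vendor.
DEPENDENCIES = {
    "payroll":           {"payroll_saas", "identity_provider"},
    "file_sharing":      {"file_share_saas", "identity_provider"},
    "hr_onboarding":     {"hr_saas", "payroll"},
    "claims_processing": {"clearinghouse_saas", "file_sharing"},
}

# Constructed hourly cost (GBP) of each process being unavailable.
HOURLY_OUTAGE_COST = {
    "payroll": 2000,
    "file_sharing": 500,
    "hr_onboarding": 300,
    "claims_processing": 5000,
}

# Constructed vendor profile: (annual probability of an outage-causing incident,
# expected outage duration in hours). In practice these would come from the
# continuous monitoring feed and incident history the article describes.
VENDOR_PROFILE = {
    "payroll_saas":       (0.10, 24),
    "file_share_saas":    (0.15, 8),
    "hr_saas":            (0.05, 12),
    "identity_provider":  (0.05, 6),
    "clearinghouse_saas": (0.08, 72),
}


def build_dependents(deps=DEPENDENCIES):
    """Reverse the dependency map: node -> set of processes that need it."""
    dependents = defaultdict(set)
    for process, needs in deps.items():
        for need in needs:
            dependents[need].add(process)
    return dependents


def impacted_processes(vendor, deps=DEPENDENCIES):
    """Simulate the 'domino effect': every process that stops, directly or
    transitively, if this vendor becomes unavailable (breadth-first search)."""
    dependents = build_dependents(deps)
    seen, queue = set(), deque([vendor])
    while queue:
        node = queue.popleft()
        for proc in dependents.get(node, ()):
            if proc not in seen:
                seen.add(proc)
                queue.append(proc)
    return seen


def expected_annual_loss(vendor, deps=DEPENDENCIES,
                         costs=HOURLY_OUTAGE_COST, profile=VENDOR_PROFILE):
    """Risk quantification: probability x outage hours x hourly cost of
    everything the outage cascades into, rounded to pennies."""
    probability, hours = profile[vendor]
    hourly = sum(costs[p] for p in impacted_processes(vendor, deps))
    return round(probability * hours * hourly, 2)


def rank_vendors(profile=VENDOR_PROFILE):
    """Vendors ordered by expected annual loss, highest first."""
    return sorted(((v, expected_annual_loss(v)) for v in profile),
                  key=lambda pair: pair[1], reverse=True)


def concentration_risks(min_processes=3, profile=VENDOR_PROFILE):
    """Vendors whose outage would halt at least min_processes processes.
    Flags single points of failure that a pure loss ranking can hide."""
    return sorted(v for v in profile
                  if len(impacted_processes(v)) >= min_processes)


if __name__ == "__main__":
    for vendor, loss in rank_vendors():
        print(f"{vendor:20} expected annual loss GBP {loss:>10,.2f} "
              f"halts {sorted(impacted_processes(vendor))}")
    print("concentration risks:", concentration_risks())
```

Running it shows why the two views belong together: the clearing-house vendor tops the loss ranking because the process behind it is expensive to lose, while the identity provider has a far smaller expected loss yet is the one vendor whose outage halts every process in the model. A board deciding where to spend on monitoring, redundancy or cyber insurance would want to see both lists, not just one.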

The trend is clear: in the age of digital connectivity, a business’s cybersecurity is only as strong as its weakest vendor.

For better and for worse, digital transformation means that no business can ever be siloed away from another for security purposes. But by taking concrete steps towards a more proactive security posture that treats cyber incidents as another running cost, businesses can adapt to the new reality.

Vishaal ‘V8’ Hariprasad is Co-founder & CEO of Resilience

Image: Nico El Nino
