How Companies Can Manage Third-Party Vendor Risk

From payroll to file sharing to HR, virtually every organisation works with third-party vendors. However, it only takes a single vendor to act as a vector for a cyberattack: attackers exploit that one connection as a gateway to an entire digital supply chain.

In fact, a third of all insurance claims on Resilience’s portfolio last year were due to vendor-related incidents.

Considering that these third-party vendors are essential to doing business, it is not possible to cut them out in order to eliminate the risk. But we do need a general reorientation of cybersecurity towards managing third-party risk – something that company boards and IT professionals can achieve in a number of ways.

The Third-Party Threat

A connection with a vendor acts as a gateway for risks, such as ransomware and operational outages, to be passed down the supply chain. No matter how airtight a company’s own security posture is, it remains vulnerable to disruptions originating from its partners.

There have been numerous high-profile examples of a ‘domino effect’ whereby hackers, after exploiting a single point of cybersecurity weakness, are then able to wreak havoc on the entire digital supply chain, preying on its interdependence. Many of last year’s most significant cyber incidents – including the ransomware attacks on Change Healthcare and CDK Global, as well as the CrowdStrike outage – caused major business interruptions, preventing organisations that used those services from operating, in addition to exposing data.

Yet many organisations are not attuned to this threat. It is still generally assumed that cybersecurity can be defensive and reactive: maintain your own company’s security and respond to threats as they arise. Most organisations conduct due diligence when selecting third-party vendors but fail to continue monitoring for ongoing risks thereafter.

Despite awareness of these risks, businesses continue to experience significant outages. Our research, in partnership with YouGov, found that while 83% of leaders of the UK’s largest businesses claim to be familiar with their third-party vendor systems, nearly half (47%) suffered 12+ hour outages due to vendor breaches in the past year.

This gap in understanding underscores an urgent need for company leaders and IT departments to reorient their security efforts to respond to what is rapidly becoming the main cyber threat.

Proactivity Across The Digital Supply Chain

Organisations can take a number of concrete steps to adjust their security posture to the new threat landscape.

  • First, businesses should integrate vendor risk assessments with their risk management platforms. Systems like a centralised Risk Operation Centre can give IT professionals and company boards an instant view of vendor risk and other security alerts, while a comprehensive vendor risk report or snapshot can summarise an organisation’s publicly observable vulnerabilities.

This information then informs decisions like choice of vendors, cybersecurity investment, and cyber insurance spending.

  • Second, vendor risk assessment should become a continuous process. Currently the standard practice is to commission a single risk assessment of a vendor before deciding to purchase their services. But even if a vendor is known to be a reputable one with robust controls to protect their clients, there is no guarantee that these protocols will succeed in all instances – as the MOVEit saga illustrated.

Companies should therefore start to continuously monitor the vendors they are interfacing with for risk intelligence.

  • Third, companies should carry out more threat simulations. Companies can use ‘breach and attack’ simulations to test which parts of the digital supply chain bad actors will choose to exploit in order to gain access to the company.

Simulations like these are key in building a cyber risk profile for a company that can inform decisions on risk posture and tolerance, as well as investment.

A Change Of Mindset

Finally, there should also be a general change in mindset when it comes to cybersecurity. Because the surface area of attack is now so large, it’s almost inevitable that a business will experience some kind of cybersecurity incident.

As a result, companies should start to view cyber incidents in the age of third-party risk as simply a cost of doing business.

Rather than trying to ward off every attack, there should be a greater emphasis on mitigating the damage from attacks. Many companies are now choosing to seat their CISOs on their boards – involving them at all levels of the business to adapt to an age where cyberattacks are a routine cost. There should also be a new emphasis on risk quantification: a monetary value on the cyber risk a company faces, which can then inform investment and spending decisions.
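As an added illustration of the two points above (continuous re-assessment of vendors rather than a one-off check, and putting a monetary figure on vendor risk), the following Python script is not code from the article or from Resilience. It models each vendor as a probability of a vendor-originated incident multiplied by an impact made up of business-interruption hours and a data-exposure cost, ranks vendors by expected annual loss, and compares two snapshots of the register so that a vendor whose risk has moved since the last review is flagged. The vendor names, probabilities and cost figures are constructed for the example, and the scoring model is a deliberately simple assumption, not a published methodology.

```python
"""Toy vendor-risk register: expected-loss quantification plus snapshot comparison.

Added example, not code from the article or from Resilience. The scoring model
(likelihood x impact) and every vendor figure below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorSnapshot:
    name: str
    service: str                     # what the vendor provides (payroll, file sharing, ...)
    incident_probability: float      # annual likelihood of a vendor-originated incident
    expected_outage_hours: float     # hours of business interruption if the vendor goes down
    hourly_interruption_cost: float  # revenue/productivity lost per outage hour, GBP
    data_exposure_cost: float        # expected notification/remediation cost if data leaks, GBP


def annual_expected_loss(v: VendorSnapshot) -> float:
    """Expected annual loss = likelihood x (interruption cost + data-exposure cost)."""
    impact = v.expected_outage_hours * v.hourly_interruption_cost + v.data_exposure_cost
    return round(v.incident_probability * impact, 2)


def rank_vendors(vendors):
    """Return (name, expected_loss) pairs, highest expected loss first."""
    scored = [(v.name, annual_expected_loss(v)) for v in vendors]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def total_expected_loss(vendors) -> float:
    """Aggregate expected annual loss across the whole vendor register."""
    return sum(annual_expected_loss(v) for v in vendors)


def changed_vendors(previous, current, threshold=0.25):
    """Continuous-monitoring check: flag vendors whose expected loss moved by more
    than `threshold` (as a fraction) since the last snapshot, and vendors that are new."""
    before = {v.name: annual_expected_loss(v) for v in previous}
    flagged = []
    for v in current:
        now = annual_expected_loss(v)
        prior = before.get(v.name)
        if prior is None:
            flagged.append((v.name, "new vendor"))
        elif prior > 0 and abs(now - prior) / prior > threshold:
            direction = "up" if now > prior else "down"
            flagged.append((v.name, f"expected loss {direction} {abs(now - prior) / prior:.0%}"))
    return flagged


# Constructed sample register: last quarter's review and this quarter's re-assessment.
LAST_QUARTER = [
    VendorSnapshot("PayrollCo", "payroll", 0.05, 24, 2_000, 150_000),
    VendorSnapshot("ShareDrive", "file sharing", 0.10, 8, 5_000, 400_000),
    VendorSnapshot("HRCloud", "HR", 0.02, 48, 1_000, 250_000),
]
THIS_QUARTER = [
    VendorSnapshot("PayrollCo", "payroll", 0.05, 24, 2_000, 150_000),
    # Likelihood raised after a (constructed) public disclosure affecting this vendor.
    VendorSnapshot("ShareDrive", "file sharing", 0.25, 8, 5_000, 400_000),
    VendorSnapshot("HRCloud", "HR", 0.02, 48, 1_000, 250_000),
    # Newly onboarded vendor with no prior assessment on record.
    VendorSnapshot("EDRVendor", "endpoint agent", 0.03, 12, 10_000, 0),
]


if __name__ == "__main__":
    for name, loss in rank_vendors(THIS_QUARTER):
        print(f"{name:<12} expected annual loss GBP {loss:>10,.0f}")
    print(f"total last quarter: GBP {total_expected_loss(LAST_QUARTER):,.0f}")
    print(f"total this quarter: GBP {total_expected_loss(THIS_QUARTER):,.0f}")
    for name, reason in changed_vendors(LAST_QUARTER, THIS_QUARTER):
        print(f"review needed: {name} ({reason})")
```

In this constructed register the file-sharing vendor already dominates expected loss, and the quarterly re-score more than doubles the aggregate figure, which is exactly the kind of movement a one-time pre-contract assessment would never surface. The monetary totals are what a board can set against security investment or insurance spend; the flagged list is what a monitoring process should produce between formal reviews.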

The trend is clear: in the age of digital connectivity, a business’s cybersecurity is only as strong as its weakest vendor.

For better and for worse, digital transformation means that no business can ever be siloed away from another for security purposes. But by taking concrete steps towards a more proactive security posture that treats cyber incidents as another running cost, businesses can adapt to the new reality.

Vishaal ‘V8’ Hariprasad is Co-founder & CEO of Resilience
