How Companies Can Manage Third-Party Vendor Risk

From payroll to file sharing to HR, virtually every organisation relies on third-party vendors. Yet it takes only a single vendor to become the vector for a cyberattack: attackers exploit that one connection as a gateway into the entire digital supply chain.

In fact, a third of all insurance claims on Resilience’s portfolio last year were due to vendor-related incidents.

Because these third-party vendors are essential to doing business, cutting them out to eliminate the risk is not an option. What is needed instead is a general reorientation of cybersecurity towards managing third-party risk, something company boards and IT professionals can achieve in a number of ways.

The Third-Party Threat

A connection to a vendor is a channel through which risks such as ransomware and operational outages pass down the supply chain. No matter how airtight a company's own security posture is, it remains exposed to disruptions that originate with its partners.

There have been numerous high-profile examples of a 'domino effect', in which a single point of weakness, once exploited, lets attackers wreak havoc across an entire digital supply chain that depends on it. Many of last year's most significant cyber incidents caused major business interruptions, preventing the organisations that relied on the affected provider from operating, in addition to exposing data. The ransomware attacks on Change Healthcare and CDK Global were malicious; the CrowdStrike outage was caused by a faulty software update rather than an attack, yet it propagated through customers' supply chains in exactly the same way.

Yet many organisations are not attuned to this threat. It is still widely assumed that cybersecurity can be defensive and reactive: maintain your own company's security and respond to threats as they arise. Most organisations conduct due diligence when selecting third-party vendors but do not continue to monitor them for new risks thereafter.

Even where leaders believe they understand these risks, businesses continue to experience significant outages. Our research, conducted in partnership with YouGov, found that while 83% of leaders of the UK's largest businesses said they were familiar with their third-party vendor systems, nearly half (47%) had suffered outages of 12 hours or more due to vendor breaches in the past year.

This gap between confidence and outcomes underscores an urgent need for company leaders and IT departments to reorient their security efforts towards what is rapidly becoming the main cyber threat.

Proactivity Across The Digital Supply Chain

Organisations can take a number of concrete steps to adjust their security posture to the new threat landscape.

  • First, businesses should integrate vendor risk assessments with their risk management platforms. A centralised Risk Operation Centre can give IT professionals and company boards an instant view of vendor risk alongside other security alerts, while a comprehensive vendor risk report or snapshot can summarise a vendor's externally observable weaknesses.

This information then informs decisions such as choice of vendors, cybersecurity investment and cyber insurance spend.

  • Second, vendor risk assessment should become a continuous process. Current standard practice is to commission a single risk assessment of a vendor before deciding to purchase its services. But even if a vendor is reputable and has robust controls to protect its clients, there is no guarantee those controls will hold in every instance, as the MOVEit saga illustrated: a zero-day in a single widely used file-transfer product exposed organisations that were several tiers removed from the vendor actually running it.

Companies should therefore continuously monitor the vendors they interface with, feeding risk intelligence about those vendors into the same process used at onboarding.

  • Third, companies should carry out more threat simulations. Breach and attack simulation exercises can test which vendor connections and supply-chain dependencies an attacker would most likely exploit to gain access to the company.

Simulations like these are key to building a cyber risk profile for a company, which can in turn inform decisions on risk posture, tolerance and investment.

A Change Of Mindset

Finally, there should also be a general change of mindset about cybersecurity. Because the attack surface is now so large, it is almost inevitable that a business will experience some kind of cybersecurity incident.

As a result, companies should start to view cyber incidents in the age of third-party risk as simply a cost of doing business.

Rather than trying to ward off every attack, there should be greater emphasis on limiting the damage an attack can do. Many companies are now choosing to seat their CISOs on their boards, involving them at every level of the business in order to adapt to an age in which cyberattacks are routine. There should also be a new emphasis on risk quantification: putting a monetary value on the cyber risk a company faces, which can then inform investment and spending decisions.
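As an added illustration of what risk quantification looks like in practice (example code written for this page, not the article's or Resilience's own method), the script below runs a Monte Carlo simulation over a small constructed vendor portfolio. Each vendor is assigned an assumed annual incident probability, a lognormal outage duration, an hourly cost of that vendor being unavailable and a fixed per-incident response cost. The output is an expected annual loss, the 95th and 99th percentile annual loss, and each vendor's share of the expected loss, which is the figure that tells you where a pound of control or insurance spend has the most effect. All vendor names and figures are assumptions.

```python
"""Monte Carlo quantification of third-party (vendor) cyber risk.

Added example, not code from the article or from Resilience. The vendor
names, incident probabilities, outage durations and cost figures are
constructed assumptions for illustration only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorExposure:
    name: str
    p_incident: float     # probability of a disruptive incident at this vendor in a year
    median_hours: float   # median outage duration given an incident (hours)
    sigma: float          # spread of outage duration in log space (lognormal)
    cost_per_hour: float  # our loss per hour this vendor is unavailable (GBP)
    fixed_cost: float     # response and notification cost per incident (GBP)


# Constructed sample portfolio (assumed figures, not real vendor data).
PORTFOLIO = [
    VendorExposure("payroll-saas", 0.15, 8.0, 0.8, 2_000, 25_000),
    VendorExposure("file-sharing", 0.20, 6.0, 1.0, 5_000, 40_000),
    VendorExposure("hr-platform", 0.10, 12.0, 0.8, 1_500, 30_000),
    VendorExposure("endpoint-agent", 0.25, 10.0, 0.6, 20_000, 50_000),
]


def expected_incident_loss(v):
    """Closed-form mean loss given an incident: lognormal mean hours * hourly cost + fixed cost."""
    mean_hours = v.median_hours * math.exp(v.sigma ** 2 / 2)
    return mean_hours * v.cost_per_hour + v.fixed_cost


def analytic_eal(portfolio):
    """Expected annual loss (EAL): sum over vendors of p_incident * expected incident loss."""
    return sum(v.p_incident * expected_incident_loss(v) for v in portfolio)


def simulate_year(portfolio, rng):
    """Draw one simulated year and return the loss attributed to each vendor."""
    losses = {}
    for v in portfolio:
        if rng.random() < v.p_incident:
            hours = rng.lognormvariate(math.log(v.median_hours), v.sigma)
            losses[v.name] = hours * v.cost_per_hour + v.fixed_cost
        else:
            losses[v.name] = 0.0
    return losses


def quantify(portfolio, years=20_000, seed=7):
    """Simulate many years; return EAL, tail losses and each vendor's share of EAL."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    totals = []
    by_vendor = {v.name: 0.0 for v in portfolio}
    for _ in range(years):
        year = simulate_year(portfolio, rng)
        totals.append(sum(year.values()))
        for name, loss in year.items():
            by_vendor[name] += loss
    totals.sort()

    def percentile(p):
        return totals[min(len(totals) - 1, int(p * len(totals)))]

    return {
        "eal": sum(totals) / years,
        "p95": percentile(0.95),
        "p99": percentile(0.99),
        "p_any_incident": sum(1 for t in totals if t > 0) / years,
        "eal_by_vendor": {name: total / years for name, total in by_vendor.items()},
    }


if __name__ == "__main__":
    result = quantify(PORTFOLIO)
    print(f"Analytic EAL:  GBP {analytic_eal(PORTFOLIO):,.0f}")
    print(f"Simulated EAL: GBP {result['eal']:,.0f}")
    print(f"95th / 99th percentile annual loss: GBP {result['p95']:,.0f} / {result['p99']:,.0f}")
    print(f"Probability of at least one vendor incident in a year: {result['p_any_incident']:.0%}")
    for name, eal in sorted(result["eal_by_vendor"].items(), key=lambda kv: -kv[1]):
        print(f"  {name:<16} GBP {eal:>10,.0f} per year")
```

Two points worth noting when using figures like these. The expected annual loss alone understates the risk a board actually carries: it is the 95th and 99th percentile years that an insurance retention and limit, or a business continuity budget, should be tested against. And the model above treats vendors as independent; the domino effect the article describes means that where several vendors share an upstream dependency, those should be modelled as one correlated event, which fattens the tail considerably.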

The trend is clear: in the age of digital connectivity, a business’s cybersecurity is only as strong as its weakest vendor.

For better and for worse, digital transformation means that no business can ever be siloed away from another for security purposes. But by taking concrete steps towards a more proactive security posture, one that treats cyber incidents as another running cost, businesses can adapt to the new reality.

Vishaal ‘V8’ Hariprasad is Co-founder & CEO of Resilience

Image: Nico El Nino
