vCISO

The Silent Crisis of Third-Party Breaches

Written by DATAWALL | May 1, 2025 12:30:00 PM

In a world where companies are building more digital bridges than ever before, it’s not your firewall that’s failing, it’s your vendor’s. According to the 2025 Verizon Data Breach Investigations Report (DBIR), third-party breaches now account for nearly 30% of all confirmed data breaches, a trend that’s been accelerating over the past five years.

But here’s what really stings: these incidents are often out of your direct control. One partner’s weak access policy, a forgotten cloud storage bucket, or an unpatched system can invite attackers into your environment without a single line of your own code being compromised.

The MOVEit Transfer data breach of 2023? It wasn’t an isolated incident. Over 2,000 organizations were impacted, from universities to government agencies, all because of a vulnerability in a third-party file transfer tool. A single software flaw rippled across the digital supply chain with a magnitude few were prepared to face.

Let’s Pause, How Well Do You Know Your Vendors?

When was the last time you asked your third-party software provider about their patching cadence? Do you know which of your vendors have access to PII, financial data, or your internal dashboards? If your gut answer is, “I think so,” you’ve already lost visibility.

Most organizations today rely on hundreds of third-party providers from SaaS tools and MSPs to cloud platforms and payment processors. And yet, according to DBIR, less than 30% of breached organizations had visibility into their vendor's security practices.

Why Are Supply Chain Breaches So Hard to Contain?

Let’s break down the pain points:

  • Transitive Trust: A vendor trusted by your business is, by extension, trusted by your data even if you’ve never vetted them.
  • Limited Transparency: Many third-party providers do not openly share their security posture.
  • Patch Lag: Delays in vulnerability disclosure and patching timelines can create large windows of exposure.
  • Inconsistent Monitoring: Most organizations don’t have tools in place to continuously monitor third-party risks.

So, What Can You Do About It?

You don’t need 100% control, you need structured visibility and proactive governance. Here’s how leading frameworks like NIST, ISO and CIS recommend tightening third-party risk:

  • Establish contract-level security expectations: Mandate minimum security requirements and incident notification timelines in all vendor agreements.
  • Clause-driven governance: Address ownership, confidentiality, and access control in your procurement processes.
  • Maintain a list of all third-party service providers, including the data they access and systems they connect to.
  • Tier & Assess your vendors: Assess provider security before onboarding and apply higher scrutiny to those who access critical data or services.
  • Implement continuous monitoring: Go beyond annual assessments, build dashboards for real-time monitoring of vendor risk.
  • Security verification: Conduct supplier audits and validate security certifications like SOC 2, ISO 27001.
  • Ensure contractual agreements include notification timelines for security incidents and adherence to baseline controls.

Practical Steps for Any Size Business

No matter your size or sector, these steps can help you reduce the blast radius of third-party risks:

  • Build a Vendor Inventory: Create and maintain a centralised list of all third-party tools and partners with access to your systems or data.
  • Use Standardised Risk Questionnaires: Leverage widely accepted tools or your own NIST/ISO-based questionnaire to assess vendor maturity.
  • Limit Data Access: Apply the principle of least privilege to vendors, segment networks and restrict access based on business necessity.
  • Perform Periodic Reviews: Reassess vendors at least annually or when critical events (like mergers, breaches, or service changes) occur.
  • Prepare for Breach Scenarios: Run tabletop exercises that simulate a third-party breach. Ask: how fast can you detect it, respond to it, and inform your stakeholders?

Quick Win: Build Your Own “Vendor Risk Scorecard”

Here’s a 3-point rating scale you can use today:

Vendor Access Level Has Security Certifications Has Breach Clauses in Contract Score
CRM Tool Tier 1 SOC 2 Type II Yes 3/3
HR SaaS Tier 2 No No 1/3
IT MSP Tier 1 ISO 27001 Partial 2/3

 

What You Should Be Asking Right Now

1. Do we know all third parties with access to our sensitive data or systems?

2. When was the last time we reviewed their security posture?

3. What would we do if one of our critical vendors got breached tomorrow?

It’s Not If, It’s Who

In today’s interconnected digital ecosystem, you’re only as secure as your weakest vendor. As the Verizon DBIR reminds us, the era of isolated breaches is over. Attackers go after the supply chain because it’s wide, fragmented, and often unguarded.

Your job? Make it harder for them. Build verification and demand visibility because in this new normal, your vendor’s breach is your business.
View full post