Third Party Supplier Security: Are Your Vendors Safe?

Are Our Third Party Suppliers Secure?

Your third party suppliers probably aren’t as secure as you think they are. SecurityScorecard’s 2025 Global Third Party Breach Report found that at least 35.5% of all data breaches in 2024 originated from third party compromises. That’s not a minor risk you can ignore.

The numbers tell a stark story. But here’s what most organisations miss: the real figure is likely higher since many breaches aren’t disclosed or are mistakenly reported as internal incidents.

Verizon’s 2025 Data Breach Investigations Report shows breaches involving third parties jumped to 30%, double the previous year’s figure. The financial impact is equally sobering, with IBM’s 2025 Cost of a Data Breach Report showing third party vendor compromises cost an average of $4.91 million per incident.

Why Third Party Supplier Security Matters More Than Ever

Your security is only as strong as your weakest supplier. You can invest millions in firewalls, endpoint protection and staff training. But if the HVAC contractor you hired last year still has access to your network, or your payroll provider’s authentication is weak, you’re vulnerable.

And that’s exactly what happened to Ticketmaster in May 2024. Hackers accessed their systems through Snowflake, a third party cloud service provider, compromising 560 million customers’ personal and payment information. The breach occurred because Ticketmaster’s Snowflake account lacked multi-factor authentication, allowing stolen credentials to provide unfettered access.

Third party relationships have multiplied. The average company now manages 286 vendors, up from 237 in 2024. Each one represents a potential entry point for attackers.

The Real Risks Hiding in Your Supply Chain

Data Access Without Visibility

Most organisations don’t know what data their suppliers can access. Your marketing automation platform might have read access to customer databases. Your cloud hosting provider stores sensitive financial records. Your IT support contractor can access email systems.

But here’s the catch: you probably don’t have complete visibility into how these suppliers secure that access. You sent them a security questionnaire two years ago during procurement, and that’s where your due diligence ended.

Fourth Party Threats

Your suppliers have suppliers. SecurityScorecard’s research shows that file transfer software was the top breach enabler in 2024, accounting for 14% of third party breaches. The Cleo software vulnerabilities exploited by the Cl0p ransomware group compromised over 66 companies, including major brands like Kellogg’s and Adidas.

These weren’t direct attacks on the companies. Attackers targeted the software their suppliers used, then pivoted to access the real targets.

The SaaS Integration Problem

Modern SaaS platforms connect directly to your core systems through OAuth tokens and API keys. An AI-powered calendar tool with “read only” access to your email can still expose confidential communications if compromised.

According to JPMorgan Chase’s 2025 open letter to suppliers, these integration patterns collapse authentication and authorisation into oversimplified interactions. You’re essentially creating single-factor trust between internet systems and private internal resources.

Compliance Gaps

Your organisation might be fully compliant with ISO 27001, SOC 2 and GDPR. But if your data processor in Bulgaria doesn’t meet the same standards, you’re still liable for the breach.

How to Actually Secure Your Third Party Relationships

Skip the annual questionnaire approach. It doesn’t work. By the time you review last year’s answers, the supplier’s security posture has changed.

Conduct Proper Due Diligence Before Signing

Best practice includes these essential checks:

Security controls verification: Request SOC 2 Type II reports, ISO 27001 certificates and recent penetration test results. Don’t accept a “yes” on a questionnaire. Verify with evidence.

Incident response capabilities: Ask suppliers to demonstrate their response plan. How quickly do they detect breaches? What’s their notification timeline? Who’s accountable?

Access management: Map exactly what data and systems the supplier will access. Require the principle of least privilege. If they don’t need write access, don’t grant it.

Subcontractor disclosure: Demand a complete list of fourth parties who will handle your data. Include contractual requirements for security standards that flow down the supply chain.

Implement Continuous Monitoring

Annual reviews are useless. You need real-time visibility into supplier security posture. Tools like SecurityScorecard, BitSight and UpGuard provide continuous monitoring of vendors’ external security posture based on observable evidence.

But automated monitoring only catches external signals. Best practice includes quarterly security reviews for critical suppliers, covering:

  • Changes to security personnel or practices
  • New cloud services or infrastructure migrations
  • Recent security incidents or near-misses
  • Compliance audit results

Enforce Contractual Security Requirements

Your contracts must include specific security obligations, not vague promises. Include clauses that require:

  • Immediate breach notification (within 24 hours of discovery)
  • Right to audit security controls with reasonable notice
  • Security requirements for subcontractors
  • Termination rights if security standards aren’t met
  • Data deletion procedures when the relationship ends

And if a supplier won’t agree to reasonable security terms, that’s a red flag. Walk away.

Limit Access and Segregate Data

Apply the principle of least privilege ruthlessly. Your email marketing platform doesn’t need access to your entire customer database. Segment data and provide only what’s necessary for the specific service.

Use separate credentials for each supplier. Never share internal user accounts with third parties. Implement just-in-time access provisioning where possible, granting access only when needed and revoking it immediately after.

Plan for the Worst

Assume a supplier will be breached. Your incident response plan must include third party compromise scenarios. Document which suppliers have access to what data. Maintain current contact information for supplier security teams.

Test your response procedures. Run tabletop exercises that simulate a supplier breach. Can you quickly revoke access? Do you know how to contain the damage?

The Emerging Threats You’re Not Watching For

AI-Powered Supply Chain Attacks

Threat actors are using AI to identify vulnerable suppliers and automate exploitation. Microsoft Threat Intelligence reported in 2024 that Chinese state actors shifted tactics to target common IT solutions like remote management tools and cloud applications, using them as entry points to downstream customers.

The scale and sophistication of these attacks are increasing. Automated vulnerability scanning combined with AI-driven lateral movement means attackers can compromise dozens of organisations through a single supplier vulnerability.

Geopolitical Risk in the Supply Chain

Political instability affects supplier security. The Russia-Ukraine conflict highlighted how quickly suppliers in certain regions can become unavailable or compromised. Organisations must consider geopolitical risk as part of supplier security assessment.

Best practice includes maintaining vendor diversity across geographic regions for critical services. Don’t rely on a single supplier in a politically volatile area for services you can’t operate without.

Ransomware Groups Targeting Suppliers

SecurityScorecard’s research found that 41.4% of ransomware incidents had a third party component. Groups like Cl0p deliberately target file transfer solutions and other widely used software because compromising one supplier gives them access to dozens or hundreds of victim organisations.

This is genuinely frightening. A single vulnerability in Cleo’s file transfer software allowed attackers to compromise 66+ companies in a matter of weeks. The efficiency from an attacker’s perspective is remarkable.

Third Party Risk: An Honest Assessment

Most organisations are flying blind on supplier security. They completed a questionnaire during procurement, checked a few compliance boxes and assumed everything was fine. That’s not risk management. That’s wishful thinking.

Here’s an honest assessment: if you can’t answer these three questions right now, you have a problem:

  1. Which suppliers currently have access to your most sensitive data?
  2. When were their security controls last verified (not self-attested)?
  3. How quickly could you revoke all supplier access if you discovered a breach?
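The register below is an added example written for this article, not code from Razorthorn or from any product named here. It models the practices from “Limit Access and Segregate Data” and “Plan for the Worst” (one credential per supplier, read-only grants where possible, time-boxed just-in-time access, one-step revocation) and answers the three questions above over a constructed sample register; the supplier names, systems, dates and review intervals are assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
NOW = datetime(2025, 6, 1, 12, 0)  # fixed clock so the constructed sample data and checks are reproducible
REVIEW_INTERVAL = {"critical": timedelta(days=90), "medium": timedelta(days=365), "low": timedelta(days=730)}  # quarterly / annual / biennial

@dataclass
class Grant:
    system: str
    permission: str             # "read" or "write": grant only what the service needs
    expires: "datetime | None"  # None = standing access; JIT grants always carry an expiry

@dataclass
class Supplier:
    name: str                   # one credential per supplier, never a shared internal account
    tier: str                   # "critical", "medium" or "low"
    last_verified: datetime     # last evidence-based verification, not a self-attestation
    grants: list = field(default_factory=list)
    revoked: bool = False

def grant_jit(supplier, system, permission, now, ttl_hours=4):  # just-in-time grant: time-boxed, lapses on its own
    supplier.grants.append(Grant(system, permission, now + timedelta(hours=ttl_hours)))

def active_grants(supplier, now):
    """Expired JIT grants are dropped; a revoked supplier has none left."""
    supplier.grants = [g for g in supplier.grants if g.expires is None or g.expires > now]
    return [] if supplier.revoked else list(supplier.grants)

def suppliers_with_access(register, system, now):
    """Question 1: which suppliers can currently reach this system?"""
    return sorted(s.name for s in register if any(g.system == system for g in active_grants(s, now)))

def overdue_verification(register, now):
    """Question 2: whose last verification is older than their tier's review interval allows?"""
    return sorted(s.name for s in register if now - s.last_verified > REVIEW_INTERVAL[s.tier])

def revoke_all(register, name):
    """Question 3: one step cuts every grant for one supplier, because its credential is not shared."""
    for s in register:
        if s.name == name:
            s.revoked, s.grants = True, []
            return True
    return False

def build_register(now):  # constructed sample data: names, systems and dates are invented
    payroll = Supplier("payroll-provider", "critical", now - timedelta(days=120), [Grant("hr-db", "read", None)])
    marketing = Supplier("email-marketing", "medium", now - timedelta(days=30), [Grant("crm", "read", None)])
    support = Supplier("it-support-contractor", "critical", now - timedelta(days=10))
    grant_jit(support, "mail-server", "write", now - timedelta(hours=6))  # 4h TTL: already lapsed
    grant_jit(support, "mail-server", "write", now, ttl_hours=2)          # still live
    return [payroll, marketing, support]
```

With this data the payroll provider shows up as overdue (120 days against a 90-day critical-tier interval), only the live JIT grant counts for the IT contractor, and revoking that contractor empties its access immediately.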

A zero-trust approach to supplier relationships is essential. Trust nothing by default. Verify everything continuously. Limit access ruthlessly. And plan for compromise, because it’s not if a supplier will be breached, it’s when.

The organisations that come through third party breaches with minimal damage are those that treated supplier security as seriously as internal security from day one. They built continuous monitoring, maintained least-privilege access and had tested incident response procedures.

Don’t wait for a breach to take supplier security seriously. By then, it’s too late.

What You Should Do Next

Start with a third party supplier security audit. Identify every third party with access to your data or systems. Map what they can access. Review when you last verified their security controls.

For critical suppliers (those handling sensitive data or providing essential services), initiate comprehensive security reviews within the next 30 days. For lower-risk suppliers, schedule reviews within 90 days.

Implement continuous monitoring tools to track supplier security posture. Set up automated alerts for significant security events affecting your suppliers.

Update supplier contracts to include robust security requirements. For existing contracts coming up for renewal, use that as an opportunity to strengthen security terms.

Contact Razorthorn Security if you need help building a comprehensive supplier security programme. We specialise in helping organisations identify, assess and manage third party cyber risk.

Frequently Asked Questions

How often should we conduct assessments on our third party supplier security?

The frequency depends on the supplier’s risk level and data access. Best practice is quarterly reviews for critical suppliers handling sensitive data, annual reviews for medium-risk suppliers and biennial reviews for low-risk vendors. But here’s the key: continuous automated monitoring should run between these manual assessments. SecurityScorecard’s research shows threats evolve constantly, so annual questionnaires alone won’t catch emerging risks.

What’s the difference between SOC 2 Type I and Type II, and which should we require?

SOC 2 Type I is a point-in-time assessment of controls. Type II tests those controls over a period (usually 6-12 months) to verify they’re operating effectively. Always require Type II. According to the 2025 DBIR, vulnerability exploitation made up roughly 90% of supply chain breaches. Type I tells you controls exist, but not if they work consistently. Type II provides evidence of operational effectiveness.

Should we treat cloud service providers differently from other third parties?

Yes. Cloud providers typically have much broader access to your data and infrastructure than traditional suppliers. Enhanced due diligence is essential for cloud providers, including reviewing their sub-processor agreements, data residency policies and breach notification procedures. IBM’s 2025 research shows cloud-related breaches cost an average of $4.44 million, partly because the blast radius is typically larger.

How can we manage fourth party risk when we don’t have direct relationships with our suppliers’ suppliers?

Include contractual requirements that your suppliers must maintain appropriate security standards for their subcontractors. Request an annual list of all subprocessors. For high-risk suppliers, negotiate the right to review or approve subcontractors before they’re engaged. SecurityScorecard found that fourth-party risks account for a growing share of breaches, so this isn’t optional anymore.

What should we do if a supplier refuses to complete our security questionnaire?

This is a negotiation, not a demand. If it’s a large, established supplier, they might have a standard security disclosure package instead of completing custom questionnaires. Review what they provide. If it’s adequate, accept it. But if a supplier flat-out refuses to provide any security information, that’s a massive red flag. Walk away. Any supplier handling your data who won’t discuss their security practices is too risky to work with.

Are third party security frameworks like ISO 27001 enough to trust a supplier?

No. Certifications prove controls exist at a point in time. They don’t guarantee those controls prevent breaches. The 2024 Ticketmaster breach affected over 560 million customers despite the company maintaining various security certifications. Use frameworks as a baseline requirement, not the end of your due diligence. Best practice combines certification verification with continuous monitoring and periodic hands-on security reviews.

How quickly should suppliers notify us of a security incident?

Industry best practice is within 24 hours of discovery. But here’s the problem: many supplier contracts don’t specify this. Your contracts should require notification within 24 hours of incident discovery, with a preliminary impact assessment within 72 hours. According to IBM’s research, faster notification correlates with lower breach costs because it enables quicker containment.

What security controls should we require for suppliers accessing our data remotely?

At minimum: multi-factor authentication, endpoint security (antivirus, EDR), encrypted connections, privileged access management and logging/monitoring of all access. For suppliers with elevated privileges, add requirements for privileged access workstations, just-in-time access provisioning and session recording. Verizon’s 2025 DBIR found that 88% of system intrusion breaches involved stolen credentials, so authentication security is critical.
