As technology evolves, it introduces new vectors that “bad actors” can use to achieve their goals. Some thorns in the side, however, remain the same: third-party exposure and credential abuse. Businesses rely on various third parties, but giving them access to organizational resources poses its own risks, including access for employees who may not maintain the same level of cyber hygiene. In addition, today’s software uses plenty of third-party tools, which can allow attackers to intrude through those tools, as was witnessed in the infamous SolarWinds breach and now the Marks & Spencer breach. Any breach is costly to its victims, in both money and reputation. In financial terms alone, the cost of a breach has risen from $4.24 million in 2004 to $4.87 million in 2025, as per IBM. And as technology interdependency increases, the headaches caused by bad actors manipulating third parties and supply chains are set to increase manifold.

And this problem is expected to continue and worsen. As organizations expand, so does their dependence on third parties. These range from software libraries to hardware assets, and each of them is a potential vector for cyberattacks. How? The addition of new elements to organizational IT infrastructure makes it more complex, and this complexity reduces visibility into the organization’s own IT infrastructure. These blind spots can be used to launch attacks. In the case of the SolarWinds breach, the attackers penetrated SolarWinds and managed to install remote access tools in the software updates, which gave them access to big targets like NATO, the US and UK governments, and the EU Parliament. Adidas is the latest victim of a breach through a third-party customer service provider. However, software is just one of many types of third-party vulnerability. Attacks can also be launched through hardware and firmware updates, and through third-party contractors and vendors with privileged access. There is also the problem of inadequate measures at the organizational level against such attacks, which has been explained by my colleague Sofia Ali HERE (insert hyperlink).

Of course, the key vector still remains third-party access, and it remains a burgeoning problem. The bigger the company, the bigger and more complex the vendor network. This complexity also hampers visibility: the organization can get visibility and control over the vendors directly linked to it, but it will not necessarily have any control over the third parties engaged by those vendors. This, coupled with inadequate cyber-hygiene training for the most important vector, the human, proves costly. In addition, the organization may have an insufficient risk-rating mechanism. Another risk is limited integration of third-party risk into the organization’s security posture. Increasingly stringent data control regulations also pose the challenge of checklist distraction and fatigue: there is a strong chance that users become fixated on ensuring compliance at all costs, at the cost of ignoring real-life readiness for cyber incidents. These factors underline the importance of effective Third-Party Risk Management (TPRM). Now that we have listed the risks, let us talk about the efforts to contain them.

Let us start with the laws. The risk arising from third parties is now being acknowledged, and regulations are being laid down across the world. Some of the key measures include frameworks such as NIST’s Cyber Supply Chain Risk Management (C-SCRM), ISO/IEC 27036, GDPR’s data processor clauses, and the SEC’s new cyber incident disclosure rules.

C-SCRM acknowledges the distributed and interconnected nature of ICT/OT product and service supply chains and helps users identify, assess, and mitigate the associated risks. NIST conducts research, provides resources, and convenes stakeholders to help organizations manage these risks. The framework covers the end-to-end life cycle of a system, including design, development, distribution, deployment, acquisition, maintenance, and destruction.

ISO/IEC 27036 specifically focuses on identifying and managing information security risk associated with third parties. The standard encourages security-by-design thinking in the procurement and vendor onboarding processes and promotes a risk-based approach to managing supplier interactions.

GDPR is already known as a rigorous data protection standard. It helps alleviate third-party risk by placing obligations on how data is shared. Organizations must conduct due diligence to ensure adequate data protection, and information about any breach should be disclosed immediately.

The SEC has made incident reporting within four days mandatory. It also requires organizations to provide detailed information about their cybersecurity risk management and governance.

To sum it up, third parties continue to be a menace. However, efforts are also being made to reduce the risk.

Sanket Kadam, analyst at QKS Group, sums it up: “Third-party breaches are no longer edge cases, they’re embedded in the modern attack surface. Avoiding and neutralizing these threats requires continuous third-party risk assessment, deep visibility into downstream vendor ecosystems, and strict enforcement of least-privilege access. Just-in-Time (JIT) privilege provisioning is critical. It ensures third parties get access only when needed, for the minimum time required, drastically reducing the attack window. True resilience comes from moving beyond checkbox compliance to a real-time, adaptive security posture across the entire digital trust chain.”
