The Growing Third-Party Security Threat: What Businesses Need to Know
Your organization's security is only as strong as that of your weakest vendor. The 2025 Verizon Data Breach Investigations Report (DBIR) reveals a concerning trend: third-party involvement in data breaches has doubled from 15% to 30% in just one year. This dramatic increase signals that attackers are increasingly targeting the complex web of business relationships that modern companies rely on.
Third-party security risks come in various forms, but they typically fall into three main categories:
- Software supply chain vendors: These are the companies that provide the applications and systems your business depends on. When vulnerabilities exist in their products, your organization becomes exposed.
- Data hosting providers: Cloud platforms, SaaS providers, and other services that store your data represent significant risk when they lack proper security controls.
- Connected vendors: Any third party with direct network access to your systems introduces potential entry points for attackers.
The motivation for tracking this metric stemmed from vulnerabilities in software and the impact of zero-days in products like MOVEit. When a fundamental flaw enters a physical supply chain because of defective materials or machinery, your organization would typically take it up with the supplier. In cybersecurity, however, these relationships are often complex, and the responsibility for security can be unclear.
Real-World Examples and Their Impact
The Snowflake Breach
One of the most significant third-party incidents in 2024 involved Snowflake. While Snowflake itself wasn't breached in the traditional sense, financially motivated actors accessed customer environments on the platform using stolen credentials. The underlying weakness was that multifactor authentication was not mandatory on customer accounts, so a valid username and password alone were enough to get in. That condition had existed for some time, but attackers only began exploiting it at scale in April 2024.
Analysis of the campaign identified approximately 165 victim organizations. About 80% of the accounts leveraged by threat actors had prior credential exposure, either harvested by information-stealing malware or left in public code repositories. This incident highlights how one vendor's security defaults can impact hundreds of its customers.
Business Interruption Events
Recent breaches at service providers like Change Healthcare, CDK Global, and Blue Yonder didn't just expose data—they caused substantial operational disruptions for companies in Healthcare, Retail, and Accommodation and Food Services industries. When core business processes rely on third-party services, a security incident affecting that provider can bring your operations to a standstill.
The CrowdStrike disruption in July 2024 was caused by a faulty sensor content update rather than a malicious payload, but it still caused significant damage, grounding planes worldwide and disrupting financial services. This incident demonstrates how even non-malicious defects in third-party software can create substantial business impact; your vendor risk model has to cover availability, not just confidentiality.
Protecting Your Business from Third-Party Risks
To defend against these growing threats, businesses need comprehensive strategies focused on third-party risk management:
For Software Supply Chain Vendors
Traditional recommendations around vulnerability management and network segmentation remain essential. If you can't patch fast enough (and realistically, few organizations can patch every product as quickly as exploits appear), keeping devices off the open internet reduces exposure significantly. Edge devices like VPN concentrators and firewalls are the obvious exception: they are internet-facing by design, so for them the emphasis shifts to prioritizing patches for actively exploited flaws, limiting exposed management interfaces, and monitoring for signs of compromise.
For Vendors Hosting Your Data
Focus on evaluating how secure and resilient their hosting and operational environments are. While risk questionnaires play a role in vendor assessment, solutions in Third-Party Cyber Risk Management (TPCRM) that analyze internal security controls can provide more quantifiable insights.
For Vendors That Connect to Your Environment
Implement comprehensive network segmentation and network access control for direct connections, so a vendor can reach only the systems it is contracted to support. Strict authentication policies, including password complexity requirements, API key rotation and expiry, and multifactor authentication, may need to be even more extensive than your employee-focused policies, because vendor accounts are often shared, long-lived, and rarely reviewed.
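The following is an added example, not code from the article or from the Verizon DBIR, showing how the vendor-access policy above can be turned into an automated audit. It runs over a constructed inventory of vendor accounts (the kind of data an identity provider or secrets manager can export) and flags accounts without enforced MFA, API keys older than a rotation threshold, and connections from outside the vendor's agreed network segment. The vendor names, thresholds, and networks are hypothetical.

```python
"""Audit third-party (vendor) accounts against a stricter access policy.

Added example, not code from the article or the Verizon DBIR. The inventory
below is constructed sample data; the policy thresholds, vendor names and
networks are hypothetical placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical third-party access policy: deliberately stricter than a typical
# employee policy, as the text recommends.
MAX_API_KEY_AGE_DAYS = 90
# Each vendor may only connect from its agreed source networks (RFC 5737
# documentation ranges, used here as placeholders).
VENDOR_SEGMENTS = {
    "acme-support": ["198.51.100.0/24"],
    "dataco": ["192.0.2.0/24"],
}


@dataclass
class VendorAccount:
    vendor: str
    account: str
    mfa_enforced: bool
    api_key_created: Optional[date]  # None when the account has no API key
    last_source_ip: Optional[str]    # None when the account has never connected


def check_account(acct: VendorAccount, today: date) -> list:
    """Return the policy findings for one account (an empty list means compliant)."""
    findings = []
    if not acct.mfa_enforced:
        findings.append("mfa-not-enforced")
    if acct.api_key_created is not None:
        age = (today - acct.api_key_created).days
        if age > MAX_API_KEY_AGE_DAYS:
            findings.append(f"api-key-stale:{age}d")
    if acct.last_source_ip is not None:
        # A vendor with no agreed segment gets an empty allow-list, so any
        # connection from it is flagged rather than silently accepted.
        allowed = [ip_network(n) for n in VENDOR_SEGMENTS.get(acct.vendor, [])]
        if not any(ip_address(acct.last_source_ip) in net for net in allowed):
            findings.append(f"source-outside-vendor-segment:{acct.last_source_ip}")
    return findings


def audit(inventory, today: date) -> dict:
    """Map each non-compliant 'vendor/account' name to its findings."""
    report = {}
    for acct in inventory:
        findings = check_account(acct, today)
        if findings:
            report[f"{acct.vendor}/{acct.account}"] = findings
    return report


# Constructed sample inventory, dated relative to a fixed audit date so the
# result is reproducible.
AUDIT_DATE = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    VendorAccount("acme-support", "svc-remote", True,
                  AUDIT_DATE - timedelta(days=30), "198.51.100.23"),
    VendorAccount("acme-support", "svc-legacy", False,
                  AUDIT_DATE - timedelta(days=200), "203.0.113.7"),
    VendorAccount("dataco", "etl-loader", True,
                  AUDIT_DATE - timedelta(days=120), "192.0.2.40"),
    VendorAccount("dataco", "readonly-dash", True, None, None),
]


def run_sample_audit() -> dict:
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in run_sample_audit().items():
        print(f"{name}: {', '.join(findings)}")
```

In practice the inventory would be pulled from your IdP and secrets manager on a schedule, and the findings fed to the vendor owner and to ticketing; the point of the fail-closed allow-list is that a vendor nobody has formally onboarded cannot pass the check by accident.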
Building a Resilient Vendor Management Program
Sitting around waiting to see if your organization "won the vendor lottery" that day isn't a viable strategy. Instead, make positive security outcomes from vendors a critical component of your procurement process, and develop plans to address repeat offenders.
The most effective approach combines several key elements:
- Vendor security assessment: Evaluate security practices before entering into agreements
- Contractual requirements: Include specific security obligations in contracts
- Ongoing monitoring: Regularly verify vendor compliance with security standards
- Incident response planning: Develop procedures for responding to third-party breaches
- Exit strategies: Create plans for quickly transitioning away from compromised vendors
Effective security in our connected world requires collaboration. While holding vendors accountable is part of the equation, transparent information sharing helps organizations build structured frameworks for threat modeling and make better decisions for safeguarding their data and customers.
Conclusion: A Shared Security Responsibility
The dramatic rise in third-party security incidents highlights the interconnected nature of business security today. Your organization's security perimeter now extends far beyond your walls to encompass every vendor, partner, and service provider you rely on.
By implementing rigorous vendor security assessments, maintaining continuous monitoring, and developing robust incident response plans, you can reduce your exposure to third-party risks while continuing to leverage the benefits of these essential business relationships.
Remember that effective security is ultimately a collaborative effort. Building strong security partnerships with your vendors creates a more resilient ecosystem that benefits everyone—except the attackers.