Here’s a question that should keep you up at night: How many third-party vendors have access to your company’s most sensitive data right now? Not the ones you remember signing contracts with, but all of them. The payment processor, the email service, the backup software, the IT support team, the cloud infrastructure provider. I’d bet you can’t name them all off the top of your head.
That’s the problem. And it’s exactly why attackers have stopped targeting companies directly. Why waste time breaking into a fortress when you can walk through the front door using a vendor’s credentials?
The uncomfortable truth is this: your security is only as strong as your weakest vendor relationship. And in 2025, vendor breaches are the norm, not the exception.
Supply Chain Attacks Are Out of Control
Remember SolarWinds? That breach was a wake-up call. Then came Kaseya, MOVEit, Okta, and dozens of others. Each one followed the same pattern: attackers compromised a vendor, and suddenly thousands of companies were exposed without ever knowing what hit them.
The numbers tell the story. According to Gartner’s 2025 Security Forecast, supply chain compromise now plays a role in nearly half of all major data breaches—that’s a 160% increase since 2022. We’re not talking about edge cases anymore. This is mainstream cybercrime.
Let me walk you through some of the disasters we’ve seen recently:
MOVEit Transfer: When One Vulnerability Breaks 1,000+ Companies
In 2024, a zero-day vulnerability in MOVEit Transfer—a file transfer application used by healthcare systems, banks, and government agencies—exposed 64 million records in just two months. Think about that. Not two days. Two months of attackers downloading patient records, financial data, and classified information while most victims had no idea their data was walking out the door.
The scary part? Many organizations didn’t even know they were using MOVEit. It was buried in their tech stack, managing critical data transfers in the background. Their security team learned about the breach from news reports, not from their vendor.
Okta: When Your Identity Provider Becomes Your Vulnerability
Okta is supposed to protect you. It manages authentication for thousands of enterprises. In 2025, attackers compromised Okta’s platform and gained the ability to move laterally into customer networks by hijacking identity tokens. Think about what that means: the company responsible for proving you are who you say you are was itself compromised. Attackers could theoretically impersonate any employee of any Okta customer.
The investigation revealed attackers had persistent access for weeks, potentially accessing customer metadata, authentication logs, and system configurations.
Kaseya: The Ransomware That Came Through Your Vendor
Kaseya makes a remote management tool used by managed service providers (MSPs). One vulnerability became the delivery mechanism for ransomware that hit 1,500 downstream customers in a coordinated attack. IT teams woke up to discover that the very tool they used to manage and protect their systems had become the weapon used against them.
ConnectWise: Yet Another RMM Platform, Yet Another Disaster
Remote monitoring and management platforms keep getting compromised because they’re so attractive to attackers. These tools sit on your network with administrative privileges. Compromise the platform, and you’ve got the keys to the kingdom.
Each of these incidents hammered home the same lesson: when vendors get breached, their customers get breached too. And you have almost no control over it.
Why Vendors Make Perfect Targets
From an attacker’s perspective, targeting vendors is just smarter than targeting enterprises directly. One vendor breach can equal hundreds or thousands of customer breaches. It’s economics 101—maximize return on investment.
They Have All the Keys to Your Kingdom
Vendors need elevated access to do their jobs. Your SaaS provider needs access to your data. Your IT support vendor needs administrative credentials. Your backup software needs to read everything. Your payment processor needs access to transactions.
When vendors have this level of privilege, their compromise becomes your disaster. An attacker with a vendor’s credentials suddenly has administrative access to your most critical systems. No permission denied. No access controls blocking them. They’re in.
You Don’t Even Know They’re There
Shadow IT is real. Your marketing department signed up for a SaaS analytics tool. Engineering integrated a third-party library. Finance brought in a new payment processor. Six months later, your security team still doesn’t know these vendors exist.
According to research I’ve seen, organizations typically underestimate their vendor count by 30-40%. If you can’t see your vendors, you can’t assess their risk. And if you can’t assess their risk, you can’t protect against it.
Compliance Becomes Someone Else’s Problem
You’re HIPAA compliant. But is your vendor? You’re PCI compliant. But what about your payment processor? You’re GDPR compliant. But your cloud provider is in the US—are they actually compliant?
The honest answer for most organizations: we don’t know, and we can’t prove it. Ask your security team if they could respond to a regulator’s inquiry about vendor compliance within 48 hours with documentation. Most would say no. And that’s terrifying when you realize regulators increasingly hold you liable for vendor breaches.
Their Risk Is Your Risk—Times Ten
Your vendor uses open-source libraries. Those libraries come from other projects. Those projects depend on still more code. Your risk doesn’t end at your vendor—it cascades through their entire ecosystem.
A vulnerability discovered in a popular library can suddenly affect thousands of software products and millions of users. Your vendor might be affected before you even know a vulnerability exists.
How Attackers Actually Exploit This
Let me break down what sophisticated attackers are doing right now:
They Impersonate Your Vendor to Phish Your People
An attacker researches your company, identifies your vendors, and calls your employees impersonating vendor support. “Hi, this is IT support from [Your Cloud Provider]. We need to verify your credentials for urgent maintenance.” It works because people trust their vendors. They’ve been trained to help vendors troubleshoot problems.
The attacker gets credentials. Game over.
They Find Zero-Days in Vendor Software
They find or purchase a vulnerability in software your vendor provides that’s used by thousands of companies. Before the vendor even knows a problem exists, attackers are using it to gain access to customer networks at scale. It’s the ultimate force multiplier.
They Steal Your Vendor’s Integration Keys
Your vendor’s API keys. Your vendor’s SSO tokens. Access to integrations you’ve built. An attacker with these credentials can impersonate your vendor—and by extension, your employees—within your own systems.
They Gain Visibility Into Everything
Your vendor managing your cloud infrastructure sees all your customer data. Your vendor handling backups sees your entire file system. Your vendor doing IT support sees your configurations and credentials. Compromise the vendor, and the attacker sees everything.
They Have Months to Operate Undetected
The average time to detect a breach is 200+ days. Your vendor might not even discover they were compromised for months. During that entire time, attackers are in your systems, extracting data or installing backdoors. You have no idea it’s happening.
The Financial Catastrophe
Let’s talk about what these breaches actually cost:
The Sheer Scale Is Staggering
MOVEit alone exposed 64 million records. That’s 64 million people needing to be notified. That’s healthcare systems handling notification for patient data. That’s financial institutions informing customers of potential fraud. Just the notification costs exceeded $50 million across all affected healthcare organizations.
It Happens to Half of Major Companies
According to Veeam’s 2025 survey, 45% of organizations experienced a material vendor-related breach in the last 12 months. That’s nearly half. If you’re a large enterprise, odds are you’ve been hit through a vendor already.
You Often Don’t Even Know Until It’s Too Late
More than 30% of companies learned about vendor breaches from news reports or customer complaints—not from the vendor itself. Imagine learning your vendor was hacked on Twitter before the vendor sent you an official notification. Your customers are already panicking before you even know what happened.
The Total Cost Dwarfs Everything Else
Notification costs. Regulatory fines. Lawsuit settlements. Customer churn. Lost trust. Incident response. Legal fees. A hospital losing patient data through a vendor breach doesn’t just face HIPAA penalties—it faces patient lawsuits, reputation destruction, and potentially millions in compensation.
Some organizations that suffered major vendor breaches have seen customer defection rates spike 15-25% in the following year. Loss of customer trust can be more damaging than the breach itself.
What Actually Works in 2025
So what do you do about this? You can’t just fire all your vendors. You need them. But you have to manage the risk better.
Know Every Vendor You Have—Seriously
Start by cataloging everything. The cloud provider, the email service, the backup software, the payment processor, the analytics tool, the HR platform, everything. Include the ones your teams signed up for independently (shadow IT). Most organizations discover they have 50% more vendor relationships than they thought.
Then assess each one. What data do they access? How critical are they? What happens if they’re breached? Use third-party risk ratings from companies like Externally, SecurityScorecard, or BitSight. These services track vendor security posture continuously—not just once a year.
Limit What Vendors Can Access
Give vendors the absolute minimum access they need to do their job. And revoke that access the moment they don’t need it anymore. If a vendor is setting up your cloud infrastructure, they shouldn’t have read access to customer data six months later.
Monitor what vendors actually do with their access. Log it. Alert on suspicious behavior. If a vendor account suddenly starts accessing systems it never accessed before, that’s a red flag.
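The inventory, least-privilege and logging advice above can be turned into a concrete check. The following is an added example, not code from the article: each vendor is recorded as a time-boxed grant (which account it uses, which systems and data classes it may touch, when the engagement ends, how critical it is), and every access-log line is compared against that grant. The vendor names, accounts, systems and log lines are all constructed for illustration, and the log format is an assumed space-separated one rather than any particular product’s.

```python
"""Check vendor access logs against a least-privilege vendor inventory.

Added example; vendors, grants and log lines are constructed, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VendorGrant:
    vendor: str                 # vendor as it appears in the catalogue
    account: str                # service account the vendor uses in our environment
    systems: frozenset[str]     # systems the vendor is allowed to touch
    data_classes: frozenset[str]  # data classifications the vendor may read
    expires: datetime           # engagement end; access is revoked after this
    criticality: str            # "high" / "medium" / "low": impact if the vendor is breached


# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2025, 6, 1, 12, 0)

# Constructed vendor catalogue. Note the contractor whose engagement ended 90 days
# ago but whose account was never revoked: exactly the case the article warns about.
INVENTORY = [
    VendorGrant("backup-provider", "svc-backup",
                frozenset({"file-server", "db-primary"}), frozenset({"pii", "financial"}),
                NOW + timedelta(days=200), "high"),
    VendorGrant("cloud-setup-contractor", "svc-cloudsetup",
                frozenset({"iam", "vpc-config"}), frozenset({"config"}),
                NOW - timedelta(days=90), "medium"),
    VendorGrant("analytics-saas", "svc-analytics",
                frozenset({"event-stream"}), frozenset({"telemetry"}),
                NOW + timedelta(days=10), "low"),
]

# Constructed access log: timestamp account system action data_class
ACCESS_LOG = """\
2025-06-01T09:12:03Z svc-backup file-server read pii
2025-06-01T09:15:44Z svc-backup db-primary read financial
2025-06-01T10:02:10Z svc-cloudsetup customer-db read pii
2025-06-01T10:30:00Z svc-analytics event-stream read telemetry
2025-06-01T11:05:27Z svc-analytics hr-system read pii
2025-06-01T11:40:00Z svc-crm-sync crm-db read pii
"""

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_log(text: str) -> list[dict]:
    """Parse the assumed space-separated log format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, system, action, data_class = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "system": system,
            "action": action, "data_class": data_class,
        })
    return events


def check_access(inventory: list[VendorGrant], events: list[dict]) -> list[tuple]:
    """Return (finding_type, who, what) for every event that violates a grant.

    An account with no grant at all is a vendor nobody catalogued (shadow IT);
    an event after the grant's expiry is access that should have been revoked;
    a system or data class outside the grant is a least-privilege violation.
    """
    by_account = {g.account: g for g in inventory}
    findings = []
    for ev in events:
        grant = by_account.get(ev["account"])
        if grant is None:
            findings.append(("unknown_account", ev["account"], ev["system"]))
            continue
        if ev["ts"] > grant.expires:
            findings.append(("expired_grant", grant.vendor, ev["system"]))
        if ev["system"] not in grant.systems:
            findings.append(("out_of_scope_system", grant.vendor, ev["system"]))
        if ev["data_class"] not in grant.data_classes:
            findings.append(("out_of_scope_data", grant.vendor, ev["data_class"]))
    return findings


def access_review(inventory: list[VendorGrant], now: datetime, within_days: int = 30) -> list[tuple]:
    """Grants to revoke (already expired) or re-justify (expiring soon), most critical first."""
    out = []
    for g in inventory:
        if g.expires <= now:
            out.append(("revoke", g.vendor, g.criticality))
        elif g.expires <= now + timedelta(days=within_days):
            out.append(("re-justify", g.vendor, g.criticality))
    return sorted(out, key=lambda r: CRITICALITY_RANK[r[2]])


if __name__ == "__main__":
    for finding in check_access(INVENTORY, parse_log(ACCESS_LOG)):
        print("ALERT", *finding)
    for item in access_review(INVENTORY, NOW):
        print("REVIEW", *item)
```

Running it flags the contractor account still reading a customer database three months after the engagement ended, the analytics tool reaching into an HR system it was never granted, and an `svc-crm-sync` account that appears in the logs but in no catalogue at all. The review list is what you would hand to the access-review meeting: one grant to revoke now and one to re-justify before it lapses.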
Update Your Contracts
Your old vendor contracts probably don’t require breach notification within 24 hours. They probably don’t mandate SOC 2 Type II audits or ISO 27001 certification. They probably don’t have penalties for security failures.
Fix that. Make security breaches a material breach of contract, not just something to report casually. Require vendors to maintain cyber liability insurance and name your company as additional insured. Make them care about security the way you do.
Monitor Your Integrations in Real-Time
Use tools to watch what’s actually happening with your vendor integrations. Unusual data flows? Anomalous access patterns? Unscheduled syncs? Flag it. Alert on it. Investigate it.
Deploy Cloud Access Security Brokers (CASBs) if you have significant SaaS usage. These tools give you visibility into what’s flowing through your vendor integrations and let you block suspicious activity automatically.
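The "unusual data flows, anomalous access patterns, unscheduled syncs" advice above, and the earlier point about a vendor account touching systems it never touched before, amount to a behavioural baseline per integration. Here is an added example (not the article’s code, and not any CASB product’s logic) that builds such a baseline from a week of integration events and then scores a new day against it: a byte-volume spike, an event outside the hours the integration has historically used, and a destination the integration has never sent data to. All events are constructed; the thresholds (three standard deviations, with a two-times-mean floor so a near-constant baseline does not alert on noise) are assumptions to tune for your environment.

```python
"""Behavioural monitoring of vendor integrations against a per-integration baseline.

Added example; all events are constructed. Event tuples are
(timestamp, integration, destination, bytes_transferred).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_baseline_events():
    """Constructed seven days of normal traffic: a nightly 02:00 backup sync to the
    provider's bucket, and an hourly CRM sync during business hours."""
    events = []
    day0 = datetime(2025, 5, 25)
    for d in range(7):
        day = day0 + timedelta(days=d)
        events.append((day.replace(hour=2), "backup-provider", "backup-bucket",
                       100_000_000 + d * 1_000_000))
        for h in range(9, 18):
            events.append((day.replace(hour=h), "crm-sync", "crm-api", 2_000_000))
    return events


def make_today_events():
    """Constructed day with two anomalies: a large afternoon transfer from the backup
    integration to an unknown host, and a CRM sync late at night."""
    day = datetime(2025, 6, 1)
    events = [(day.replace(hour=2), "backup-provider", "backup-bucket", 104_000_000),
              (day.replace(hour=14, minute=30), "backup-provider", "unknown-host", 900_000_000)]
    events += [(day.replace(hour=h), "crm-sync", "crm-api", 2_000_000) for h in range(9, 18)]
    events.append((day.replace(hour=23), "crm-sync", "crm-api", 2_000_000))
    return events


def build_baseline(events):
    """Per integration: daily-volume mean and standard deviation, hours seen, destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))   # integration -> date -> bytes
    hours = defaultdict(set)
    dests = defaultdict(set)
    for ts, integ, dest, nbytes in events:
        daily[integ][ts.date()] += nbytes
        hours[integ].add(ts.hour)
        dests[integ].add(dest)
    profile = {}
    for integ, per_day in daily.items():
        totals = list(per_day.values())
        profile[integ] = {"mean": mean(totals), "sd": pstdev(totals),
                          "hours": hours[integ], "dests": dests[integ]}
    return profile


def detect(profile, events, sigma=3.0, min_ratio=2.0):
    """Return (finding_type, integration, detail) for one day's events.

    Volume is judged on the day's total per integration; schedule and destination
    are judged per event. An integration absent from the baseline is reported too,
    since an integration nobody baselined is an integration nobody catalogued.
    """
    findings = []
    daily = defaultdict(int)
    for ts, integ, dest, nbytes in events:
        p = profile.get(integ)
        if p is None:
            findings.append(("unknown_integration", integ, dest))
            continue
        daily[integ] += nbytes
        if ts.hour not in p["hours"]:
            findings.append(("off_schedule", integ, ts.strftime("%H:%M")))
        if dest not in p["dests"]:
            findings.append(("new_destination", integ, dest))
    for integ, total in daily.items():
        p = profile[integ]
        # Assumed thresholds: mean + sigma*sd, but never less than min_ratio * mean,
        # so a perfectly regular baseline (sd == 0) still needs a real spike to alert.
        threshold = max(p["mean"] + sigma * p["sd"], min_ratio * p["mean"])
        if total > threshold:
            findings.append(("volume_spike", integ, total))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(make_baseline_events())
    for finding in detect(baseline, make_today_events()):
        print("ALERT", *finding)
```

On the constructed data the backup integration trips all three rules at once (off-hours, unknown destination, roughly ten times its normal daily volume), which is the pattern of a vendor account being used to pull data out rather than to do its job; the late-night CRM sync trips only the schedule rule and is the kind of single-signal alert that warrants a quick check with the vendor rather than an incident declaration.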
Have a Response Plan Ready
Don’t wait until a vendor breach happens to figure out what you’ll do. Map it out now. Who notifies customers? Who talks to regulators? What’s your timeline? What information do you need to collect?
Pre-draft notification templates. Establish communication chains. Define decision authorities. When crisis hits, you don’t have time to debate. You need to act within hours. Being prepared cuts response time in half and dramatically improves outcomes.
Your Board Needs to Know About This
Vendor risk isn’t just a security team problem anymore. It’s a board problem. C-suite executives need to understand that 45% of major breaches now involve vendors. They need to know how many vendors have access to critical systems. They need to have a response plan for when—not if—a vendor gets breached.
This is no longer a checkbox on a security questionnaire. This is business-critical risk.
The Hard Truth
Your vendors will be compromised at some point. It’s not a question of if, it’s a question of when. One of them will get hacked. An attacker will gain access through their systems.
The only question that matters is: Are you ready?
Are you monitoring vendor integrations closely enough to detect something wrong? Do you know what data each vendor can access? Can you revoke vendor access quickly if needed? Do you have incident response procedures ready to execute within hours?
If the answer to any of these is no, you’re playing Russian roulette. Your fortress might be secure. But if your vendors are the weak link, it doesn’t matter.
Don’t let your best defense be undone at your weakest link.
