What Is Third-Party Risk?
Third-party risk refers to the cybersecurity risks associated with companies you work with.
Examples of third parties:
If one of them has weak security and gets hacked, the attackers may gain access to your systems and data as well.
A Real-World Example: SolarWinds
One of the most well-known cyberattacks happened through a vendor called SolarWinds.
Hackers placed malware into a software update. That update went out to thousands of companies, including big government agencies and Fortune 500 firms. The attack spread quietly, and no one knew it was happening.
These companies weren’t hacked directly—they were affected because they trusted a vendor that got compromised.
Why Vendor Risk Is So Serious
Even if your company has great security, vendors can open the door to risk. Here’s why:
What Can Go Wrong?
If one of your vendors is breached, your business could face:
And even if it wasn’t your fault, people will still hold you responsible.
What Your Company Can Do
The good news? You can manage third-party risk without becoming a cybersecurity expert. Steps your company can take:
1. Know Who You Work With
Keep a list of all vendors, contractors, and partners who:
2. Sort by Risk Level
Some vendors are riskier than others. For example:
Start by focusing on the vendors that could cause the most damage if something went wrong.
3. Ask the Right Questions
Before hiring a vendor—or renewing a contract—ask:
4. Limit Their Access
Only give vendors the access they need—and no more. Remove access when:
5. Add Security Language to Contracts
Make sure your contracts with vendors include:
6. Review Regularly
Cybersecurity isn’t one-and-done. Check in on vendors at least once a year:
Everyone Plays a Role
You don’t have to work in IT to help keep your company safe. If you work with vendors, manage contracts, or bring on new partners, you have a part in reducing risk. Ask smart questions. Share your concerns. Remember, cybersecurity is a priority for the entire business, not just IT.
A company’s security is only as strong as the people and businesses it works with!
You can’t control everything your vendors do—but you can make sure you ask the right questions, set the right rules, and stay involved.
Because at the end of the day, keeping your business safe is everyone’s job.
Eric Anderson is a New Hampshire-based technology executive who translates real business challenges—like compliance, risk, and operational inefficiency—into practical, scalable technology solutions for small to mid-sized businesses.