The Hidden Cyber Risk That Threatens All Businesses

Written by Ryan Smith | March 4, 2026

In cybersecurity, we often get so caught up in hardening our environment and managing our human-based risks that we overlook one key area that poses a significant threat to our security:

Your Third Parties

This goes beyond protecting sensitive data you share access to. It’s also about:

  • The disruptions you feel when a partner you depend on goes dark without notice
  • The trust that gets broken and relationships that become strained
  • The trickle-down effect that it has on your customers or other partners
  • The financial transactions between you that can be intercepted
  • The integrations with technology that ‘connect’ your environments
  • The processes and communications that are often inherently trusted, which can be manipulated

And the big one:

  • The lack of control you have in how a third party handles a breach

These are things that all businesses face, regardless of size or industry. If you use a bank, have an email account or phone line, or use technology, supplies, or equipment from another third party, then this risk is something you need to seriously consider.

While some of you will have legal requirements to assess your third-party risks, it’s something that is highly recommended for all businesses.

It’s a two-way street, too; more and more organizations look at their partnerships with businesses like yours and expect that you are protecting your end of the relationship. And, as this risk grows, it’s not uncommon to see them start to ask for proof of strong security practices.

In today’s article, we’ll dissect third-party risks further and talk about ways to tackle them!

Third-Party Security Risks Today

In the 2025 IBM Cost of Data Breach Report, breaches caused by third parties took the longest to detect and contain (on average, taking 196 days to detect and 71 days to contain, totaling 267 days).

(IBM 2025 Cost of Data Breach)

Breach cost correlates directly with the time it takes to detect and contain, so it’s no shock that “Third-party vendor and supply chain compromise” was the second most costly type of breach at $4.91 million.

(Only slightly behind breaches caused by a “Malicious Insider,” at $4.92 million.)

It also happens to be one of the most common, at just under 15% of the breaches IBM studied, falling right behind phishing-initiated attacks, which accounted for just under 16%.

(IBM 2025 Cost of Data Breach)

The bottom line:

  • Third-party breaches are common, take a long time to contain, and are one of the most expensive types of breaches a business can experience.

Real-World Third-Party Breaches

You don’t have to look far for examples:

None of these organizations lacked security programs. They were compromised through trusted relationships with third parties.

It’s not that you’re only as strong as your weakest link. It’s that you’re only as strong as your third party’s weakest link.

Why are third-party breaches so bad?

When we look at cyber risk, we focus on two key factors:

Likelihood – the factors that determine the probability of a cyber-attack, often related to a combination of the threats we face and the vulnerabilities or weaknesses in our environment.

and

Impact – the factors we can measure proactively, based on what a compromise would mean for the business in terms of the CIA Triad of cybersecurity: Confidentiality (information that needs to stay private), Integrity (trust that needs to be maintained), and Availability (processes and technology we rely on).

Likelihood

When it comes to third parties, we have very little control over the factors that determine likelihood.

First, the threats they face could be quite different from your own. While you may not consider yourself much of a target, that may not be the case for some of the businesses you work with closely.

Further, as you consider the vulnerabilities or weaknesses that an attacker may exploit, you have little control over those that exist at your third-party partners.

The best you can do is ask about the practices they follow to identify and address their risks (an important practice we’ll discuss in more depth in a moment).

As far as the ability to reduce the likelihood of a third-party breach, the best you can do is choose your third parties carefully. And keep in mind that businesses practicing strong security can still have a bad day and fall victim to an attack.

You have very little control here.

Impact

Now, aside from ‘how’ an attack happens to your third party, we need to start to think about what happens ‘if’ they’re attacked.

Use the CIA Triad to start to consider this across the third parties you work with:

  • Confidentiality – what sensitive information do third parties have access to that you are responsible for keeping private (consider client data, employee data, financial information, or even intellectual property)? Go beyond what that provider is doing and keep in mind that sometimes they have ‘potential access’ that a threat actor could abuse.
  • Integrity – which processes or decisions between you and third parties rely on trust? Where is that trust validated, and where is it assumed? Consider the things they are involved in within your environment, as well as within their own.
  • Availability – what processes and technology do you depend on within these relationships? Are they part of your supply chain? If they go down, how will it affect you and your clients? What will it take for them to restore everything quickly?

We always want to look for ways we can minimize our impacts here, but it’s not an easy thing to do, even within our own environment, where we have control. It’s nearly impossible when it’s dependent on that third party.

Chances are, if you have sensitive data, it’s necessary for your business. You probably carefully build and plan processes and leverage technology so your business can function efficiently. And you likely expect that all to be there when it’s needed.

These CIA factors are often tied to the risks of doing business. And, when we leverage other businesses for different functions, that risk starts to grow.

Again, this is another area where we have little control over these shared impacts.

Breach Response

One of the most important factors related to cyber risk is the ability to detect and contain an attack as quickly as possible.

As mentioned earlier, third-party breaches take the longest to detect and contain, and it’s because we’re stuck on the sidelines as they pick up the pieces.

While third-party breaches took the longest, the average across all breaches was still 181 days to detect and 60 to contain.

When a breach occurs at your third-party partner, time is lost between them discovering it and reporting it to you. So it’s no shock that these take a week or two longer than other common breaches.

It’s a domino effect, and you’re at the whim of the third party.

Your recovery speed depends on their ability to detect their breach, notify you, and stop the incident.

Yet another area where you have little control.

Are you required to assess and manage third-party risks?

Maybe.

You definitely should have a third-party risk management plan either way; as stated above, it’s a serious risk for nearly every business.

However, there are some situations where you may find it is a requirement.

It’s included in regulations like HIPAA, NY DFS 23 NYCRR 500 (New York’s cyber rule for financial services), and state-based insurance data security laws, and it may even appear as a required practice for your cyber liability insurance to cover you (especially if that coverage includes support for third-party breaches).

Many of these requirements may be as subtle as saying you must “assess third-party risks”, making it easy to miss and a little vague about how to do so.

To help clear things up, NY DFS published an industry letter specifically addressing this topic and providing more clarity on what they’d like to see.

Read it here: NY DFS: Guidance on Managing Risks Related to Third-Party Service Providers

Regardless of your status under NY’s cyber rule, the guidance is worth reading through.

Beyond the stats shared above, the trends NY DFS has been seeing in third-party risk management were concerning enough for them to issue this guidance.

As they review cybersecurity practices for covered entities, they have identified opportunities to strengthen how organizations monitor, assess, and manage these third-party cybersecurity risks.

To determine if you are obligated to assess your third-party service providers, seek out data security laws that apply to you under Federal and State regulations, but also look in your partner contracts and insurance documents to see if it is mentioned.

If your third parties are critical to your business or have a lot of access to your data and technology, it’s highly recommended to implement a third-party risk management practice.

How do we manage third-party risks?

With so little control, how do we begin to address this?

Where many people would throw their hands up in frustration, this is where due diligence is needed.

Start with an inventory of third-party vendors and partners

Some of you may have a small list, but getting a list is the first step and can help you prioritize the work ahead.

You can use the free resources we reference at the end of this article if you need a jumping-off point.

At a minimum, start to list out the businesses your organization works with and identify the key elements related to your cyber risk based on the role they play:

  • Do they ‘potentially’ have access to sensitive information?
  • Do they have admin-level access to anything in your environment?
  • Are they involved in key processes and automations where trust is important?
  • Do you depend on them or their technology and processes?
  • Do they have an impact on your customer experience?
  • Are financial transactions between you common?
  • Is there anything else unique about your relationship that increases your cyber risk?
  • Are there alternative vendors, or are there few other choices in the marketplace?

Questions like the above help you begin to measure the internal risk you have with each vendor and the potential level of impact related to them being breached.

Assess the Internal Risk

Working through your inventory of third parties, start to categorize them by their respective levels of impact.

Sometimes this will be really clear, but you may have some middle-ground vendors that are harder to compare.

There are going to be low-impact vendors that we can identify and put off to the side. These would have little exposure and, if they had a breach, it’d probably be unnoticeable or a minor inconvenience.

There will also be clear high-impact vendors, and you can probably already imagine some of the most important relationships you need to protect. These often include:

  • IT and/or data hosting providers
  • CRM and Management System technology
  • Email and other communication tools (including social media)
  • Banking and financial services, including bookkeeping and tax providers
  • Integrated technology
  • AI tools and providers
  • Supply chain partners

Chances are that any one of the above relationships is going to have a high weight on the CIA Triad impacts.

As you start to categorize your third parties based on the internal risk, you will have better focus on where extra attention is needed.

Assess the External Risk

When the internal risk is high enough, it may make sense to start to uncover the Likelihood factors related to those third parties.

For this, we need to understand more about the threats, vulnerabilities, or weaknesses they face.

Given the industry and size of your third-party partner, you can start to get an idea of their threats, but this is difficult to measure. One way to gauge this would be to look at the annual Verizon Data Breach Investigations Report (DBIR) for information about the types of attacks targeting various industry groups.

Just keep in mind that many attacks, like phishing, are automated, and any business can become a target.

As far as the vulnerabilities (weaknesses) that exist for them, we can get a better understanding of that by having them answer some questions about their security practices.

This is where we start to see more and more businesses send “Third Party Risk Questionnaires” that vary in depth, usually depending on the level of risk involved.

Third-Party Risk Questionnaires

For vendors with a high enough internal risk (and depending on your risk tolerance and legal requirements), you may want to reassess the relationship and your overall exposure annually as you continue working with them.

Pro tip: while you should do this annually, it’s not sustainable to look at it as a point-in-time project. Instead, try to find a regular cadence to fold this into your ongoing cybersecurity practices and spread it out across the year.

Large enough businesses will offer a site that houses all of their relevant compliance and security documentation. Usually, you can find this in a ‘trust center’ of some kind, and it’s typically protected behind a login you may already have.

For smaller businesses, you’re likely going to have to send a questionnaire over to someone in cybersecurity, legal, IT, development, or elsewhere.

Pro tip: once you find out who answers these questions, be sure to update that in your inventory to save time.

All of this is going to depend on your specific risks and situation with each vendor, but here are some of the things you may need to ask about:

  • Do you have cyber liability insurance? What limits?
  • Do you have an incident response plan?
  • Do you conduct an annual risk assessment?
  • Do you follow a remediation plan for the risks identified in the assessment?
  • For web applications and systems that handle sensitive data, do you conduct annual penetration tests?
  • Do you have documented policies and procedures that are based on cybersecurity frameworks?
  • Do you conduct ongoing vulnerability management?
  • Have you implemented MFA?
  • Do you conduct Security Awareness Training?
  • Do you have unique logins for any admin access to our environment?
  • Do you have off-site, cloud-based backups?

This is not a comprehensive list, but a good place to start.

One of the ways I recommend creating a list is to look at common cybersecurity frameworks, like the Center for Internet Security (CIS) Controls.

For third parties that you identify as critical, basic questionnaires aren’t enough. You should also evaluate:

  • Concentration risk – identify when a critical system or provider creates amplified risk because your operations depend heavily on a single vendor.
  • Contract language – look for security requirements, breach notification timelines, right-to-audit clauses, and compliance obligations that may affect your ability to manage risk.
  • Business continuity and exit planning – consider how you would transition away from a vendor if they are breached, acquired, shut down, or fail to meet expectations.
  • Fourth-party risk – identify dependencies your vendors have on their own third-party service providers that could impact your business.
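To show how the inventory questions, the CIA-based categorization and the questionnaire fit together, here is an added Python example; it is not the article’s or RiskCheck’s code. It takes a few constructed sample vendors, maps the inventory checklist onto the CIA Triad, tiers them into low/medium/high internal impact, sends (only) the high-impact ones through the questionnaire from the list above, and flags concentration risk where a high-impact vendor has few marketplace alternatives. The 0–2 scale per CIA axis, the tier thresholds and the set of “critical controls” whose absence counts as a red flag are my assumptions, not something the article prescribes.

```python
"""Vendor inventory -> CIA impact tier -> questionnaire gaps (added example, not the article's code)."""
from dataclasses import dataclass, field

# Baseline questions for high-impact vendors, taken from the article's list.
QUESTIONNAIRE = {
    "cyber_insurance": "Do you have cyber liability insurance? What limits?",
    "incident_response_plan": "Do you have an incident response plan?",
    "annual_risk_assessment": "Do you conduct an annual risk assessment?",
    "remediation_plan": "Do you follow a remediation plan for identified risks?",
    "annual_pentest": "Do you conduct annual penetration tests on systems handling sensitive data?",
    "framework_policies": "Are your documented policies based on a cybersecurity framework?",
    "vuln_management": "Do you conduct ongoing vulnerability management?",
    "mfa": "Have you implemented MFA?",
    "awareness_training": "Do you conduct Security Awareness Training?",
    "unique_admin_logins": "Do you use unique logins for admin access to our environment?",
    "offsite_backups": "Do you have off-site, cloud-based backups?",
}

# Assumed weighting: a "no" (or no answer) on these is a red flag by itself.
CRITICAL_CONTROLS = {"mfa", "incident_response_plan", "unique_admin_logins", "offsite_backups"}


@dataclass
class Vendor:
    """One inventory row; the booleans are the article's inventory questions."""
    name: str
    sensitive_data_access: bool = False   # 'potential' access to sensitive information
    admin_access: bool = False            # admin-level access in your environment
    trusted_process: bool = False         # involved in processes/automations where trust matters
    operational_dependency: bool = False  # you depend on their technology or processes
    customer_impact: bool = False         # affects your customer experience
    financial_transactions: bool = False  # money regularly moves between you
    few_alternatives: bool = False        # little choice in the marketplace
    answers: dict = field(default_factory=dict)  # questionnaire key -> True/False


def cia_impact(v: Vendor) -> dict:
    """Map inventory answers onto the CIA Triad, 0-2 per axis (assumed scale)."""
    return {
        "confidentiality": int(v.sensitive_data_access) + int(v.admin_access),
        "integrity": int(v.trusted_process) + int(v.financial_transactions),
        "availability": int(v.operational_dependency) + int(v.customer_impact),
    }


def internal_tier(v: Vendor) -> str:
    """Assumed thresholds: nothing -> low; a maxed axis or 3+ points -> high; else medium."""
    impact = cia_impact(v)
    total = sum(impact.values())
    if total == 0:
        return "low"
    if max(impact.values()) == 2 or total >= 3:
        return "high"
    return "medium"


def questionnaire_findings(v: Vendor) -> dict:
    """Treat unanswered questions as 'no': a vendor that won't answer has not shown the control."""
    gaps = [k for k in QUESTIONNAIRE if not v.answers.get(k, False)]
    red_flags = sorted(k for k in gaps if k in CRITICAL_CONTROLS)
    coverage = round((len(QUESTIONNAIRE) - len(gaps)) / len(QUESTIONNAIRE), 2)
    return {"coverage": coverage, "gaps": gaps, "red_flags": red_flags}


def assess(v: Vendor) -> dict:
    """Internal impact first; only high-impact vendors get the external (questionnaire) review."""
    tier = internal_tier(v)
    result = {
        "vendor": v.name,
        "tier": tier,
        "cia": cia_impact(v),
        # concentration risk: a high-impact relationship you could not easily replace
        "concentration_risk": tier == "high" and v.few_alternatives,
    }
    if tier == "high":
        result["external"] = questionnaire_findings(v)
    return result


# Constructed sample inventory (fictional vendors and answers). Dict union needs Python 3.9+.
INVENTORY = [
    Vendor("Managed IT / hosting provider", sensitive_data_access=True, admin_access=True,
           operational_dependency=True, customer_impact=True, few_alternatives=True,
           answers={k: True for k in QUESTIONNAIRE} | {"mfa": False}),
    Vendor("Bookkeeping firm", sensitive_data_access=True, trusted_process=True,
           financial_transactions=True, answers={"cyber_insurance": True, "mfa": True}),
    Vendor("Office coffee supplier"),
]

if __name__ == "__main__":
    for vendor in INVENTORY:
        print(assess(vendor))
```

Running it tiers the hosting provider and the bookkeeping firm as high impact and the coffee supplier as low; the hosting provider answers everything but MFA and is still flagged (a single missing critical control is enough), while the bookkeeping firm’s sparse answers show up as low coverage with three red flags. The “unanswered counts as no” rule is the design choice worth keeping: it turns the collection problem the article describes into a visible gap rather than a silent pass.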

Challenges

Obviously, as shown above, third-party risk management has a lot of areas where there is little control.

However, that shouldn’t keep you from doing your best to understand the risk and the factors involved, and weaving that into your plan for when one of your third parties becomes compromised.

There are three key areas where I see people get stuck here:

  • Knowing what questions to ask
  • Knowing what answers are acceptable
  • Collecting the questionnaires from third parties, especially when there are a large number of vendors and partners involved

Using tools like RiskCheck (learn about becoming an early adopter here!) can help streamline the whole process:

  • See all of your vendors and their associated risks within one nice dashboard
  • Leverage a variety of questionnaires created by cybersecurity experts, including the ability to modify them or upload your own
  • Use our tools to send questionnaires and feed the results right back into the system
  • Create easy risk scores based on internal and external risk factors built directly into our questionnaires
  • Track decisions about accepted risks or red flags
  • Stay on top of contract renewals and annual due diligence