Introduction
Organizations no longer operate independently. They rely heavily on third-party service providers, including cloud service providers, software vendors, payment processors and IT support firms.
While these partnerships are essential for growth and operational efficiency, a weakness in a vendor’s controls can expose the entire organization to data breaches, ransomware and regulatory penalties.
Why third-party risk matters
Supply chain attacks occur when cybercriminals target vendors to gain access to larger, better-protected organizations. Instead of breaking into a well-secured network directly, attackers exploit the weakest link, which is often a third-party vendor with privileged access.
Cybercriminals increasingly target third-party vendors because they know vendors often hold trusted access to networks, systems or sensitive data.
Two high-profile examples highlight this vulnerability:
- SolarWinds: In 2020, attackers managed to inject malicious code into the software updates of SolarWinds’ Orion platform, which was widely used by government agencies and corporations. When clients installed the compromised update, the malware gave attackers backdoor access to their internal networks.
- MOVEit: In 2023, attackers exploited a zero-day SQL injection vulnerability in the MOVEit file transfer software used by many organizations. This allowed them to access sensitive databases and exfiltrate personal and business data, impacting thousands of organizations and millions of individuals.
Key risks from third-party providers
- Cybersecurity vulnerabilities: Vendors can act as an entry point for cybercriminals to infiltrate an organization’s network. Weaknesses in a vendor’s systems, such as outdated software, poor password practices or a lack of monitoring, can be exploited to deploy malware or ransomware.
- Data breach and information leakage: Vendors often have access to sensitive company data, including customer information, financial records, or intellectual property. If these vendors lack strong security measures, attackers can exploit their systems to steal or leak data.
- Regulatory non-compliance: Vendors that fail to comply with regulations such as GDPR or the Kenya Data Protection Act, or with industry standards such as PCI DSS and ISO 27001, pose serious risks to your organization. Non-compliance can result in legal liabilities, financial penalties and reputational damage, even if the violation originates with the vendor.
- Lack of incident transparency: Vendors may lack transparency when handling security incidents, for example by delaying disclosure, providing insufficient details or having no formal response protocol. Without timely and clear communication, your organization cannot respond effectively.
- Operational disruption: When a critical vendor experiences downtime, technical failure, or business interruption, it can directly affect the organization’s ability to deliver products or services.
- Legal and contractual risks: Poorly defined or incomplete vendor contracts can create legal exposure. Without clear clauses on data ownership, liability, or breach notification, disputes can arise that are costly and time-consuming to resolve.
- Dependency and vendor lock-in: Relying too heavily on a single vendor for critical operations can create dependency risks. If the vendor changes pricing, terms, or technology, or fails to deliver, the organization may have limited alternatives and incur high switching costs to move to another provider.
Best practices for managing vendor cybersecurity
To effectively manage supply chain cybersecurity risks, security professionals must implement a multi-layered strategy addressing technical and organizational challenges. Here are five essential tactics:
- Vendor due diligence: Before engaging a vendor, evaluate their security posture, check whether they apply patches consistently, use strong encryption, and review any history of past breaches. Conducting this due diligence early helps minimize long-term risks and ensures stronger protection for the organization.
- Vendor risk assessment and segmentation: Start by identifying all third-party vendors and classifying them according to their access levels and importance to business operations. This ensures stronger controls are applied to high-risk vendors.
- Contractual security requirements: Vendor contracts should clearly define cybersecurity requirements, including compliance with standards such as ISO 27001 or SOC 2, regular security reviews, breach notification timelines, audit rights and confidentiality obligations. Writing these into service level agreements ensures accountability and makes data protection and incident response enforceable.
- Continuous monitoring and threat intelligence: Security checks should not end after onboarding. Regularly review vendor security using cyber risk ratings and independent SOC 2 audit reports, which assess a vendor’s controls for security, availability, processing integrity, confidentiality and privacy.
- Third-party incident response integration: Establish joint incident response plans with vendors. Define roles, communication channels, and responsibilities. Run tabletop exercises to test readiness and improve coordination during incidents.
Conclusion
Managing third-party risk is essential to maintaining your organization’s overall security posture. Proactive third-party risk management not only safeguards data and operations but also strengthens trust and resilience across the business.
Caveat
This newsletter has been prepared by RSM (Eastern Africa) Consulting Ltd, and the views are those of the firm, independent of its directors, employees and associates. This newsletter is for general guidance, and does not constitute professional advice. Accordingly, RSM (Eastern Africa) Consulting Ltd, its directors, employees, associates and its agents accept no liability for the consequences of anyone acting, or refraining from acting, in reliance on the information contained herein or for any decision based on it. No part of the newsletter may be reproduced or published without prior written consent. RSM (Eastern Africa) Consulting Ltd is a member firm of RSM, a worldwide network of accounting and consulting firms. RSM does not offer professional services in its own name and each member firm of RSM is a legally separate and independent national firm.