
Your Vendors Are Your Weakest Link: When Trust Becomes an Attack Vector

March 15, 2026, by Mario Bouchard, M. Adm., CISSP

Imagine you give your office key to your cleaning service. That's normal. They need to get in to do their job. Now imagine they lose that key. Or worse, someone steals it. A stranger walks into your office at night, using a legitimate key. Your alarm doesn't go off because the key is recognized. Your cameras capture someone moving through the building calmly, as if they belong there.

This is exactly what happens, every day, inside the IT systems of organizations like yours.

In my last article, I talked about the threat that comes from within: shadow AI, employees using unapproved tools with the best of intentions. Today, let's talk about a more insidious threat. The one that walks in through the door you opened for your vendors, partners, and subcontractors. The people you trust.

The scope of the problem, in numbers

The data is clear, and it should concern every executive.

According to the Verizon Data Breach Investigations Report (DBIR) 2025, 30% of all data breaches now involve a third party, whether a vendor, a partner, or a subcontractor. That's double the previous year, when the figure stood at 15%. In a single year, vendor-related risk has doubled.

IBM, in its Cost of a Data Breach Report 2025, confirms the trend from a different angle. Supply chain compromise is the second most costly attack vector, averaging $4.91 million per incident, just behind malicious insider attacks ($4.92M). This vector also accounts for 15% of all breaches analyzed. But what truly sets these attacks apart is time. It takes an average of 267 days to detect and contain them. Nine months. Three quarters of a year during which someone is moving through your systems with legitimate access.

And this isn't just a big-company problem. SecurityScorecard, in its Global Third-Party Breach Report (published in 2025, analyzing 2024 data), arrives at an even higher estimate: more than 35% of breaches originate with a third party. The methodology differs from Verizon's, but both reports converge on the same conclusion. The vendor threat is exploding.

What we're seeing more and more in the field is a lack of preparedness. Mitratech's Third-Party Risk Management Survey reveals that organizations assess only 40% of their vendors on average, and that 70% of vendor risk management programs are understaffed. Six out of ten vendors are not assessed from a cybersecurity standpoint.

How it works

Why are cybercriminals so interested in your vendors? The answer is simple: it's more effective. Rather than attacking your organization directly (where you may have a firewall, endpoint protection, and a monitoring team), they target one of your vendors. Often smaller. Often less protected. And once they've compromised that vendor, they inherit their key, their legitimate access to your systems.

Let's go back to the office key analogy. The cybercriminal doesn't force your door. They don't break your window. They steal the key from someone who was authorized to enter. Your security system sees nothing unusual, because technically, nothing is unusual. The access is legitimate.

The blind spot is trust. These attacks don't exploit a technical flaw. They exploit a business relationship. Your payroll provider has access to every employee's data. Your CRM provider knows all your customers. Your cloud provider hosts your financial data. Each of these connections is a bridge that attackers can cross.

And the trend is accelerating. Since April 2025, software supply chain attacks have been occurring at an average rate of 26 per month, according to Cyble, double the rate observed between early 2024 and March 2025. Each incident has the potential to impact dozens, even hundreds of downstream organizations.

An ordinary Wednesday morning

Wednesday, 9:45 AM. Your Director of Finance calls. Something is wrong with the payroll system. Employee records show incorrect data. Social Security numbers that don't match, addresses that have been changed. Your IT team checks. The system is operating normally. No alerts. No anomalies in the logs.

10:30 AM. The investigation progresses. The IT team discovers that the changes were made through the payroll vendor's account, an automated connection between their system and yours, active 24/7 for years. The vendor confirms they didn't make these changes. Someone else is using their access.

11:15 AM. Your payroll vendor informs you they experienced a security incident three weeks ago. Three weeks. They didn't notify you because they were "assessing the impact." In the meantime, the attackers used their access to enter their clients' systems. Including yours.

1:00 PM. The picture is becoming clearer, and it's concerning. The personal data of your 350 employees (names, addresses, Social Security numbers, banking information for direct deposit) has been copied. Not through an attack on your systems. Through an attack on a vendor you trusted.

2:30 PM. Your privacy officer reminds you of your obligations: assess whether the incident poses a risk of serious harm, notify regulators, notify all 350 affected individuals, document the incident in your records.

Your lawyer calls. Your insurer calls. And the question everyone is asking is the same: "What security measures did you require from this vendor?"

You dig up the contract. It's four years old. There's no cybersecurity clause. No incident notification requirement. No audit rights. Just a vague commitment to "data confidentiality."

What it really costs

IBM's numbers are clear. A breach involving a vendor costs an average of $4.91 million. But behind that average lie concrete realities that averages don't capture.

A rough estimate for an SMB with 350 employees whose payroll data has been compromised (IBM, average cost per record for employee data: $168/record): 350 employees × $168/record ≈ $59,000. That figure only represents the per-record cost. It doesn't include digital forensics to understand what happened, an engagement that easily runs into tens of thousands of dollars for an SMB. Nor the legal fees to assess your obligations and manage notifications. Nor the hours your IT team spends diverted from their projects for weeks.

And then there are the costs that aren't easily measured. Your employees receiving a letter informing them that their banking information and Social Security numbers have been exposed. Their trust in the organization takes a hit. Your IT team, already stretched thin, absorbing an incident they didn't cause and had no way to prevent. The stress, the sense of helplessness, the overload.

Let's not forget time. IBM reports that supply chain breaches take 267 days to detect and contain, 26 days longer than the global average. Nine months during which your systems are compromised without your knowledge.

Why SMBs are especially vulnerable

The reason SMBs are exposed has nothing to do with competence. It's operational reality working against them.

A large enterprise has a dedicated vendor risk management team. They send security questionnaires, require certifications, conduct audits. A 200-person SMB often doesn't even have a single employee dedicated to cybersecurity, let alone someone assessing each vendor's security posture.

And yet, that same SMB routinely uses dozens of cloud applications, each operated by a vendor with some level of access to its data. Payroll, CRM, accounting, email, video conferencing, file storage, e-signatures. Every connection is a potential bridge.

In practice, what we see in the field is that most SMBs have zero visibility into their vendors' security posture. They don't know which vendors have access to which data. Is the data encrypted at rest on the vendor's side? No idea. And if a vendor has suffered an incident without notifying them, they have no way of knowing. Yet when the incident happens, it's the organization that collected the data (not the vendor) that bears legal responsibility.

Regulatory accountability: you own the risk

This is where privacy legislation fundamentally changes the equation for executives.

Whether you operate under Quebec's Law 25, PIPEDA at the federal level, or state-level privacy laws in the U.S., the principle is the same. The data you share with third parties (vendors, subcontractors) remains your responsibility. Not the vendor's. Yours. You are the custodian of the personal information you collect, even when you hand it to someone else to process.

In practice, this means several obligations. You must contractually define how third parties protect the personal information you entrust to them. You must conduct privacy impact assessments when transferring personal data across borders. If an incident occurs at your vendor and it presents a risk of serious harm to the individuals involved, you are the one who must notify regulators and affected individuals with diligence. And you must document the incident in your records.

Under Quebec's Law 25, for example, administrative monetary penalties can reach $10 million or 2% of worldwide revenue, with even steeper penal sanctions for repeat offenses or serious violations. But the real question is the supply chain trap: you are liable for an incident you didn't cause, in a system you don't control, at a vendor you may have never assessed.

This is unmanaged risk. And privacy legislation doesn't give you the luxury of ignoring it.

What you can do Monday morning

The good news is that vendor risk can be managed. The key is to start somewhere rather than ignore it and hope nothing happens.

Here are five questions to ask your IT team this week.

"Do we have a complete inventory of every vendor that has access to personal data or to our systems?" If the answer is no, or if the answer is "we think so," that's your first priority. You can't protect what you don't know about.

"Do our contracts with these vendors include cybersecurity clauses (incident notification, audit rights, minimum security requirements)?" A contract without a cybersecurity clause in 2026 is like an insurance policy with no coverage. The document exists, but it doesn't protect you.

"Do we know which vendors have permanent access to our systems, and is that access still justified?" Many vendor connections are configured once and never reviewed. Does the vendor you left two years ago still have an active connection to your systems?

"If our payroll provider (or CRM, or accounting platform) suffered an incident tomorrow, what is our plan?" If the answer is an uncomfortable silence, you've identified your priority.

"Have we documented our regulatory obligations regarding personal information entrusted to third parties?" Documentation isn't bureaucratic busywork. It's your proof that you did your homework if an incident occurs.


These questions aren't technical. They're strategic. And they deserve to be asked by leadership, not just the IT team. If your CEO asks tomorrow "where do we stand on vendor security?", do you have an answer?
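One way an IT team could start answering the inventory and access questions above, as an added example that is not part of the original article: a short Python review script run over a constructed vendor inventory and constructed HR-system audit lines. It flags vendor accounts whose access is no longer justified (ended contract, or not reviewed within a year) and writes made through a vendor integration to fields it was never granted, which is what the payroll scenario earlier in the article would look like in the logs. The account names, vendors, field names and the one-year review window are assumptions.

```python
"""Vendor access review over constructed data. Added example, not the
author's tooling: flags third-party accounts whose access is no longer
justified, and writes by vendor integrations outside what was granted."""
from datetime import date

# Constructed inventory: integration account -> vendor, contract status,
# last access review, and the fields that account is allowed to write.
VENDOR_ACCOUNTS = {
    "svc_payroll_api": {"vendor": "PayrollCo", "active_contract": True,
                        "last_review": date(2022, 3, 1),
                        "allowed_writes": {"bank_account", "pay_rate"}},
    "svc_old_crm": {"vendor": "OldCRM", "active_contract": False,
                    "last_review": date(2021, 6, 15), "allowed_writes": set()},
    "svc_esign": {"vendor": "SignIt", "active_contract": True,
                  "last_review": date(2026, 1, 10), "allowed_writes": set()},
}

# Constructed HR-system audit log: (timestamp, actor, action, field).
AUDIT_LOG = [
    ("2026-03-11T02:14:00", "svc_payroll_api", "update", "bank_account"),
    ("2026-03-11T02:15:30", "svc_payroll_api", "update", "ssn"),
    ("2026-03-11T02:16:02", "svc_payroll_api", "update", "home_address"),
    ("2026-03-11T09:02:00", "hr.jsmith", "update", "home_address"),
    ("2026-03-11T09:40:00", "svc_payroll_api", "read", "ssn"),
]

REVIEW_MAX_DAYS = 365  # assumption: vendor access is re-justified yearly


def stale_vendor_access(today_iso, accounts=VENDOR_ACCOUNTS, max_days=REVIEW_MAX_DAYS):
    """Accounts tied to an ended contract, or not reviewed within max_days."""
    today = date.fromisoformat(today_iso)
    findings = []
    for name, info in accounts.items():
        age = (today - info["last_review"]).days
        if not info["active_contract"]:
            findings.append((name, "contract ended, account still provisioned"))
        elif age > max_days:
            findings.append((name, f"access not reviewed for {age} days"))
    return findings


def vendor_writes_outside_grant(log=AUDIT_LOG, accounts=VENDOR_ACCOUNTS):
    """Writes made through a vendor account to fields it was never granted."""
    return [entry for entry in log
            if entry[1] in accounts and entry[2] == "update"
            and entry[3] not in accounts[entry[1]]["allowed_writes"]]


if __name__ == "__main__":
    print(stale_vendor_access("2026-03-15"))
    print(vendor_writes_outside_grant())
```

Both functions return lists rather than printing, so the same checks can be scheduled and fed into a ticketing or alerting pipeline once the inventory is real.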


Need help securing your supply chain?

InfoSec helps organizations manage vendor risk and build resilient third-party governance programs. If you don't have a dedicated CISO, our vCISO services give you the strategic leadership needed to manage your vendor relationships, without a full-time hire.

For support with regulatory compliance or strategic cybersecurity advisory, schedule a discovery call.


Mario Bouchard, M. Adm., CISSP, President, InfoSec Sécurité de l'information Inc. With over 30 years of experience in cybersecurity, he helps CISOs and IT leaders turn cybersecurity into a delivery accelerator rather than a roadblock. infosecurite.com


Sources

  1. Verizon. Data Breach Investigations Report (DBIR) 2025. Key statistic: 30% of breaches involve a third party, double from the previous year (15%). verizon.com/dbir

  2. IBM. Cost of a Data Breach Report 2025. Average cost of a supply chain breach: $4.91M. Mean time to detect and contain: 267 days. Cost per compromised employee record: $168/record. Second most frequent attack vector (15%) and second most costly. ibm.com/reports/data-breach

  3. SecurityScorecard. Global Third-Party Breach Report (published March 2025, 2024 data). More than 35% of breaches originate with a third party, up 6.5% year over year. securityscorecard.com (PDF)

  4. Mitratech. Third-Party Risk Management Survey 2025. Organizations assess only 40% of their vendors on average. 70% of vendor risk programs are understaffed. mitratech.com

  5. Cyble. Threat Landscape Reports 2025. Supply chain attacks occurring at a rate of 26 per month since April 2025, double the rate from early 2024 through March 2025. cyble.com

  6. Commission d'accès à l'information du Québec. Key changes under Law 25. Vendor obligations, incident notification, records, privacy impact assessments. cai.gouv.qc.ca