
What Is Third-Party Risk?
Third-party risk refers to the cybersecurity risk introduced by the outside companies you work with.
Examples of third parties:
- Your IT or cloud provider
- A payroll or HR service
- A marketing firm that uses your systems
- Any vendor with access to your data or tools
If one of them has weak security and gets hacked, the attackers may gain access to your systems and data as well.
A Real-World Example: SolarWinds
One of the most well-known cyberattacks happened through a vendor called SolarWinds.
Hackers placed malware into a software update. That update went out to thousands of companies, including big government agencies and Fortune 500 firms. The attack spread quietly, and no one knew it was happening.
These companies weren’t hacked directly—they were affected because they trusted a vendor that got compromised.
Why Vendor Risk Is So Serious
Even if your company has great security, vendors can open the door to risk. Here’s why:
- You don’t control their systems
- They often have access to your data
- Their access is often left in place longer than it is needed
- You assume they’re secure
What Can Go Wrong?
If one of your vendors is breached, your business could face:
- A data breach
- System outages or shutdowns
- Legal problems or fines
- Loss of trust from customers
- Serious damage to your brand and reputation
And even if it wasn’t your fault, people will still hold you responsible.
What Your Company Can Do
The good news? You can manage third-party risk without becoming a cybersecurity expert. Steps your company can take:
1. Know Who You Work With
Keep a list of all vendors, contractors, and partners who:
- Use your systems
- Have access to your data
- Provide technology or cloud services
2. Sort by Risk Level
Some vendors are riskier than others. For example:
- A cleaning service is low-risk
- A cloud storage provider is high-risk
Start by focusing on the vendors that could cause the most damage if something went wrong.
3. Ask the Right Questions
Before hiring a vendor—or renewing a contract—ask:
- Do you have cybersecurity policies?
- How do you train your employees?
- Have you had a breach before?
- How would you alert us if something went wrong?
4. Limit Their Access
Only give vendors the access they need to do their work—and no more. Remove that access when:
- A project ends
- An employee leaves
- Access is no longer required
5. Add Security Language to Contracts
Make sure your contracts with vendors include:
- A requirement to notify you if they get hacked
- Minimum security standards
- Rules about how they handle your data
6. Review Regularly
Cybersecurity isn’t one-and-done. Check in on vendors at least once a year:
- Who still has access?
- Are they following security best practices?
- Has anything changed?
Everyone Plays a Role
You don’t have to work in IT to help keep your company safe. If you work with vendors, manage contracts, or bring on new partners, you have a part in reducing risk. Ask smart questions. Share your concerns. Remember, cybersecurity is a priority for the entire business, not just IT.
A company’s security is only as strong as the people and businesses it works with!
You can’t control everything your vendors do—but you can make sure you ask the right questions, set the right rules, and stay involved.
Because at the end of the day, keeping your business safe is everyone’s job.
Eric Anderson is a New Hampshire-based technology executive who translates real business challenges—like compliance, risk, and operational inefficiency—into practical, scalable technology solutions for small to mid-sized businesses.