My Company Got Hacked Through Our Vendor: A CISO’s Guide to Third-Party Risk

By a Chief Information Security Officer (CISO) who survived a major third-party breach.

[Illustration: a company's secure digital fortress with a broken link in its supply chain, representing the danger of third-party cyber risk.]

CRISIS OPENING: March 18, 2025, 6:47 AM. My phone rang. Our managed IT service provider—the company that handled our entire network—had been breached. By 7:15 AM, I learned that attackers had used their privileged access to deploy ransomware across 47 of their clients, including us. We weren’t hacked because our security was weak. We were hacked because theirs was. This is the third-party cyber risk crisis, and it’s why 29% of all data breaches now start with a vendor. If you work with contractors, cloud providers, or software vendors (and you do), this is your wake-up call. Here’s what happened to us, and the framework that prevents it from happening to you.

What Is Third-Party Cyber Risk?

In the simplest terms, third-party cyber risk is the security threat posed by any external organization that has access to your systems, data, or networks. This includes your cloud provider (like AWS or Azure), your payroll processor (like ADP), your marketing software (like HubSpot), and even the small IT shop that manages your office Wi-Fi.

Why is this risk exploding in 2025?

  • Digital Transformation: The move to the cloud means that critical business functions are no longer inside your own four walls. With 85% of companies now using cloud services, your data is spread across dozens of vendors.
  • Interconnected Systems: Modern businesses are ecosystems. Your payment processor connects to your CRM, which connects to your email marketing tool. A breach in one can create a domino effect.
  • Attacker Economics: Why spend months trying to hack one well-defended company when you can hack their less-secure managed service provider (MSP) and get access to 50 clients at once? Attackers are exploiting the path of least resistance, and that path often runs through your supply chain.

The numbers from October 2025 are staggering. A recent report from SecurityScorecard confirmed that nearly a third of all breaches (29%) originate from third parties. Even more alarming, an AHA Cybersecurity Review found that 80% of stolen credentials that led to healthcare breaches came from compromised vendor accounts. This is compounded by a massive resource gap: 73% of companies have only two or fewer people assigned to manage the security of over 300 vendors. It’s an unsustainable and dangerous situation.

The four risk types, with what each means and a real example from 2025:

  • Operational Risk: A vendor outage disrupts YOUR business operations. Real example (2025): the massive CrowdStrike outage in July 2025 grounded flights and halted production lines globally.
  • Cyber Risk: A breach at your vendor exposes YOUR data. Real example (2025): the Change Healthcare breach, where a vendor compromise led to the exposure of 190 million patient records.
  • Compliance Risk: Your vendor’s non-compliance results in YOUR fine. Real example (2025): a company being fined under GDPR because their data processor mishandled user data.
  • Reputational Risk: A scandal at your vendor damages YOUR brand’s image. Real example (2025): a fashion brand facing backlash after their third-party manufacturer was exposed for unethical labor practices.

The Breach That Changed Everything (Our Story)

To make this real, I’m going to share the anonymized timeline of our vendor-induced breach. This is what it looks like when third-party risk becomes a third-party disaster.

Timeline: March 18, 2025

6:47 AM: The Call
I was on my way to the gym when our managed IT provider (let’s call them “TechSupport Co”) called. Their on-call engineer sounded panicked. He said they had detected ransomware activity across their client base. We later learned the attackers had been inside their network for 11 days, silently mapping out their access and stealing admin credentials.

7:15 AM: Impact Assessment
The picture became clearer and grimmer. The attackers had used TechSupport Co’s own remote management tools to pivot into their clients’ networks. A total of 47 of their clients, including our mid-sized manufacturing company, were hit simultaneously. Our file servers were encrypted, our databases were locked, and our production line systems were offline. The ransom demand was $2.3 million, directed at TechSupport Co, not us individually. But that didn’t matter—we were dead in the water.

8:30 AM: Emergency Response
We immediately severed all network connections to TechSupport Co. This included VPN tunnels and API keys. We activated our internal team, following the steps in our Incident Response Framework Guide. Our next calls were to our cyber insurance carrier and our legal counsel.

Day 2-7: The Painful Recovery
We made the hard call not to trust anything TechSupport Co had touched. This meant we had to rebuild our core network infrastructure from scratch. Fortunately, we had followed a robust backup strategy, including offline, air-gapped copies. This was our saving grace. We restored our systems from these trusted backups, a process detailed in our Complete Ransomware Survival Guide.

The forensic investigation revealed the devastatingly simple root cause: TechSupport Co did not have multi-factor authentication (MFA) enabled on their domain administrator accounts. An attacker had phished one of their engineers and gained the keys to their entire kingdom.

Total Damage:

  • Downtime: 6 business days
  • Direct Costs: $480,000 (forensics, legal fees, overtime, and the cost of rebuilding servers)
  • Ransom Paid: $0 (because we had working, offline backups)
  • Vendor Relationship: Terminated (obviously)

The Worst Part: We had asked TechSupport Co about their security. During the vetting process, they sent us a SOC 2 report from 2023. We didn’t check the date. We didn’t verify if it was still valid. We didn’t perform our own audit. We trusted a two-year-old piece of paper, and it cost us dearly.

The 4 Types of Third-Party Cyber Risk

Our breach was a “Direct Access” risk, but there are four main categories you need to understand.

Risk #1: Direct Access Risk
This is when a vendor has a direct line into your network, like a VPN or remote admin tool. This is the highest-risk category.

  • Example: Managed Service Providers (MSPs), IT support consultants, cloud hosting providers.
  • Mitigation: Enforce a zero-trust architecture. Grant just-in-time, temporary access instead of “always-on” connections. Learn more in our Secure Remote Work Guide.

Risk #2: Data Processing Risk
This is when a vendor stores, processes, or handles your sensitive data, but doesn’t necessarily have access to your core network.

  • Example: Payroll providers, CRMs like Salesforce, and email marketing platforms.
  • Mitigation: Data encryption (at rest and in transit), strong contractual liability clauses, and a clear understanding of their security posture, which we cover in our Salesforce Data Exfiltration Defense Guide.

Risk #3: Software Supply Chain Risk
This risk comes from the code and components within the software you buy. A vulnerability in a widely used library can affect thousands of companies at once.

  • Example: The SolarWinds breach (2020) and the Log4j vulnerability (2021).
  • Mitigation: Require a Software Bill of Materials (SBOM) from your vendors so you know what components are in their products. Then, use continuous monitoring to check for flaws. This is a core part of our Guide to Fixing Unpatched Vulnerabilities.
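The SBOM check described above, as an added Python example rather than code from the article or any vendor's tooling. It reads a minimal CycloneDX-style SBOM (a constructed sample, not a real product's bill of materials) and matches each component against a constructed advisory list with placeholder IDs; the log4j-core version boundary is only an illustration of the 2021 fix, so a real feed is the source of truth. Components delivered without a version number are reported too, because an entry that cannot be matched is a gap in the review, not a clean result.

```python
"""Check a CycloneDX-style SBOM against an advisory list (added example, not from the article)."""
from __future__ import annotations

import json
import re

# Constructed SBOM in the CycloneDX JSON layout a vendor might deliver. The component
# names and versions are sample data, not a real product's bill of materials.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "name": "example-json-parser", "version": "3.2.0"},
        {"type": "library", "name": "vendor-internal-lib"},   # no version given
    ],
})

# Constructed advisory feed. IDs are placeholders; the log4j-core range mirrors the
# 2021 Log4j fix boundary only as an illustration, so check a real feed before relying on it.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-002", "group": None, "name": "example-json-parser",
     "introduced": "3.0.0", "fixed": "3.2.1", "severity": "high"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); numeric parsing stops at a label such as 'beta9'."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def scan_sbom(sbom_json: str, advisories: list[dict]) -> list[dict]:
    """Return one finding per vulnerable or unversioned component in the SBOM."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, group, version = comp.get("name"), comp.get("group"), comp.get("version")
        if not version:
            # An entry without a version cannot be matched against any advisory,
            # so surface it instead of letting it pass silently.
            findings.append({"component": name, "version": None, "advisory": None,
                             "severity": "unknown", "reason": "unversioned component"})
            continue
        for adv in advisories:
            if adv["name"] != name or (adv["group"] and adv["group"] != group):
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "reason": f"affected range {adv['introduced']} <= v < {adv['fixed']}"})
    return findings


if __name__ == "__main__":
    for finding in scan_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(finding)
```

Run against the sample, the scan reports the old log4j-core build and the JSON parser as affected, leaves the patched log4j-core alone, and flags the unversioned library for follow-up with the vendor.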

Risk #4: Fourth-Party Risk
This is the risk posed by your vendor’s vendors. You might not even know these companies exist, but a breach at their level can still affect you.

  • Example: Your cloud provider uses a third-party data backup service. If that backup service is breached, your data could be exposed.
  • Mitigation: Your vendor questionnaire must include the question: “Who are your critical vendors, and how do you manage their security?”

The TPRM Framework: A CISO’s Guide to Vendor Assessment

After our breach, we built a Third-Party Risk Management (TPRM) framework from the ground up. Here are the actionable steps.

Step 1: Vendor Classification (Assess Criticality)

Not all vendors are created equal. Classify them into tiers to focus your resources where the risk is highest.

  • Critical: Has direct access to systems or highly sensitive data. Assessment frequency: quarterly. Examples: cloud provider, payroll, MSP.
  • High: Processes sensitive data but has limited system access. Assessment frequency: semi-annually. Examples: email marketing, CRM.
  • Medium: Minimal data interaction, no system access. Assessment frequency: annually. Example: office supply vendor.
  • Low: No data access, no system access. Assessment frequency: initial vetting only. Example: event catering service.

Step 2: Initial Due Diligence (The 12 Questions You MUST Ask Before Signing)

This is where we failed. Don’t make our mistake. Before you sign any contract, get satisfactory answers to these questions:

  1. Do you have a current SOC 2 Type II certification? (Action: Ask to see the report and check the date.)
  2. When was your last third-party penetration test? (Action: Request the executive summary.)
  3. Do you enforce Multi-Factor Authentication (MFA) for all administrative accounts? (Non-negotiable.)
  4. What is your Incident Response Plan? (Action: Ask to review their plan.)
  5. What is your cyber insurance coverage? (Look for at least $5-10 million in coverage for critical vendors.)
  6. Have you suffered a data breach in the last 3 years? (If yes, what changed as a result?)
  7. Do you encrypt our data at rest and in transit?
  8. What specific access will you require to our systems? (Document everything.)
  9. Who are your critical vendors (our fourth-party risk)?
  10. What is your data retention and deletion policy upon contract termination?
  11. Are you compliant with regulations relevant to our business (e.g., GDPR, HIPAA, PCI-DSS)?
  12. Will you sign our security addendum, which includes a 24-hour breach notification clause?

Step 3: Continuous Monitoring (The 2025 Best Practice)

The old method of sending an annual questionnaire is dead. Security posture changes daily. A recent SecurityScorecard report emphasized that AI-driven, continuous monitoring is now essential.

  • Automated Security Ratings: Use tools like SecurityScorecard, BitSight, or UpGuard. These platforms continuously scan your vendors’ external security posture and give them a letter grade (A-F), just like a credit score.
  • Real-Time Alerts: Configure these tools to send you an alert if a critical vendor’s security score suddenly drops, or if a new, severe vulnerability is discovered on their network.
  • Dark Web Monitoring: These services can also monitor the dark web for leaked credentials associated with your vendors. This is critical for catching credentials harvested by Infostealer Malware before they are used against you.
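Steps 1 to 3 worked through in one added Python example, which is not code from the article or from any ratings platform. It classifies vendors into the four tiers, computes the next assessment date from the tier's cadence, runs the checks behind questions 1, 3 and 12 (SOC 2 report age, MFA on admin accounts, 24-hour notification clause) and decides when a letter-grade drop should raise an alert. The vendor records are constructed; "TechSupport Co" reuses the article's pseudonym and its 2023 SOC 2 date, and the 12-month limit on SOC 2 report age is an assumption chosen so that a two-year-old report fails.

```python
"""Vendor tiering, pre-signing checks and score-drop alerts (added example, not from the article)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assessment cadence per tier, in months, from the tier table in Step 1.
ASSESSMENT_INTERVAL_MONTHS = {"Critical": 3, "High": 6, "Medium": 12, "Low": None}

# Thresholds for the Step 2 checks. The 24-hour notification clause is question 12;
# the 12-month SOC 2 age limit is an assumption, chosen so a two-year-old report fails.
MAX_SOC2_AGE_MONTHS = 12
MAX_BREACH_NOTIFICATION_HOURS = 24

# Letter grades from a ratings platform (Step 3), ranked for comparison.
GRADE_RANK = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}

REVIEW_DATE = date(2025, 3, 18)  # the article's breach date, used as "today" in the sample run


@dataclass
class Vendor:
    name: str
    access: str                       # "direct", "limited" or "none"
    data: str                         # "highly_sensitive", "sensitive", "minimal" or "none"
    soc2_report_date: date | None = None
    mfa_on_admin: bool = False
    breach_notification_hours: int | None = None
    last_assessed: date | None = None


def classify_tier(v: Vendor) -> str:
    """Map access level and data sensitivity onto the four tiers."""
    if v.access == "direct" or v.data == "highly_sensitive":
        return "Critical"
    if v.data == "sensitive":
        return "High"
    if v.data == "minimal":
        return "Medium"
    return "Low"


def months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + later.month - earlier.month


def add_months(d: date, months: int) -> date:
    idx = d.month - 1 + months
    return date(d.year + idx // 12, idx % 12 + 1, min(d.day, 28))  # day clamped so every month is valid


def next_assessment_due(v: Vendor, today: date) -> date | None:
    """Next assessment date, or None for Low-tier vendors vetted only once."""
    interval = ASSESSMENT_INTERVAL_MONTHS[classify_tier(v)]
    if interval is None:
        return None
    if v.last_assessed is None:
        return today  # never assessed: due now
    return add_months(v.last_assessed, interval)


def due_diligence_findings(v: Vendor, today: date) -> list[str]:
    """Failures against questions 1, 3 and 12 of the pre-signing checklist."""
    findings = []
    if v.soc2_report_date is None:
        findings.append("no SOC 2 Type II report provided")
    else:
        age = months_between(v.soc2_report_date, today)
        if age > MAX_SOC2_AGE_MONTHS:
            findings.append(f"SOC 2 report is {age} months old")
    if not v.mfa_on_admin:
        findings.append("MFA not enforced on administrative accounts")
    if v.breach_notification_hours is None or v.breach_notification_hours > MAX_BREACH_NOTIFICATION_HOURS:
        findings.append("no 24-hour breach notification clause")
    return findings


def score_drop_alert(v: Vendor, previous: str, current: str) -> bool:
    """Alert on any grade drop for Critical/High vendors, or a drop to D or F for any vendor."""
    if GRADE_RANK[current] >= GRADE_RANK[previous]:
        return False
    return classify_tier(v) in ("Critical", "High") or GRADE_RANK[current] <= GRADE_RANK["D"]


def review(vendors: list[Vendor], today: date) -> dict[str, dict]:
    return {v.name: {"tier": classify_tier(v),
                     "next_assessment": next_assessment_due(v, today),
                     "findings": due_diligence_findings(v, today)} for v in vendors}


# Constructed vendor records. "TechSupport Co" reuses the article's pseudonym; its
# 2023 SOC 2 date is the one detail taken from the story, the rest is sample data.
SAMPLE_VENDORS = [
    Vendor("TechSupport Co", access="direct", data="sensitive",
           soc2_report_date=date(2023, 6, 1), mfa_on_admin=False,
           breach_notification_hours=72, last_assessed=date(2025, 1, 10)),
    Vendor("Mail Campaign Inc", access="limited", data="sensitive",
           soc2_report_date=date(2024, 11, 15), mfa_on_admin=True,
           breach_notification_hours=24, last_assessed=date(2024, 12, 1)),
    Vendor("Catering Co", access="none", data="none"),
]

if __name__ == "__main__":
    for name, result in review(SAMPLE_VENDORS, REVIEW_DATE).items():
        print(name, result)
```

In the sample run the MSP lands in the Critical tier with three findings (a 21-month-old SOC 2 report, no admin MFA, no 24-hour clause), which is exactly the vetting outcome the story says was missed, while a B-to-C drop alerts for it but not for the Low-tier caterer.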

What to Do When Your Vendor Gets Breached (The 6-Hour Playbook)

When you get that dreaded call, panic is not an option. You need a playbook.

Hour 1: Assess & Contain

  • Immediately sever all connections to the vendor. This includes VPNs, APIs, and any remote access. Assume you are compromised until proven otherwise.
  • Activate your internal incident response team.

Hour 2-3: Investigation

  • What data did the vendor have? What systems could they access?
  • Were any passwords or credentials shared between your organizations? (One more reason to follow our Password Security Guide.)
  • Check all logs for suspicious activity originating from the vendor’s IP addresses or accounts.

Hour 3-4: Notifications

  • Engage your legal counsel to determine notification obligations.
  • Notify your cyber insurance carrier immediately.
  • Notify regulatory bodies if required by laws like the SEC Cyber Rules or GDPR.

Hour 4-6: Remediation

  • Reset all credentials the vendor had access to.
  • Patch any systems the vendor managed.
  • Review all firewall rules and network configurations they might have touched.
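The Hour 2-3 log check, as an added Python example (not code from the article). It takes a constructed key=value audit-log format and sample lines, a vendor source range (the 203.0.113.0/24 documentation block, an assumption) and placeholder vendor account names, and keeps only events attributable to the vendor inside a lookback window set to the article's 11-day dwell time before the 6:47 AM call. Each flagged event records why it matched (vendor IP, vendor account, or both), and the summary separates out vendor accounts used from non-vendor addresses, which is the pattern to look for when shared credentials may have been reused inside your network.

```python
"""Triage of log lines for activity from a breached vendor (added example, not from the article)."""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed key=value audit-log format; real sources (VPN, AD, EDR) differ and need their own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Actions worth a second look when a vendor account performed them.
PRIVILEGED_ACTIONS = {"group_add", "account_create", "policy_change", "schedule_task"}

# Constructed sample: the vendor source range uses the 203.0.113.0/24 documentation block
# (an assumption), and the vendor's named accounts are placeholders.
VENDOR_NETWORKS = ["203.0.113.0/24"]
VENDOR_ACCOUNTS = {"techsupport-admin", "techsupport-rmm"}
NOTIFIED_AT = datetime(2025, 3, 18, 6, 47, tzinfo=timezone.utc)  # the 6:47 AM call

SAMPLE_LOG = """
2025-03-01T09:00:00Z host=fs01 user=techsupport-admin src=203.0.113.20 action=login result=success
2025-03-09T02:14:33Z host=dc01 user=techsupport-admin src=203.0.113.45 action=login result=success
2025-03-09T02:16:10Z host=dc01 user=techsupport-admin src=203.0.113.45 action=group_add result=success
2025-03-10T08:05:00Z host=fs01 user=jsmith src=10.0.5.12 action=login result=success
2025-03-12T23:40:00Z host=erp01 user=svc-backup src=203.0.113.77 action=login result=success
2025-03-15T03:02:00Z host=plc-gw01 user=techsupport-admin src=10.0.9.3 action=login result=failure
this line is malformed and must not crash the triage
2025-03-17T22:10:00Z host=fs02 user=jsmith src=10.0.5.12 action=file_read result=success
""".strip().splitlines()


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def triage(lines, vendor_networks, vendor_accounts, notified_at, dwell_days=11):
    """Return events attributable to the vendor within the lookback window, oldest first."""
    window_start = notified_at - timedelta(days=dwell_days)
    nets = [ipaddress.ip_network(n) for n in vendor_networks]
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ts"] < window_start:
            continue
        reasons = []
        if any(ev["src"] in net for net in nets):
            reasons.append("vendor_ip")
        if ev["user"] in vendor_accounts:
            reasons.append("vendor_account")
        if reasons:
            ev["reasons"] = reasons
            flagged.append(ev)
    return sorted(flagged, key=lambda e: e["ts"])


def summarize(flagged):
    """Scope for the Hour 2-3 questions: which hosts, which accounts, what was changed."""
    return {
        "hosts": sorted({e["host"] for e in flagged}),
        "accounts": sorted({e["user"] for e in flagged}),
        "privileged_actions": sum(e["action"] in PRIVILEGED_ACTIONS for e in flagged),
        # Vendor credentials used from a non-vendor address: a sign of reuse inside your network.
        "vendor_account_from_internal_ip": sum(e["reasons"] == ["vendor_account"] for e in flagged),
    }


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, VENDOR_NETWORKS, VENDOR_ACCOUNTS, NOTIFIED_AT)
    for ev in hits:
        print(ev["ts"].isoformat(), ev["host"], ev["user"], ev["action"], ev["reasons"])
    print(summarize(hits))
```

On the sample, the login from before the window and the internal users drop out, the group change on the domain controller counts as a privileged action, and the vendor account seen from an internal address on the production gateway stands out as the first thing to chase.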

This is a high-level overview. For a detailed checklist, use our complete Incident Response Framework Guide.

The 2025 Compliance Landscape

As of October 2025, regulators are cracking down on third-party risk. You are no longer just responsible for your own security; you are responsible for your vendors’ security as well.

NIS2 Directive (EU):

  • Applies to critical infrastructure and major digital service providers.
  • Mandates formal vendor risk assessments and supply chain security policies.
  • Requires notification of significant incidents within 24 hours.

DORA (Digital Operational Resilience Act – EU):

  • Specifically targets the financial sector.
  • Requires firms to map their third-party dependencies and test their resilience.
  • Mandates specific contractual provisions for vendor security.

SEC Cyber Rules (US):

  • Requires public companies to disclose material cyber incidents (including those from third parties) within four business days.
  • Demands disclosure of the company’s processes for assessing and managing cybersecurity risks, including from vendors.

These regulations, discussed in a recent HelpNetSecurity video, mean that having a TPRM program is no longer a best practice; it’s a legal requirement. Mismanaging a vendor like your M365 provider could trigger a full M365 Misconfiguration Kill Chain.

Conclusion

Six months after our vendor breach, we’ve rebuilt everything. We have a new IT provider, ironclad contracts, and a new way of thinking. We now continuously assess our 340 vendors using an automated security ratings platform. The cost is about $18,000 per year. That’s less than 4% of what the breach cost us in one week.

Third-party cyber risk isn’t a theoretical exercise for a compliance team. It is the #1 attack vector in 2025. It’s the unlocked back door to your organization. Every company is only as secure as its weakest supplier. If you don’t know which vendors have access to what data, you are already dangerously behind. Start asking the tough questions today. Your company’s survival could depend on it.