Cyber resilience is a shared responsibility, argues Richard Ford, Chief Technology Officer at Integrity360, a cyber security and payments compliance firm.
As cyber threats continue to grow in sophistication and scale, organisations are facing a sobering reality: even the most robust internal security measures can be rendered ineffective by weaknesses in their third-party ecosystem. Recent research reveals that 98pc of Europe’s top 100 companies have faced third-party breaches over the past year. With suppliers, service providers, contractors, and cloud platforms now deeply embedded in everyday business operations, managing third-party risk is no longer optional – it’s a strategic necessity.
Why third-party risk is often overlooked
Despite its critical importance, third-party risk remains one of the most underestimated areas in cybersecurity. Too many organisations still operate under the belief that if their internal systems are strong, they’re safe. So, budgets and bandwidth get spent hardening their own defences – endpoint protection, network segmentation, employee training – while overlooking the fact that today’s digital perimeter extends far beyond their own infrastructure. This oversight can be costly.
These breaches often stem from inadequate vetting, poor visibility into vendor security practices, and a lack of continuous monitoring. The assumption that external partners maintain the same level of cybersecurity maturity is a dangerous one – and attackers know it.
The business impact: real-world consequences of supply chain breaches
Third-party breaches can have devastating consequences, ranging from operational disruption to reputational damage and regulatory penalties. One of the most notable examples is the Target data breach, where attackers gained access to customer data through a compromised HVAC vendor. The incident cost the company over $200 million and led to a significant loss of consumer trust.
More recently, at least one of the highly impactful retail breaches originated from a third-party provider. These incidents underscore a troubling trend: attackers are increasingly targeting the supply chain as a means to bypass hardened defences and gain access to sensitive data. These aren’t just PR headaches – they can cause irreversible damage to an organisation.
In the financial sector, the stakes are even higher. With financial entities increasingly reliant on external technology and data service providers, the Digital Operational Resilience Act (DORA) mandates a robust framework to ensure these partnerships do not become weak links in the cyber resilience chain. Under DORA, financial institutions must carry out comprehensive due diligence before entering into agreements with third-party service providers. This includes assessing the provider’s operational resilience, cybersecurity protocols, and incident response capabilities. Once onboarded, these relationships are governed by stringent contractual obligations that clearly define responsibilities, reporting lines, access rights, and termination clauses – all with a focus on maintaining business continuity and data protection.
Best practices: building a robust third-party risk management framework
Managing third-party risk is no longer about ticking a box. To manage it effectively, organisations must adopt a proactive, intelligence-led approach that spans the entire third-party lifecycle. Best practices across that lifecycle should include:
Due diligence and onboarding: Before entering into any agreement, organisations should conduct a comprehensive assessment of the third party’s cyber security posture. This includes evaluating their incident response capabilities, data protection measures, and compliance with relevant regulations.
Contractual safeguards: Ensure contracts clearly define roles, responsibilities, access rights, and termination clauses. Include provisions for regular audits, breach notification timelines, and data handling protocols.
Continuous monitoring: Third-party risk doesn’t end at onboarding. Implement tools and processes to continuously monitor vendor performance, detect anomalies, and respond to emerging threats in real time.
Risk tiering and prioritisation: Not all third parties pose the same level of risk. Categorise vendors based on the sensitivity of the data they handle and the criticality of the services they provide. Focus resources on high-risk relationships.
Incident response integration: Ensure third parties are integrated into your incident response plans. In the event of a breach, coordinated action is essential to contain damage and maintain business continuity.
The goal is to build a living, breathing third-party risk management (TPRM) program that adapts to threats, enforces accountability, and supports the business as it scales.
TPRM is no longer a back-office function – it’s a boardroom priority. Ultimately, the value of managing third-party risk goes beyond protection. It’s about enabling confidence in your digital ecosystem. As cyber threats continue to exploit supply chain vulnerabilities, organisations must shift from reactive, compliance-driven models to proactive, intelligence-led strategies.
When done well, TPRM strengthens business continuity, safeguards brand reputation, and ensures compliance with tightening regulations. It also improves collaboration between security, procurement, legal, and operations teams – ensuring that cybersecurity becomes part of business-as-usual, not a roadblock to innovation.
Building a cyber-resilient supply chain isn’t just about technology. It’s a cultural shift. It means setting expectations with suppliers, investing in shared resilience, and recognising that trust must be earned and verified continuously.