Your Biggest IT Risk May Not Be Inside Your Business
When business owners think cybersecurity, they usually associate it with locking down their own systems and network: tools, policies, practices, and procedures that reduce cyber risk. Obviously, those things are crucial…but they miss where a growing percentage of real-world problems are coming from: your partners.
The data is pretty clear at this point:
- Nearly 44% of businesses have experienced a data breach caused by a third party in the past year (https://wifitalents.com/third-party-data-breach-statistics/)
- More than one-third of breaches are tied to third-party access or vulnerabilities (https://www.digit.fyi/third-party-breach-report/)
That’s a significant pattern, and it leads to a conclusion that most small and mid-sized businesses aren’t quite ready to accept: You’re not just managing your own risk anymore. You’re inheriting the risk of every vendor, partner, and “trusted expert” you rely on and work with.
That would be concerning enough if the only vendors we were talking about were large software companies and cloud providers. But for most SMBs, the more immediate (and often more dangerous) risk sits much closer to home.
When “That Guy” Becomes the Single Point of Failure
Consider a VERY COMMON story of how businesses become our clients. Before coming to us, a business had been using the same IT guy for years. He was cheap, familiar, and seemed generally able to keep things running.
Seemingly small issues began to creep in: systems slowing down, odd behavior from servers, the occasional unexplained hiccup. Nothing that appeared catastrophic, but just enough friction to be annoying. The kind of thing most businesses shrug off because “that’s just how IT is sometimes.” But those small blips weren’t random. They were early warning signs.
When we finally got visibility into the environment, what we found wasn’t a clean, stable system that needed a few tweaks. It was what we call a “hobby IT farm.” The setup was non-standard, overly complicated, and held together by a series of fragile dependencies that only made sense to the person who built it.
There was no meaningful documentation. No clear structure. No redundancy. And perhaps most concerning of all, there were no reliable backups. Everything—the business’s operations, data, and ability to function—was effectively riding on one person’s memory and a collection of systems that had no business being in production. It worked, in the same way a leaning tower “works” right up until the moment it doesn’t.
Had they waited even a couple more weeks, there’s a very real chance the entire system would have failed. Not slowed down. Not glitched. Failed. At that point, recovery wouldn’t have been a matter of inconvenience. It would have been a scramble, with no guarantees that everything could be restored.
What makes this situation particularly dangerous is that it didn’t feel dangerous. From the client’s perspective, they had a trusted partner, things were mostly working, and there was no obvious reason to question it.
And that’s exactly why it’s so common.
When the Vendor Becomes the Problem
If that story sounds uncomfortable, it should. But it gets worse, because sometimes the risk isn’t just poor design or lack of oversight. Sometimes it’s something completely outside your control.
Consider a medical practice we have worked with. They were using a third-party EMR vendor that marketed itself as HIPAA-compliant. Everything appeared to be in order, and like most organizations in their position, they trusted that the system handling their most sensitive data was being managed properly.
Until the vendor got hacked…and stopped responding to the business altogether!
Inside the practice, the impact was immediate and severe. Systems became inaccessible, staff couldn’t retrieve the information they needed, and billing operations came to a halt. At the same time, they were forced to deal with the fallout of a data breach, including notifying patients and navigating the legal implications. What started as an IT issue quickly escalated into a legal, financial, and reputational crisis.
And then came the final blow: the vendor failed to provide the backup data they were supposed to maintain. The system that was meant to safeguard patient information became the single point of failure that nearly brought the entire operation to a standstill.
The Common Thread
These two situations look different on the surface (one is a “trusted IT guy,” the other a third-party software vendor), but the underlying issue is exactly the same. In both cases, the business outsourced critical responsibility without having visibility into how that responsibility was being handled. And in both cases, that lack of visibility turned into risk.
This is where a lot of businesses get tripped up. Trust is treated as a substitute for verification, and familiarity is mistaken for stability. But systems don’t care how long you’ve worked with someone or how confident they sound when they say, “it’s handled.”
What You Can Do About It
You don’t have time to become a cybersecurity expert, and you don’t need to become one to protect your business. You do, however, need to stop operating on assumptions. A few practical steps go a long way:
- Get independent visibility into your environment
  Even if you trust your current IT partner or vendor, you should still have a clear, documented understanding of how your systems are structured, where your data lives, and how it’s protected. If no one can explain that in plain terms, that’s a problem.
  - “Can you walk me through, in plain English, how our systems are set up?”
  - “Where does our critical data live right now?”
  - “If you disappeared tomorrow, what documentation exists so someone else could step in?”
- Verify backups
  Backups are one of those things everyone assumes are in place until they aren’t. Ask where they are, how often they run, and when they were last tested. A backup that hasn’t been tested is just a theory.
  - “Where are our backups stored, and are they separate from our main systems?”
  - “How often are backups run, and how far back can we restore?”
  - “When was the last time you successfully tested a full restore?”
- Treat vendors and partners as part of your risk surface
  If a third party has access to your systems or data, their security posture matters just as much as yours. That doesn’t mean you need to audit everything, but it does mean asking better questions and expecting better answers.
  - “What access do you (or your company) have to our systems and data?”
  - “What security measures are in place on your side to protect that access?”
  - “If something goes wrong on your end, how and when would we be notified?”
These aren’t failsafe questions. There are no failsafe questions. But what you are looking for is conscious attention to the cyber risk problem. If the partner doesn’t have any answers to these, or treats them nonchalantly, or offers broad generalities, that should be a red flag. You want clear and specific answers that make sense in normal English (not jargon).
Most businesses don’t get taken down by a single dramatic failure. Instead, it’s a slow build of unseen risk: quiet decisions, trusted relationships, and systems that “mostly work” until, suddenly, they don’t.
Conclusion
To sum up, your cyber risk isn’t just about you. It’s about everyone you do business with (and vice versa – their cybersecurity depends on you, too). Exercise some due diligence when you engage a partner or vendor to make sure they aren’t bringing risk to the relationship.
