
For most of cybersecurity’s history, defending an organization meant defending its perimeter: harden the network edge, control what comes in and goes out, and keep the bad actors on the outside. That model has quietly collapsed. The modern enterprise doesn’t operate inside a perimeter; it operates inside an ecosystem of vendors, SaaS platforms, cloud providers, software dependencies, and service partners. Each one is connected, trusted, and authenticated. Your attack surface is no longer just what you own. It’s everyone you’re connected to.
Attackers have noticed. The single most important shift in the threat landscape over the past two years isn’t a new piece of malware or a clever exploit; it’s a change in where the breach starts. Increasingly, it starts with someone else.
The shift is not subtle
The numbers tell a clear story. Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled in a single year, from 15% to 30%. This is the largest single-year jump in the report’s history, and early 2026 figures show the trend climbing further, approaching half of all breaches. IBM’s X-Force team puts the longer arc in perspective: major supply chain compromises have nearly quadrupled since 2020.
These are also the breaches you least want. According to IBM’s research, a supply chain compromise costs roughly $4.9 million on average, the highest of any breach type, and takes around 267 days to identify and contain, the longest lifecycle of any attack vector tracked. When the breach comes through a trusted vendor, alerts fire later, scoping is harder, and the cleanup takes longer.
Why it works: trust is the vulnerability
The mechanics are almost elegant in their simplicity.
Attackers don’t need to break your perimeter when a trusted vendor has already connected to it.
A compromised supplier’s credentials, or a malicious update to software you’ve already approved, carries the same authentication weight as your own systems. The defenses built to catch an outside intruder don’t trigger, because, as far as your environment is concerned, this isn’t an outsider. The canonical examples are now part of the security vocabulary: the SolarWinds compromise, where a poisoned software update reached thousands of downstream customers, and the MOVEit file-transfer breaches, which cascaded across hundreds of organizations through a single product flaw.
The pattern keeps repeating in new forms. Recent incidents have seen attackers steal OAuth tokens from a marketing automation vendor and use them to quietly reach the connected Salesforce environments of that vendor’s customers. No password cracking required, just abuse of a trust relationship that was already in place. IBM found that 44% of zero-day attacks in 2025 targeted managed file-transfer systems, precisely the infrastructure organizations use to exchange data with their vendors and partners. Attackers are deliberately aiming at the connective tissue between companies.
The blast radius keeps growing
A third-party compromise doesn’t stay contained, and that’s what makes it a leadership-level concern rather than an IT footnote. Research found that in 2025, each vendor breach publicly compromised an average of 5.28 downstream companies. The modern supply chain no longer breaks at its weakest link, but at its most connected one.
Worse, you may not find out for months. The same research measured an average of 117 days between a breach being detected and being publicly disclosed. This is known as the “silent window,” during which downstream victims remain exposed without knowing it. Layer on the reality that vast numbers of organizations depend on the same handful of cloud platforms, CRM systems, and managed service providers, and a single well-placed compromise becomes a systemic event affecting an entire sector at once.
There’s a software dimension to this as well. The open-source code woven into nearly every modern application is itself a supply chain. Researchers counted more than 454,600 new malicious open-source packages in 2025, a roughly 75% jump year over year. And the timing has inverted: 2026 research found attackers exploiting vulnerabilities an average of seven days before public disclosure, meaning your vendors can be exposed before a fix even exists.
This is everyone’s problem, across every sector
It’s tempting to read “supply chain” and picture manufacturers and perhaps specific firms. However, the exposure is universal, because the defining question isn’t what industry you’re in; it’s how many outside parties touch your data and operations. For the average enterprise, that number now runs into the hundreds or thousands.
Hospitals depend on third-party billing, imaging, and electronic health record providers. Financial firms rely on data aggregators, payment processors, and cloud cores. Manufacturers run on interconnected supplier networks and operational technology vendors. Recent disruptions to automakers, critical infrastructure, and major airports all traced back to compromises at a partner or supplier, not the victim organization itself. If you depend on someone else’s software, infrastructure, or service to operate—and every organization does—you have third-party risk.
The honest part: a questionnaire is not assurance
Here’s the uncomfortable gap at the center of the problem. A recent industry survey captured what’s been called the confidence paradox: roughly 90% of leaders said they were confident their business could keep operating through a vendor breach, even as 86% reported deep concern about supply chain risk. Both things can’t be fully true. The confidence tends to rest on programs that look reassuring on paper but don’t reflect how attacks actually unfold.
The clearest example is the annual vendor questionnaire. A completed questionnaire confirms that a form was filled out on a particular day, not that the vendor is secure today, next quarter, or at the moment they’re breached. Assurance at a point in time simply doesn’t match a real-time, continuously shifting threat. This is also why regulators have moved: the EU’s Digital Operational Resilience Act (DORA) now imposes detailed third-party risk obligations on financial entities, NIST’s Cybersecurity Framework 2.0 elevated supply chain risk management to a named governance outcome, and U.S. disclosure rules increasingly expect boards to oversee third-party cyber risk directly. The expectation has shifted from “do you have a process?” to “can you see your exposure in real time?”
What a credible program looks like
The good news is that third-party risk is manageable with discipline rather than a single purchase. A practical program rests on six pillars:
- Inventory and tier your vendors. You cannot manage what you cannot see. Build a complete inventory of third parties and rank them by the access they hold to sensitive data and critical operations, and by how hard they’d be to replace. Your attention should concentrate on the vendors who could actually hurt you, not be spread evenly across all of them.
- Put security requirements in the contract. Define minimum security standards, breach notification timelines, audit rights, and exit terms before you sign. The contract is your strongest point of leverage, and it disappears once the relationship is underway.
- Move from point-in-time to continuous monitoring. Supplement periodic assessments with ongoing visibility, tracking security ratings, control changes, and incident signals, so you learn about a vendor’s deterioration before it becomes your breach. An annual questionnaire is now a baseline gap, not a baseline control.
- Map concentration and fourth-party risk. Identify the central nodes whose failure would cascade across your operation, and understand your vendors’ vendors, the sub-processors and dependencies you don’t contract with directly but still rely on.
- Know your software bill of materials. For the software you build and buy, maintain visibility into open-source and third-party components (an SBOM) so that when the next widely used library is found vulnerable, you can answer “are we affected?” in hours, not weeks.
- Plan for the incident and the exit. Assume a vendor will be compromised, and rehearse it: who is notified, what you isolate, how you keep operating. Pair that with an exit plan for critical vendors. This is the single most neglected step in most programs, and the one that determines whether a vendor failure is an inconvenience or a crisis.
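To make the SBOM pillar concrete, here is an added example (not from the original article or LRS Security Solutions) of the “are we affected?” check: it parses a constructed CycloneDX JSON SBOM and matches each component’s package URL against a constructed advisory list with affected version ranges. The SBOM contents, advisory IDs, and version ranges are placeholders, not real findings.

```python
import json

# Constructed, minimal CycloneDX JSON SBOM; not a real product's SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"}
  ]
}"""

# Constructed advisory feed with placeholder IDs and ranges. In practice this
# would be pulled from OSV, NVD, or a vendor bulletin, in the same shape.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:npm/lodash",
     "introduced": "0", "fixed": "4.17.21"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
]

def parse_version(v):
    # Dotted numeric versions only; pre-release suffixes are ignored here.
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def split_purl(purl):
    # "pkg:npm/lodash@4.17.20" -> ("pkg:npm/lodash", "4.17.20"); qualifiers not handled.
    base, _, version = purl.rpartition("@")
    return base, version

def affected_components(sbom_json, advisories):
    """Return (advisory id, purl) pairs for SBOM components inside an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched reliably
        base, version = split_purl(purl)
        v = parse_version(version)
        for adv in advisories:
            # Affected when introduced <= version < fixed (the fixed version itself is clean).
            if adv["purl"] == base and parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((adv["id"], purl))
    return hits

if __name__ == "__main__":
    for adv_id, purl in affected_components(SBOM_JSON, ADVISORIES):
        print(f"AFFECTED {adv_id}: {purl}")
```

Run against a real SBOM export and a live advisory feed, the same loop is what turns “weeks” into “hours”; the log4j-core entry shows why exact version comparison matters, since it sits on the fixed version and is correctly reported clean.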
The bottom line
The perimeter you control is now a small part of the attack surface for which you’re responsible. Third-party and supply chain compromise has become the dominant intrusion pattern precisely because it turns trust into the path of least resistance. The organizations that handle this well aren’t the ones with the most vendors or the fewest; they’re the ones who can answer three questions at any moment: Who has access to what? How would we know if one of them were compromised? And what would we do next?
Most organizations cannot answer those three questions today. That gap is the work.
LRS Security Solutions helps organizations build and mature third-party risk management programs, from vendor inventories and risk tiered assessments to continuous monitoring and incident readiness. If you’d like to talk through where your program stands, contact us here.