Third-Party Vendors Caused 48% of Data Breaches Last Year — Is Your Business at Risk?

The Breach That Didn’t Come From You

The 2026 Verizon Data Breach Investigations Report (DBIR) just revealed something alarming: third-party vendors and supply chain partners now cause 48% of all data breaches—up 60% from the previous year.

Nearly half of all breaches don’t start with your systems. They start with someone you trust: your accountant’s software, your HVAC contractor’s remote access, your web designer’s admin credentials, your payroll provider’s cloud platform.

And most small businesses have no idea which vendors have access to their systems, what data those vendors can see, or whether those vendors are following basic security practices.

Here’s why vendor-related breaches are surging, which vendors pose the biggest risk, and how to audit and reduce third-party risk without becoming paranoid or alienating the partners you rely on.

The Numbers: Why Vendor-Related Breaches Are Exploding

2026 Verizon DBIR Key Findings

• Third-party supply chain breaches jumped 60% year-over-year
• Now account for 48% of all data breaches (nearly half)
• Mid-market vendors average 197 days to detect vulnerabilities, 60 days to remediate
• Attackers increasingly target vendors as easier entry points than hardened primary targets

Why the Surge?

1. More interconnected systems

Everything’s connected now: cloud platforms, SaaS tools, APIs linking systems together. Every connection is a potential entry point.

2. Weakest link strategy

Attackers go after vendors with weaker security instead of attacking you directly. Why try to breach your hardened defenses when they can compromise your contractor who has admin access?

3. Supply chain complexity

Most businesses use 10-50+ third-party vendors and lose track of who has access to what. That complexity creates blind spots.

4. Vendor security blind spots

You spent time and money hardening your own defenses, but you probably haven’t audited your vendors’ security practices.

The Vendor Breach Pattern

1. Attacker compromises vendor (accounting firm, IT contractor, software provider)
2. Uses vendor’s legitimate access to your systems to steal data or deploy ransomware
3. You never see it coming because the access looks legitimate—it’s your trusted vendor
4. By the time you discover the breach, damage is done

Why SMBs Overlook Vendor Risk (The Trust Problem)

You trust your vendors. That’s the problem.

Common SMB Vendor Relationships

Think about who has access to your systems right now:

• Your accountant has access to financial systems and sensitive financial data
• Your IT contractor has admin credentials to your Microsoft 365 tenant
• Your HVAC company has remote access to building controls (which are often on your network)
• Your web designer has admin access to your website and hosting account
• Your payroll provider has employee SSNs, bank accounts, and addresses
• Your cloud backup vendor stores literally everything
• Your bookkeeper has access to QuickBooks
• Your marketing agency has access to customer databases and email lists

Why You Don’t Think About Their Security

• “They’re professionals, they know what they’re doing” (maybe, maybe not)
• “We’ve worked with them for years” (trust doesn’t equal security)
• “They’re a reputable company” (big companies get breached too—remember Target’s 2013 HVAC contractor breach)
• “We need them to do their job” (true, but access should have proper controls)
• “Asking security questions might offend them” (if they’re offended by basic security questions, that’s a massive red flag)

The Uncomfortable Truth

Most SMBs can’t answer these basic questions:

• Which vendors currently have access to our systems?
• What level of access does each vendor have?
• When was the last time we reviewed and removed unnecessary vendor access?
• Do our vendors follow basic security practices (MFA, patching, backups)?
• What happens if one of our vendors gets breached?

If you can’t answer these questions confidently, you have a vendor risk problem.

Real Examples of Vendor-Caused Breaches

Example 1: Target (2013 — Pattern Still Relevant Today)

• HVAC contractor’s credentials were compromised by attackers
• Attackers used contractor’s legitimate access to move laterally into Target’s network
• 40 million credit cards stolen from point-of-sale systems
• Lesson: Physical vendors (HVAC, security, maintenance) often have network access you don’t think about

Example 2: Accounting Firm Ransomware (2025)

• Small accounting firm got hit with ransomware
• Firm had admin access to 50+ client Microsoft 365 tenants for tax prep work
• Attackers used firm’s access credentials to deploy ransomware across all client organizations
• Dozens of businesses impacted by one vendor compromise

Example 3: Web Designer Credentials (Ongoing Pattern)

• Freelance web designer using weak password with no MFA
• Credentials stolen via phishing email
• Attackers used designer’s WordPress admin access to install malware on client websites
• Client websites then used to distribute malware to their customers

Example 4: Cloud Backup Vendor Breach

• Backup service provider’s admin portal compromised
• Attackers accessed customer backups stored in the service
• Customer data stolen directly from “secure” backups—ironically, the very thing meant to protect against data loss

The Pattern

You hardened your defenses, trained your staff, implemented MFA. But your vendor didn’t. Attacker compromises the vendor, then uses the vendor’s legitimate access to reach your systems and data.

The Types of Vendors That Pose the Biggest Risk

1. IT Service Providers and MSPs

What they access:

• Admin access to your entire IT infrastructure
• Can see all your data, email, files, systems
• Often have remote access 24/7
• Privileged credentials for critical systems

Risk level: Critical. If compromised, attacker has keys to your entire kingdom.

2. Accounting and Bookkeeping Firms

What they access:

• Financial systems, bank accounts, tax records
• Often have privileged access to QuickBooks, ERP systems, payroll
• Store copies of sensitive financial documents
• May have credentials to multiple financial platforms

Risk level: High. Financial data theft, fraud potential, ransomware target.

3. Web Developers and Digital Agencies

What they access:

• Admin access to websites and content management systems
• Hosting account credentials
• Database access (often containing customer data)
• Domain registrar accounts

Risk level: High. Website defacement, malware distribution, domain hijacking.

4. SaaS Vendors (Software Providers)

What they access:

• Your data stored in their cloud platform
• You’re trusting their security entirely
• Often have integration access to other systems

Risk level: Varies by data sensitivity. If they get breached, your data gets breached.

5. Physical Vendors With Network Access

What they access:

• HVAC, security systems, building management systems
• Often have remote access for monitoring and maintenance
• Network connections you may not actively monitor
• Sometimes shared credentials across multiple client sites

Risk level: Medium to high. Network access can be leveraged for lateral movement.

6. Payroll and HR Platforms

What they access:

• Employee SSNs, dates of birth, addresses
• Bank account details for direct deposit
• W-2 and tax information

Risk level: High. Prime target for identity theft and fraud.

The common thread: They all have access to your systems or store your data, and you often have limited visibility into their security practices.

How to Audit Your Current Vendor Access (Step-by-Step)

Step 1: Create a Vendor Inventory

Make a spreadsheet with these columns:

• Vendor name and primary contact
• What service they provide
• What systems or data they access
• What level of access they have (read-only, user, admin)
• When access was granted
• When access was last reviewed
• Risk level (high, medium, low)

Start with these categories:

• IT services and contractors
• Accounting and bookkeeping
• Web hosting, domains, website management
• Cloud software (Microsoft 365, Salesforce, QuickBooks Online, etc.)
• Payroll and HR platforms
• Physical vendors with network or remote access
• Marketing and advertising agencies
• Legal services
• Cloud backup and disaster recovery

Step 2: Review Actual Access in Each System

Don’t trust your list—verify what access actually exists in each system.

Microsoft 365:

• Azure AD → Users → External users (look for vendor accounts)
• Azure AD → Roles and administrators → check who has Global Admin, Exchange Admin, SharePoint Admin
• Review guest user access and permissions

QuickBooks/Accounting software:

• Company → Users → Manage Users
• Review permission levels for each user
• Check for inactive users who still have access

Website/Hosting:

• WordPress/CMS → Users → list all accounts with admin privileges
• Hosting control panel (cPanel, Plesk) → check user accounts
• Domain registrar → verify who has account access

Cloud platforms (if applicable):

• AWS/Azure → IAM users and service accounts
• Check for overly broad permissions (full admin when read-only would work)
• Review API keys and service accounts (often forgotten and never expire)

Step 3: Identify Unnecessary or Excessive Access

Look for:

• Former contractors who still have admin accounts months or years after project completion
• Vendors who completed one-time projects but still retain ongoing access
• Service accounts with broader permissions than actually needed
• Shared accounts (multiple people using one login—terrible security practice)
• Vendors with admin access when user-level would be sufficient

Step 4: Document Findings and Create Remediation Plan

Categorize findings:

• Remove immediately: Old contractor accounts, completed projects, unnecessary access
• Downgrade permissions: Admin → standard user where possible
• Requires vendor security review: High-risk vendors before continuing access
• Acceptable as-is: Current vendors with appropriate access levels

Questions to Ask Your Vendors (The Security Audit Conversation)

When onboarding a new vendor or reviewing existing high-risk vendors, ask these questions:

Basic Security Practices

1. Do you require multi-factor authentication (MFA) for all accounts?
2. How often do you patch and update your systems?
3. Do you have endpoint security (antivirus/EDR) on all employee devices?
4. How do you handle security training for your employees?

Data Handling

5. What data of ours will you have access to?
6. Where and how will you store our data?
7. How is our data encrypted (in transit and at rest)?
8. Do you share or sell our data to third parties?

Incident Response

9. Have you experienced a security incident or breach in the past 3 years?
10. Do you have a documented incident response plan?
11. How quickly will you notify us if you experience a breach?
12. Do you have cyber insurance?

Access Management

13. How do you manage access to customer systems?
14. Do you use dedicated accounts per customer or shared credentials?
15. How do you offboard employees who leave your company?

Compliance and Certifications

16. What security certifications do you have (SOC 2, ISO 27001, etc.)?
17. Will you sign a Business Associate Agreement (for HIPAA) if needed?
18. Can you provide proof of compliance or security posture documentation?

Red Flags to Watch For

• Vendor gets defensive or offended by basic security questions
• “We’ve never been breached” (everyone’s been breached or will be—what matters is response)
• Can’t answer basic questions about their security practices
• Refuses to provide any security documentation
• Insists on admin access when read-only or user-level would work
• Uses shared accounts across multiple clients
• No MFA available or “we’ll add it later”

If they’re offended by basic security questions in 2026, that tells you everything you need to know about their security maturity.

Simple Steps to Reduce Third-Party Risk (Without Becoming Paranoid)

Step 1: Principle of Least Privilege

Only grant vendors the minimum access they need to do their job—nothing more.

• Web designer needs to update content? Give them Editor role, not Admin.
• Bookkeeper needs to see financial reports? Give read-only access, not full QuickBooks admin.
• IT contractor needs to troubleshoot an issue? Grant temporary admin access, revoke when task is complete.

Step 2: Use Separate Vendor Accounts (No Shared Logins)

Each vendor should get their own account with their company email address:

• contractor@theircompany.com gets access to your systems
• NOT admin@yourcompany.com shared across multiple vendors

Benefits:

• Clear audit trail (who did what)
• Easy to revoke access when relationship ends
• No shared credential risk

Step 3: Implement Time-Limited Access

For project-based vendors (web designer, consultant, one-time contractor):

1. Grant access at project start
2. Set calendar reminder to review access 30 days after project completion
3. Revoke access if no longer actively needed
4. Can always re-grant if they need to come back

Don’t let temporary project access become permanent forgotten access.

Step 4: Require MFA for All Vendor Access

No exceptions. If a vendor can’t or won’t use multi-factor authentication, they shouldn’t have access to your systems in 2026.

Modern platforms support MFA enforcement:

• Microsoft 365 → Conditional Access policies (require MFA for all external users)
• Google Workspace → 2-Step Verification enforcement
• QuickBooks Online, Salesforce, and most SaaS platforms support MFA

Step 5: Review Vendor Access Quarterly

Set recurring calendar reminder every 3 months:

• Review vendor access list across all systems
• Remove inactive accounts
• Verify current vendors still need their current access level
• Document review completion

Takes 30-60 minutes per quarter. Small investment for significant risk reduction.

Step 6: Add Vendor Security Requirements to Contracts

Include basic security requirements in vendor service agreements:

• Vendor must use multi-factor authentication for all access
• Vendor must notify client within 24 hours of any security incident
• Vendor must maintain current security patches and updates
• Client reserves right to revoke access immediately for security violations
• Vendor must comply with client’s data handling and retention policies

Having it in the contract gives you leverage and sets expectations clearly.

Step 7: Monitor for Suspicious Activity

Watch for unusual vendor activity patterns:

• Vendor logging in from unexpected country or geographic location
• Vendor accessing systems outside their normal business hours
• Large data downloads or exports that seem unusual
• Changes to critical settings or permissions
• Failed login attempts (possible credential compromise)

Most platforms have audit logs. Review them occasionally, especially for high-risk vendors.

Step 8: Have a Vendor Offboarding Process

When ending a vendor relationship:

1. Revoke access to all systems immediately
2. Change any passwords the vendor knew
3. Remove their accounts from all platforms
4. Verify data deletion if they stored your data
5. Update vendor inventory spreadsheet
6. Document offboarding completion

Don’t let former vendors retain access indefinitely “just in case.”

The Realistic Approach: Security Without Paranoia

You Don’t Need To:

• Interrogate every vendor like they’re a criminal suspect
• Run full security audits on your local plumber who has no system access
• Spend hours every week on vendor risk management if you’re a 5-person company
• Refuse to work with any vendor who can’t produce SOC 2 certification

You Do Need To:

• Know which vendors currently have access to what systems
• Ask basic security questions for vendors with sensitive access
• Remove unnecessary access regularly
• Require MFA for anyone with admin privileges
• Have a process for granting and revoking access

Risk-Based Approach

High-risk vendors (IT services, accounting, payroll, SaaS platforms storing your data):

• Full security questionnaire
• Review security documentation and certifications
• Contract clauses about security requirements and breach notification
• Quarterly access reviews
• Active monitoring of their activity

Medium-risk vendors (web designer, marketing agency, consultants with limited system access):

• Basic security questions (MFA, patching, incident response capabilities)
• Least privilege access enforced
• Review access every 6 months
• Contract security clauses

Low-risk vendors (no system access, no access to sensitive data):

• Standard contract terms
• No special security requirements needed
• Focus your energy on higher-risk relationships

What to Do If a Vendor Gets Breached

When you learn a vendor was compromised, act quickly.

Immediate Actions (First 24 Hours)

1. Revoke vendor’s access to all your systems immediately (you can restore later if appropriate)
2. Change passwords that vendor knew or had access to
3. Review audit logs for vendor activity during the suspected breach timeframe
4. Check for unauthorized changes — new user accounts, settings modifications, large data exports
5. Alert your team to watch for suspicious activity

Investigation Phase (24-72 Hours)

6. Contact vendor: What happened? What data was accessed? What systems were compromised? What’s their remediation plan?
7. Review your own systems for signs of compromise or lateral movement
8. Determine data impact: Was your data accessed, copied, or modified?
9. Engage your IT provider or MSP for forensic review if needed

Remediation Phase (Ongoing)

10. Decide on relationship continuation: Can you trust their security going forward? What improvements are required?
11. If continuing relationship: What specific security improvements must be implemented before restoring access?
12. If terminating relationship: Complete offboarding process, find replacement vendor, migrate data
13. Document incident: What happened, what you did, lessons learned

Notification Obligations

14. Determine if you have legal notification obligations (HIPAA, state breach laws, contractual obligations)
15. Notify affected parties if your customer or employee data was impacted
16. Consult legal counsel if significant data exposure occurred

Vendor Risk Assessment: Questions to Ask Yourself

Before granting any vendor access, answer these questions:

1. Does this vendor really need access, or can we do this manually or internally?
2. What’s the minimum access level that works? (read-only, user, or admin?)
3. What data will they be able to see or access?
4. What’s the risk if this vendor gets compromised?
5. Have we asked basic security questions?
6. Will we remember to review or revoke this access later?
7. Is there a less risky alternative? (different tool, different approach?)

If you can’t confidently answer these questions, don’t grant access yet. Take time to think it through.

The Bottom Line

Third-party vendors caused 48% of data breaches last year—a 60% increase from the previous year. That trend is accelerating, not reversing.

Attackers understand that:

• Vendors have legitimate access to your systems
• Vendors often have weaker security than their clients
• Compromising one vendor can give access to dozens or hundreds of clients
• Vendor access often goes unmonitored and unreviewed for years

You can’t eliminate vendor risk (you need vendors to operate your business), but you can manage it effectively.

Basic Vendor Risk Management

1. Know which vendors have access to what systems
2. Grant minimum necessary access (least privilege)
3. Ask basic security questions for high-risk vendors
4. Require MFA for all admin access without exception
5. Review and remove unnecessary access quarterly
6. Have vendor onboarding and offboarding processes
7. Monitor for suspicious vendor activity

This isn’t paranoia or excessive overhead—it’s basic security hygiene in 2026 when nearly half of all breaches come through vendor relationships you thought you could trust.

Start with a vendor inventory. You can’t manage risk you don’t know exists.

Need Help Auditing Your Vendor Access and Third-Party Risk?

Figuring out which vendors have access to your systems, evaluating which vendors pose real security risk, implementing access controls without disrupting operations, and creating sustainable vendor risk management processes—that’s where most businesses get stuck.

At Castle Rock Sky, we help Denver metro businesses audit vendor access, implement practical third-party risk management, and reduce exposure to vendor-caused breaches without creating excessive overhead.

We can:

• Vendor access audit — comprehensive inventory of who has access to what across all your systems (Microsoft 365, QuickBooks, websites, cloud platforms, network access)
• Risk assessment — evaluate which vendors pose real security risk and prioritize remediation efforts
• Access remediation — clean up excessive permissions, remove inactive accounts, implement least privilege access controls
• Vendor security policies — develop practical, sustainable vendor onboarding, access management, and offboarding procedures
• MFA enforcement — implement multi-factor authentication requirements for all vendor access
• Ongoing monitoring — set up quarterly vendor access reviews, audit log monitoring, and alerts for suspicious activity
• Vendor questionnaires — provide templates and guidance for security discussions with high-risk vendors

Don’t wait until a vendor breach impacts your business. Nearly half of all breaches in 2026 started with a third party—make sure your vendors aren’t the weak link that compromises your security.

Schedule a vendor risk assessment