
How Attackers Use Third Parties and Vendors

The company that paints your office also has access to your network.

Last updated: March 20, 2026

In 2013, Target's HVAC vendor had credentials stolen. That vendor connected to Target's network for electronic billing. Attackers used those credentials to get into the vendor's system, then walked through into Target's network. From there, they found the POS systems, installed malware, and walked out with 40 million credit card numbers.

Target spent $202 million in settlements and aftermath costs. The HVAC vendor is still in business.

Your business isn't Target. But you probably have vendors with access to your systems right now—your accounting software, your point-of-sale provider, the company that manages your phones, the IT vendor with remote access to your network. Each one is a potential entry point.

Why vendors are a target

Attackers have gotten wise to a simple truth: the big company has good security, but the small vendor they trust doesn't. You might have excellent passwords, MFA on everything, and locked-down systems. But the company that does your quarterly payroll taxes? The local IT firm that manages your network? The restaurant supply company you order from weekly?

They might have one password for everything, no MFA, and a Windows 7 machine still running somewhere in the back office.

When attackers want to get into a business, they often go through vendors because:

  • Vendors have legitimate access to customer systems
  • Vendor security is often weaker than enterprise targets
  • One vendor compromise can lead to dozens of customer compromises
  • SMBs often trust vendors more than they'd trust a random email

What can go wrong

The IT vendor backdoor: Your IT company has remote access to your network to manage updates and support. If their systems get compromised, attackers can walk through that connection into your network. This happened to hundreds of MSP clients in the Kaseya ransomware attack in 2021.

The software vendor breach: The scheduling app you use for customer appointments gets breached. Your customer names, emails, and appointment history are exposed. Your customers get phishing emails a month later that reference their appointments.

The payment processor incident: A vendor processing your credit card payments gets breached. Card numbers may be exposed. You're now dealing with PCI-DSS compliance issues and potential liability.

The phishing vendor list: Attackers compromise one vendor and get their entire customer list. Now they send targeted phishing emails to all of your customers, impersonating your business, because they know what services you use.

The supply chain compromise: Attackers compromise a software vendor and push malicious updates to all their customers. This is what happened with SolarWinds—thousands of companies got backdoored through a single software update.

What it costs

  • Incident response for a breach that came in through a vendor: $10,000 to $100,000 depending on scope and regulatory requirements
  • Notification costs: If your customer data is involved, $10-$50 per record for breach notification letters
  • Business interruption: If a vendor you depend on goes down or locks you out during their incident, you're without service for days or weeks
  • Regulatory fines: Industries like healthcare, finance, and retail face specific requirements for vendor security
  • Reputational damage: "We were breached through our vendor" is a rough message to send customers

Vendor questions (copy/paste)

"What security controls do you have in place to protect access to our data and systems? Do you use MFA? What's your password policy?"

"Do you have a documented security incident response plan, and have you tested it? What would you do if you got breached?"

"Can we talk to your last three customers about their experience with your security and any incidents?"

"What access do you need to our systems, and why? How do you control who on your team has access to our data?"

"How quickly would you notify us if you had a security breach that involved our data?"

"Do you have cyber insurance? What coverage do you carry?"

"What happens to our data if you go out of business or we terminate the relationship? Do you have a data destruction process?"

Minimum viable implementation

  1. Inventory your vendors and their access. Make a list: who has what kind of access to your systems, your data, your network? Include accounting software, payroll providers, IT support, POS systems, phone systems, and anyone who connects remotely.

  2. Ask the security questions above. You don't need a formal audit for most vendors—just ask. If they can't answer basic questions about their security practices, that's information.

  3. Require MFA for vendor access to your systems whenever possible. If your IT vendor is connecting to your network, they should be using MFA on their end too.

  4. Limit vendor access to only what's necessary. Does the company doing your website updates really need access to your accounting system? Probably not.

  5. Review vendor access quarterly. Who still needs access? Who left? Remove old accounts and connections when projects end.

  6. Know your vendor's incident response process. If they get breached, how will you find out? What will they do? Do they even have a plan?

  7. Have a backup plan for critical vendors. If your point-of-sale vendor goes down, can you still operate? If your IT vendor gets ransomware, how do you recover?
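Steps 1, 3, 4 and 5 above boil down to one recurring exercise: compare what each vendor can actually reach against what their job justifies, and flag anything stale, over-broad, unprotected or left over from an ended contract. The script below is an added example of that quarterly review, not code from the original article; the vendor names, systems, the 90-day staleness threshold and the inventory format are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=90)  # assumed threshold: one quarter without use

@dataclass
class Grant:
    """One vendor account or connection into one of your systems."""
    vendor: str
    system: str
    mfa_enforced: bool
    last_used: Optional[date]     # None means the account has never signed in
    contract_end: Optional[date]  # None means an open-ended relationship

def review_vendor_access(grants, approved_scope, today):
    """Return (vendor, system, action) findings for a quarterly access review.

    approved_scope maps each vendor to the systems its documented purpose
    justifies (your step-1 inventory); any grant outside that set is flagged.
    """
    findings = []
    for g in grants:
        if g.contract_end is not None and g.contract_end < today:
            findings.append((g.vendor, g.system, "REMOVE: contract ended, access still active"))
        elif g.system not in approved_scope.get(g.vendor, set()):
            findings.append((g.vendor, g.system, "REDUCE: access beyond documented need"))
        if not g.mfa_enforced:
            findings.append((g.vendor, g.system, "ENFORCE_MFA: vendor account has no MFA"))
        if g.last_used is None or today - g.last_used > STALE_AFTER:
            findings.append((g.vendor, g.system, "STALE: unused for over 90 days, confirm still needed"))
    return findings

# Constructed sample inventory; vendors and systems are made up for the example.
SAMPLE_GRANTS = [
    Grant("WebWorks", "cms", True, date(2026, 3, 10), None),
    Grant("WebWorks", "accounting", True, date(2026, 1, 5), None),          # web firm in accounting
    Grant("PayrollCo", "accounting", False, date(2026, 3, 1), None),        # no MFA
    Grant("OldITFirm", "vpn", True, date(2025, 9, 2), date(2025, 12, 31)),  # contract ended
    Grant("POSVendor", "pos", True, None, None),                            # never signed in
]
SAMPLE_SCOPE = {"WebWorks": {"cms"}, "PayrollCo": {"accounting"},
                "OldITFirm": {"vpn"}, "POSVendor": {"pos"}}

def sample_review(today=date(2026, 3, 20)):
    """Run the review over the constructed inventory as of a fixed date."""
    return review_vendor_access(SAMPLE_GRANTS, SAMPLE_SCOPE, today)

if __name__ == "__main__":
    for vendor, system, action in sample_review():
        print(f"{vendor:<10} {system:<11} {action}")
```

Feed it your real inventory and run it every quarter; every line of output is either an account to remove, a scope to narrow, an MFA conversation to have with the vendor, or a question about whether the access is still needed.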

When to hire help

Call someone today if:

  • One of your vendors just announced a breach and you don't know what data of yours might be involved
  • A vendor contacted you saying they need remote access to your systems urgently and it feels wrong

Call someone this week if:

  • You need help inventorying vendor access and understanding what each vendor can actually reach
  • You want to draft vendor security requirements for new contracts
  • You need a process for offboarding vendors and removing their access when relationships end

You can probably handle it yourself if:

  • You have a small number of vendors and know what access each one has
  • You're comfortable asking vendors basic security questions before signing contracts
  • You already have a process for removing access when vendors leave

Your security is only as good as your least-secure vendor. You don't need to audit everyone, but you need to know who has access to what and have a plan when something goes wrong.
