It wasn’t your system. It wasn’t your team. It was a long-standing supplier with legitimate access and a signed agreement. Yet somehow, your business is the one left to handle the fallout: breach notifications, regulatory scrutiny and a board demanding answers.
This is no longer hypothetical. The MOVEit supply chain breach in 2023 compromised over 2,000 organisations and impacted more than 60 million individuals, with downstream effects across finance, healthcare and public services. Most of those victims weren’t directly attacked; they were collateral damage.
And the pace isn’t slowing. Among UK organisations hit by cyber attacks in the past year, 40% reported experiencing incidents monthly. The threat landscape isn’t defined by who you are, but by who you’re connected to.
Despite this, many businesses continue to treat third-party vendors as if they exist outside the perimeter. Contracts are signed, due diligence is filed away, and responsibility is quietly handed off to procurement. That gap, between perceived control and actual exposure, is exactly where attackers operate.
In this article, we’ll explain why third party vendor risk management must be treated as a core security function, not a compliance formality. You’ll learn where assumptions break down, what enforceable vendor oversight looks like and how to close the gap between legal agreement and operational security, before trust becomes your next breach.
Many businesses still believe a signed contract or a security certificate is enough to protect them. That belief is costing them millions. High-profile breaches over the past two years have exposed one clear truth: vendors are often the weakest part of the security chain and trusting them blindly leaves the door wide open.
In the case of the MOVEit breach, attackers exploited a single vulnerability in Progress Software’s file transfer tool. The impact was immediate and widespread, compromising thousands of organisations and exposing sensitive data across financial services, healthcare and government agencies. Every one of those organisations had assumed the software was safe to use. It wasn’t.
The real risk comes from the gap between contract signing and real-world oversight. Too often, vendors are onboarded with a one-time risk assessment, followed by years of unchecked access. Businesses assume that compliance with ISO 27001 or Cyber Essentials means the vendor is secure, but these frameworks provide a baseline, not a guarantee.
As we mentioned in our article on Supply Chain Attacks, the most damaging supply chain attacks boil down to a simple miscalculation: businesses assumed their vendors were secure.
They weren’t. And that is the assumption that undermines every investment made in internal defences, because it ignores the interconnected nature of digital risk.
Third party vendor risk management must begin with the mindset that every external relationship is a potential point of failure. Otherwise, you are building your security strategy on someone else’s promises.
Most vendor assessments are designed to tick boxes, not to reduce risk. Today’s threat landscape demands more than a completed questionnaire or a copy of a compliance certificate. A modern approach to third party vendor risk management means treating supplier oversight as a living process - monitoring, re-evaluating and enforcing security in real time.
Static assessments fail to keep pace with evolving attack patterns or internal changes within the vendor. Continuous oversight is now essential. As Panorays puts it, “a one-time static assessment of third-party risk is no longer sufficient. Continuous risk monitoring is vital to identify and mitigate cybersecurity risks and maintain compliance”.
The first step is establishing a dynamic risk profile for each supplier. That means considering what systems or data they can access, what business functions they support, and whether they’ve suffered any past breaches. It also means assigning each vendor a risk tier - high, medium or low - based on impact. This helps focus resources where the risk is greatest. According to Mitratech, using third-party tiering helps businesses “minimise risks and enhance overall operational stability”.
A structured vendor risk assessment process helps standardise this across the organisation. This should be updated regularly and include key fields such as:
Templates can help simplify the process across departments. Zluri’s guidance notes that a well-designed assessment template “ensures a thorough evaluation process that helps mitigate potential threats and aligns with your organisation’s overall risk management goals”.
Risk assessments aren’t just a formality. They are the foundation of knowing where your exposure lies, which vendors require the most scrutiny and how to respond when something changes.
If your vendor agreements focus solely on pricing and service delivery, you’re missing the clauses that matter most. Contracts are often treated as a box-ticking exercise, but when a breach occurs, they become your first line of defence, or your biggest liability.
Too many contracts lack clear language around breach notification, security responsibilities or compliance expectations. As one CISO put it, “I’ve reviewed contracts with no language around incident response, breach notification, or security performance. That’s a liability. Every agreement should spell out expectations for cybersecurity, not just service delivery”.
The basics are often overlooked. Agreements should clearly define the time frame in which a vendor must report a breach, typically 24 to 72 hours.
They should include expectations around multi-factor authentication, encryption, access control and data segregation. If a vendor uses subcontractors, that must be disclosed, along with how those relationships are governed.
Security provisions also need to be non-negotiable. As the Federal Trade Commission advises, “include provisions for security in your vendor contracts, like a plan to evaluate and update security controls, since threats change”. These controls must be reviewed regularly, not assumed to remain effective over time.
The consequences of vague or missing clauses can be severe. In one recent case, a company was fined £1.6 million for failing to meet its regulatory obligations around third-party data handling, a direct result of insufficient contract language and oversight.
Vendor contracts should not be written for convenience. They should be written for accountability. If you can’t enforce the security terms in the agreement, they’re not protecting you - they’re protecting your supplier.
Most third-party risk failures don’t happen because businesses choose the wrong supplier. They happen because no one was actively monitoring what that supplier was doing after the contract was signed. Procurement may initiate the relationship, but they’re rarely equipped to manage evolving cyber threats.
John Bree, a recognised expert in third-party risk management, put it plainly: “Procurement cannot monitor all of the different relationships – it’s not effective. It should be the relationship owner, the one who owns the risk, who does that”.
Vendor oversight needs to shift from static checklists to live monitoring, which includes tracking security posture changes, breach alerts, threat intelligence and credential exposure events.
Many businesses now use risk-tiering models to guide this process. As Bitsight explains, thresholds can be set “for alerts when high-criticality third parties experience a drop of any kind”.
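The tiering described above (access, business function, breach history mapped to high, medium or low) and the tier-dependent alert thresholds just quoted can be combined in one small monitoring routine. The following is an added example, not Aztech IT’s or Bitsight’s tooling: the impact weights, tier cut-offs, alert thresholds, vendor names, posture scores and events are all this example’s own assumptions, chosen so that a high-criticality supplier alerts on any drop while lower tiers alert only on larger drops.

```python
"""Tiered vendor posture monitoring (added example; not the article's or any vendor's code).

Assumptions: the impact factors, weights, tier cut-offs and alert thresholds
below are this example's own and would need calibrating in a real programme.
Posture scores are 0-100 security-rating style numbers; all data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# How much the data a vendor can reach counts towards impact (assumed weights).
DATA_WEIGHT = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Minimum score drop (points) that raises an alert, per tier. High-criticality
# vendors alert on a drop of any kind; lower tiers tolerate small fluctuations.
DROP_THRESHOLD = {"high": 1, "medium": 10, "low": 20}

# External intelligence events that always raise an alert for high/medium tiers.
CRITICAL_EVENTS = {"breach_disclosed", "credential_exposure"}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_access: str          # one of the DATA_WEIGHT keys
    business_critical: bool   # supports a function the business cannot run without
    prior_breaches: int


def impact_score(v: Vendor) -> int:
    """Combine the three profile factors (data reach, function, history) into one number."""
    return (DATA_WEIGHT[v.data_access]
            + (2 if v.business_critical else 0)
            + min(v.prior_breaches, 2))   # cap so breach history alone cannot dominate


def risk_tier(v: Vendor) -> str:
    """Map the impact score to high / medium / low (cut-offs are assumed)."""
    s = impact_score(v)
    if s >= 4:
        return "high"
    if s >= 2:
        return "medium"
    return "low"


def posture_alerts(v: Vendor, scores: list[int], events: list[str]) -> list[str]:
    """Alerts for score drops beyond the tier threshold and for critical events.

    `scores` is ordered oldest to newest. Low-tier vendors only alert on large
    score drops; external events for them are left to periodic review.
    """
    tier = risk_tier(v)
    threshold = DROP_THRESHOLD[tier]
    alerts: list[str] = []
    for prev, curr in zip(scores, scores[1:]):
        drop = prev - curr
        if drop >= threshold:
            alerts.append(f"{v.name} [{tier}] posture dropped {drop} points ({prev}->{curr})")
    if tier in ("high", "medium"):
        for ev in events:
            if ev in CRITICAL_EVENTS:
                alerts.append(f"{v.name} [{tier}] event: {ev}")
    return alerts


# Constructed sample data for three hypothetical suppliers.
VENDORS = [
    Vendor("payroll-saas", "regulated", True, 1),        # expected tier: high
    Vendor("print-supplier", "internal", False, 0),      # expected tier: low
    Vendor("cloud-backup", "confidential", False, 1),    # expected tier: medium
]
SCORES = {
    "payroll-saas": [92, 91, 91, 85],    # two drops, both alert for a high-tier vendor
    "print-supplier": [70, 65, 60, 58],  # gradual slide, below the low-tier threshold
    "cloud-backup": [88, 76, 75],        # one 12-point drop crosses the medium threshold
}
EVENTS = {
    "payroll-saas": ["credential_exposure"],
    "print-supplier": ["breach_disclosed"],  # low tier: reviewed, not alerted
    "cloud-backup": [],
}


def run_monitoring() -> dict[str, list[str]]:
    """Evaluate every vendor once and return alerts keyed by vendor name."""
    return {v.name: posture_alerts(v, SCORES[v.name], EVENTS[v.name]) for v in VENDORS}


if __name__ == "__main__":
    for name, alerts in run_monitoring().items():
        print(name, "->", alerts or "no alerts")
```

The point of the structure is that the threshold is a property of the tier, not of the vendor: re-tiering a supplier after a scope change (for example, granting it access to regulated data) automatically tightens what counts as an alertable drop without anyone editing monitoring rules.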
But technology alone isn’t enough. It’s the visibility and responsiveness that make the difference. Aztech IT offers a variety of managed services that combine proactive risk assessments, tiered oversight and 24/7 threat monitoring, giving clients the ability to respond before attackers exploit the gap.
Third party risk management is not a procurement responsibility. It’s a business continuity function. And if no one is watching, you’re not managing risk, you’re accumulating it.
Not every vendor relationship is worth saving. If a supplier introduces repeated risk, ignores agreed security obligations or fails to respond during a critical incident, it’s time to act. Keeping a high-risk vendor in place doesn’t just create exposure; it shows regulators and stakeholders that you’re willing to accept it.
The consequences of inaction are real. According to a 2025 study, 47% of organisations that experienced a third-party breach ended the relationship with the supplier involved. Termination becomes the only viable option when vendors fail to cooperate, fall behind on patching or demonstrate consistent non-compliance.
Still, there are times when collaboration is possible, especially when the vendor plays a critical operational role. Panorays recommends engaging vendors to resolve issues early, noting that “it’s often more productive to collaborate on resolving issues, especially when the vendor plays a critical role in your operations”.
Mitigation strategies may include temporary access restrictions, segmented network environments or shifting permissions to read-only access while issues are being resolved. But these are short-term fixes, not long-term solutions.
Every business should have clear escalation thresholds:
If your vendor risk strategy doesn’t include an exit plan, it isn’t complete. The goal isn’t to offboard every supplier that stumbles, but to know when to stop taking chances.
Don't wait for a breach to take control of the situation.
Supply chain attacks aren’t rare, isolated or limited to large enterprises. They’re happening across every sector and every business size - and they’re accelerating. The question isn’t whether one of your vendors will be compromised. It’s whether you’ll know before the damage reaches you.
Third party vendor risk management isn’t just about ticking compliance boxes. It’s about protecting your business from failures you don’t directly control. Assumptions, static contracts and outdated assessment forms won’t hold up under pressure.
To take control, you need to:
Aztech IT helps businesses close these gaps with proactive risk assessments, contract alignment, real-time monitoring and expert-led response plans. If you’re relying on trust instead of evidence, or if your vendors haven’t been reassessed in the past 12 months, now is the time to act.
Book a consultation with Aztech IT today and start assessing your third party risks before trust becomes your weakest link.