
Third-Party Risk: Why Your Vendors Could Be Your Biggest Security Blind Spot

You can do everything right internally and still suffer a major breach — because a vendor you trust gets compromised. Here's how to manage the risk you can't see.

Kapacyber

Security Research Team

The Lesson From CDK Global

In June 2024, BlackSuit ransomware hit CDK Global — the software company that powers the dealer management systems (DMS) for roughly 15,000 auto dealerships across North America. CDK went dark. Dealerships that had done nothing wrong, had nothing to do with the attack, and had no ability to prevent it, suddenly couldn't process sales, access inventory, run payroll, or serve customers — for two to three weeks.

This is third-party risk in its most visible form. CDK was a critical vendor. The dealerships trusted it. When CDK failed, the failure cascaded to every customer downstream.

The CDK attack is not an outlier. Supply chain and third-party attacks have become one of the most common attack patterns because they offer attackers an efficient path: compromise one vendor, access thousands of victims. Industry reports consistently place supply chain attacks among the fastest-growing threat categories.

Why SMBs Underestimate This Risk

Small businesses typically focus on their own security — firewalls, antivirus, password policies — and assume that vendors are handling their own side. In reality:

  • Most vendors have access to your systems, your data, or both
  • Your contracts rarely specify security requirements
  • You rarely know who your vendors sub-contract to
  • You have no visibility into a vendor's actual security posture

Every SaaS tool you use, every IT provider with remote access credentials, every payroll processor that handles your employee data — each one is a potential entry point into your business.

The Regulatory Angle

Third-party risk management isn't just good practice — it's increasingly a compliance requirement. The FTC Safeguards Rule requires auto dealers to assess and oversee service provider arrangements. The NAIC Model Law for insurance agencies requires written vendor contracts with security minimums and vendor due diligence. Even GLBA has vendor oversight requirements built in.

If you're audited after a breach and can't show that you assessed your vendors' security practices, that gap will be used against you.

Building a Vendor Risk Tier System

You can't apply the same scrutiny to every vendor — that's impractical. Instead, tier your vendors by the risk they represent and apply controls proportionate to that tier.

Critical Risk

Who fits here: Has direct access to your systems, stores your customer data, or is required for daily operations.

Examples: IT provider, payroll processor, accounting software, CRM, email provider

What to do: Annual security questionnaire, review their SOC 2 / security certifications, written contract with security requirements, right-to-audit clause.

High Risk

Who fits here: Has limited system access or stores non-critical business data.

Examples: Marketing platform, project management tools, video conferencing, cloud storage

What to do: Review their security practices during onboarding, confirm MFA is available and enabled, check breach history.

Low Risk

Who fits here: No system access, no sensitive data, easily replaceable.

Examples: Website hosting (static), event registration tools, scheduling apps with no data integration

What to do: Basic due diligence at onboarding. Review if they request expanded access or handle new data types.

Eight Questions to Ask Any Critical Vendor

When onboarding a critical vendor — or reviewing an existing one — ask these questions. You don't need a formal security questionnaire for smaller vendors; a conversation or a brief email is fine. What matters is that you're asking, documenting the answers, and factoring them into your decision.

Vendor Due Diligence Questions

  1. Do you have a SOC 2 Type II report? Can we see it?
  2. How do you encrypt data at rest and in transit?
  3. What is your incident notification process if you suffer a breach?
  4. Do you require MFA for all staff with access to client data?
  5. How do you manage and vet your own subcontractors?
  6. What is your business continuity plan? How long is typical recovery?
  7. Have you experienced any data breaches in the past 3 years?
  8. Do you have cyber insurance? What coverage limits?

What to Put in Vendor Contracts

For critical vendors, your contract should include security-specific language. At minimum:

  • Security minimums: encryption, MFA, access controls as a contractual requirement
  • Breach notification: vendor must notify you within 24–72 hours of discovering a breach affecting your data
  • Right to audit: you reserve the right to request evidence of security controls
  • Data handling: what data they can access, how long they retain it, how they dispose of it
  • Subcontractor requirements: they must apply equivalent security requirements to anyone they subcontract to

Most small vendors won't push back on these — they've seen them before from larger clients. If a vendor refuses to include basic security language in your agreement, that's a warning sign worth taking seriously.

The Ongoing Work: Monitoring

Vendor risk management isn't a one-time exercise. Vendors change — they get acquired, their security posture shifts, they bring on new subcontractors. At minimum, review your critical vendors annually:

  • Did they have any reported breaches or security incidents?
  • Has their service scope changed — are they now touching more of your data?
  • Is their security certification (SOC 2, ISO 27001) still current?
  • Have their security practices kept up with current threats?

The Bottom Line

Your security posture is only as strong as your weakest vendor. The CDK attack proved that at massive scale, but the same dynamic plays out quietly every week when small businesses suffer breaches through compromised IT providers, payroll systems, and cloud tools.

You can't eliminate third-party risk — but you can manage it. Tier your vendors, ask the right questions, put security requirements in contracts, and review annually. That's what regulators look for, and more importantly, that's what actually reduces your exposure.


Watch for fourth-party risk

Your vendor's vendors are your problem too. When you ask a critical vendor about their subcontractors, you're assessing fourth-party risk — the suppliers behind your supplier. CDK itself relied on third-party infrastructure that became the attack surface. Always ask vendors how they vet their own supply chain.
