
Understanding Third-Party Cybersecurity Risks: A growing threat

Date: June 3, 2025

In today's highly interconnected digital world, organisations frequently rely on external partners—such as vendors, suppliers, contractors, and service providers—to deliver essential services and software. While this interconnectedness significantly boosts efficiency and innovation, it also exposes companies to substantial cybersecurity risks that originate beyond their direct control. These third-party cybersecurity risks are among the most critical and rapidly evolving concerns in the modern threat landscape.

What Are Third-Party Cybersecurity Risks?

Third-party cybersecurity risks refer to potential security vulnerabilities that arise from an organisation's external partners. These third parties often require access to your sensitive systems or data. Consequently, any security breach or weakness on their end can create a direct pathway for attackers to infiltrate your own organisation.


Common examples of how these risks manifest include:

  • Software Supply Chain Attacks: Where attackers compromise software updates or components provided by a third party (e.g., the SolarWinds attack).
  • Data Breaches via Vendors: Occurring when a vendor with inadequate security protocols experiences a breach, leading to the exposure of your data.
  • Credential Theft: Attackers gaining access to your systems through compromised credentials stolen from third-party portals or systems.
  • Phishing and Social Engineering: Attacks specifically targeting third-party relationships to trick employees or gain unauthorised access.

Key Sources of Third-Party Risk

Understanding where these risks come from is crucial for effective management:

  1. Lack of Visibility and Control: Organisations often have limited insight into the actual cybersecurity practices of their third-party partners. This makes it challenging to enforce consistent security standards or monitor compliance effectively.
  2. Insufficient Vetting and Due Diligence: Rushed partnerships or incomplete security assessments can lead to working with vendors who have weak, outdated, or non-compliant security measures.
  3. Overly Permissive Access: Third parties sometimes receive more access to internal systems and data than is strictly necessary for their role. This significantly increases the potential damage if their credentials are compromised.
  4. Inconsistent Security Standards: Different organisations may adhere to varying cybersecurity frameworks and levels of maturity. This can lead to gaps in overall protection and communication breakdowns when security incidents occur.


High-Profile Examples of Third-Party Breaches

Recent incidents highlight the widespread impact of third-party cybersecurity risks:

  1. Marks & Spencer (M&S) Cyberattack (April 2025): M&S suffered a cyberattack attributed to the "Scattered Spider" group. The attackers exploited social engineering tactics through a third-party supplier, resulting in the theft of customer information and significant operational disruptions. The incident reportedly led to an estimated £300 million profit loss and a £750 million drop in market value.
  2. Co-op Supermarket Breach (Recent): Co-op experienced a cyberattack that disrupted operations for two weeks. The attack impacted stock levels, customer data, and payment systems, including taking contactless payments offline in nearly 10% of stores. This breach was linked to vulnerabilities in third-party systems.
  3. British Library Ransomware Attack (October 2023): The British Library was targeted by the Rhysida ransomware group. Access was likely gained through compromised credentials of third-party contractors. Approximately 600GB of data was stolen and leaked online, leading to extensive service disruptions and recovery costs estimated at £6–7 million.
  4. Ministry of Defence (MoD) Data Breach (May 2024): The MoD's payroll system, managed by an external contractor, was hacked. This breach exposed names and bank details of armed forces personnel, starkly highlighting the risks associated with outsourcing critical services.
  5. Transport for London (TfL) Cybersecurity Incident (September 2024): TfL reported a cybersecurity incident that exposed personal and financial data of approximately 5,000 customers. The breach was linked to vulnerabilities in systems handling Oyster refund data, underscoring the importance of securing all third-party systems.

Mitigating Third-Party Cybersecurity Risks

Organisations can take several proactive steps to effectively manage and reduce third-party risks:

  1. Comprehensive Vendor Risk Assessments: Conduct thorough evaluations of potential third-party providers before onboarding them. This should include assessing their security posture, compliance certifications, and incident response capabilities.
  2. Strong Contractual Security Requirements: Include specific, clear security expectations, detailed breach notification timelines, and compliance obligations directly within all contracts with third parties.
  3. Principle of Least Privilege Access: Strictly limit third-party access only to the specific data and systems absolutely necessary for them to perform their role. Regularly review and revoke access when no longer needed.
  4. Continuous Monitoring: Implement tools and practices for ongoing oversight of third-party activities. This includes real-time monitoring for unusual behaviour, security alerts, and compliance deviations.
  5. Integrated Incident Response: Ensure that third parties are fully integrated into your organisation's incident response plans and communication protocols. Establish clear roles and responsibilities for managing a breach involving a third party.
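Items 3 and 4 above (least-privilege access, revoking access when no longer needed, and continuous monitoring of third-party activity) can be turned into a concrete, repeatable check. The following is an added example written for this article, not code from Projective Group or from any of the organisations named above. It assumes a hypothetical vendor register (account, agreed system scope, contract end date, expected activity window) and a simple constructed log format of `<timestamp> <account> <system> <action>`; all account, vendor and system names are invented.

```python
"""Vendor-access review over constructed sample logs.

Added example, not part of the original article. The vendor register, the
log format and every account/system name below are hypothetical.
Three controls from the article are checked per log line:
  - least privilege: the system touched must be inside the agreed scope
  - revocation: the vendor's contract must not have ended
  - monitoring: activity should fall inside the expected time window
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class VendorGrant:
    account: str               # service account the vendor signs in with
    vendor: str
    allowed_systems: frozenset  # least-privilege scope agreed in the contract
    contract_end: date         # access should be revoked after this date
    active_hours: tuple = (7, 19)  # expected activity window, UTC hours [start, end)


# Constructed vendor register (hypothetical values).
GRANTS = {
    "svc-payroll-vendor": VendorGrant(
        "svc-payroll-vendor", "PayrollCo",
        frozenset({"payroll-db", "hr-portal"}), date(2025, 12, 31)),
    "svc-refunds-vendor": VendorGrant(
        "svc-refunds-vendor", "RefundsLtd",
        frozenset({"refund-api"}), date(2025, 1, 31)),
}

# Constructed sample log lines: "<ISO timestamp> <account> <system> <action>".
SAMPLE_LOGS = """\
2025-06-02T09:15:00 svc-payroll-vendor payroll-db read
2025-06-02T23:40:00 svc-payroll-vendor payroll-db export
2025-06-02T10:02:00 svc-payroll-vendor finance-ledger read
2025-06-02T11:30:00 svc-refunds-vendor refund-api read
2025-06-02T12:00:00 svc-unknown-bot refund-api read
"""

# Date on which the review is run (constructed).
REVIEW_DATE = date(2025, 6, 3)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into (timestamp, account, system, action)."""
    ts, account, system, action = line.split()
    return datetime.fromisoformat(ts), account, system, action


def review_access(log_text: str, grants: dict, today: date) -> list:
    """Return one Finding per control violated by each log line."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, account, system, _action = parse_line(raw)
        grant = grants.get(account)
        if grant is None:
            # Unknown third-party account: nobody approved this access.
            findings.append(Finding(raw, "account not in vendor register"))
            continue
        if today > grant.contract_end:
            findings.append(Finding(
                raw, f"contract with {grant.vendor} ended "
                     f"{grant.contract_end}; access not revoked"))
        if system not in grant.allowed_systems:
            findings.append(Finding(
                raw, f"{system} outside least-privilege scope for {grant.vendor}"))
        start, end = grant.active_hours
        if not (start <= ts.hour < end):
            findings.append(Finding(
                raw, f"activity at {ts.hour:02d}:00 UTC outside expected window"))
    return findings


def stale_grants(grants: dict, today: date) -> list:
    """Periodic access review: accounts whose contract has ended but still exist."""
    return sorted(acct for acct, g in grants.items() if today > g.contract_end)


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOGS, GRANTS, REVIEW_DATE):
        print(f"{f.reason:60s} <- {f.line}")
    print("grants to revoke:", stale_grants(GRANTS, REVIEW_DATE))
```

Run against the constructed logs, the script flags an out-of-hours export, a system outside the agreed scope, activity from a vendor whose contract ended months earlier, and an account that was never registered at all; the last two are the "revoke when no longer needed" and "visibility" failures the article describes. In practice the register would be fed from the contract or procurement system and the log lines from the identity provider or VPN gateway, but the logic stays the same.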

Conclusion

Third-party cybersecurity risks are an unavoidable reality in modern business ecosystems. As cyber threats become increasingly sophisticated, organisations must move beyond one-time assessments and adopt a proactive, continuous, and lifecycle-based approach to third-party risk management. By doing so, they can significantly better protect their systems, data, and reputation from vulnerabilities that lie outside their direct control.


About Projective Group

Established in 2006, Projective Group is a leading Financial Services change specialist.

We are recognised within the industry as a complete solutions provider, partnering with clients in Financial Services to provide resolutions that are both holistic and pragmatic. We have evolved to become a trusted partner for companies that want to thrive and prosper in an ever-changing Financial Services landscape.