The most significant cybersecurity incidents of the past several years have had one thing in common: they did not start with a direct attack on the organisation that suffered the damage. They started with a supplier. SolarWinds. Kaseya. The Log4Shell vulnerability exploited through third-party components. MOVEit. The pattern is consistent and the lesson is clear: your attack surface includes every supplier with a connection to your systems, every software component in your technology stack, and every third party that handles your data.

Most organisations manage IT security as if their perimeter is the boundary of their direct control. It is not. Your security is only as strong as the weakest supplier with access to your environment.

The Scale of the Problem

Modern technology environments are built on layers of third-party dependency. The average enterprise uses hundreds of SaaS applications, many of which have access to corporate data. Managed service providers have privileged access to infrastructure. Software development relies on hundreds of open-source components and third-party libraries. Cloud providers host data and workloads. Each of these relationships creates a potential attack vector.

GDPR made third-party risk a compliance obligation for data processing relationships — controllers must ensure that processors have adequate technical and organisational security measures in place, and must have data processing agreements in place that specify security requirements. But third-party risk extends well beyond GDPR-regulated data processing. Any supplier with access to your systems, data, or infrastructure represents a risk that your IT GRC programme must address.

What Third-Party Risk Management Actually Requires

A functional third-party risk management programme involves four activities:

Supplier inventory and tiering. You cannot manage risks you have not identified. A third-party risk programme starts with a complete inventory of suppliers with IT-relevant relationships — including SaaS applications, managed service providers, cloud providers, software vendors, and any supplier with access to your data. Tiering assigns each supplier to a risk category based on the nature and extent of the access or processing relationship, driving proportionate due diligence.

Due diligence at onboarding. Before a new supplier relationship is established — or before an existing relationship is expanded — due diligence appropriate to the risk tier should be conducted. For high-risk suppliers (those with privileged access or significant data processing), this means reviewing security certifications, assessing their security controls, and establishing contractual security requirements. For lower-risk suppliers, lighter-touch questionnaire-based assessment may be appropriate.

Ongoing monitoring. Third-party risk is not static. A supplier that had a strong security posture at onboarding may experience deterioration — a security incident, a failed certification audit, a significant change in their technology environment. Ongoing monitoring — at minimum, annual reassessment of high-risk suppliers — maintains visibility of changing risk profiles.

Contractual protections. Contractual requirements do not eliminate third-party risk, but they establish clear expectations and provide remedies if those expectations are not met. Security requirements in supplier contracts should cover: notification obligations in the event of a security incident, right to audit or assess security controls, requirements to maintain relevant certifications, and requirements to notify of significant changes to their security posture.

At Bitsecura, we design and implement third-party risk management programmes as part of broader IT GRC engagements. If third-party risk is a gap in your governance programme — and it is for most organisations — we can help you build a process that is proportionate to your supplier landscape and actually manages the risk. Talk to us here.


Bitsecura provides IT GRC programme design and implementation services. Learn more about our IT GRC services.