NIS 2

Third-Party Risk Management: Why Your Vendors Are Your Biggest Cyber Threat

5 November 2025 8 min read
Abstract visualisation of interconnected vendor networks representing third-party cyber risk in a supply chain

The Trojan Horse Already Inside Your Network

Third-party risk management remains the overlooked danger for most organisations. They invest heavily in firewalls and internal defences, but the biggest threats often come from the vendors, contractors, and partners they have already let in.

These suppliers do not need to break through your security perimeter — you have already given them access. Today, your organisation is embedded in a complex web of third-party relationships, and your security is only as strong as theirs. Your network boundary is no longer just your own infrastructure; it is the combined security posture of your entire supply chain.

Attackers know this. It is far easier to compromise a smaller, less-secure partner than to attack a well-defended target directly. The SolarWinds attack demonstrated this at scale, but the problem is accelerating. Vendor-related breaches nearly doubled in 2025, now accounting for 30% of all incidents. Granting vendors access without strong oversight is equivalent to handing them a key to your front door.

Critical Question: If your most essential supplier went offline tomorrow due to a breach, would your business still be standing?

2025 Supply Chain Attacks: Four Key Lessons

1. Jaguar Land Rover — Vendor Credentials That Halted Production

In 2025, JLR suffered a major cyberattack that forced production shutdowns across its UK and global factories. The attackers did not breach JLR directly — they used compromised credentials from a third-party contractor: specifically Jira and VPN access that had not been removed during vendor offboarding.

Once inside, the attackers moved laterally from IT systems into JLR’s Operational Technology (OT) and manufacturing systems, halting production lines. Some of the compromised credentials dated back to 2021 and had never been deprovisioned.

Critical Failures:

  • Stale credentials: Vendor accounts from 2021 remained active in 2025.
  • Lack of segmentation: IT and OT networks were interconnected, allowing lateral movement from vendor access points into production control systems.
  • Inadequate access reviews: Vendor accounts had not been included in regular review cycles.
  • Supply chain cascade: The shutdown impacted thousands of tier-1 and tier-2 suppliers, causing widespread economic damage.

Key Actions: Audit and immediately revoke all legacy vendor accounts. Enforce least-privilege and time-limited access. Segment vendor networks from production systems.

2. Air France–KLM — The “Low-Risk” Vendor That Opened the Door

In July 2025, Air France and KLM disclosed a data breach via a third-party contact centre platform. Attackers accessed customer names, contact details, and loyalty programme membership information.

While passport numbers and payment cards were not compromised, the stolen data provided everything needed to launch convincing targeted phishing campaigns — names, email addresses, and membership status created a perfect social engineering profile.

Key Lesson: Even seemingly non-critical vendors can pose critical risk. Any vendor with customer-facing access — even for data classified as low-sensitivity — creates reputational risk and enables secondary attacks. Risk classification cannot be based solely on data sensitivity.

3. Marks & Spencer — The £300 Million Help Desk Incident

In April 2025, M&S experienced a significant cyber incident traced to a third-party IT help-desk provider. The breach disrupted online orders, contactless payments, and supply-chain fulfilment, resulting in an estimated £300 million profit impact.

Outsourced IT service providers often hold privileged credentials across multiple critical systems in order to perform their support functions, making them highly attractive targets for attackers seeking broad access to an organisation’s environment.

Key Lesson: Outsourced providers often hold the “keys to the kingdom.” Enforce privileged-access reviews, strong MFA, and contractual accountability for all third-party providers with elevated access rights.

4. Volvo Group HR Vendor — The Multiplier Effect

In August 2025, an HR services vendor serving Volvo Group and approximately 200 Swedish municipalities was hit with ransomware. This single breach exposed approximately 870,000 employee records across 25 private companies and 200 municipalities simultaneously.

When one vendor serves hundreds of clients, compromising that vendor becomes a force multiplier. A single successful breach cascades into hundreds of victim organisations.

Key Lesson: Vendor concentration risk is tangible. Organisations must map not only their direct (tier-1) suppliers but also their tier-2 and tier-3 dependencies, particularly where shared service providers are involved.

The Numbers Don’t Lie: Supply Chain Risk Is Accelerating

The four cases above are not anomalies — they reflect a structural shift in how attackers target organisations. The data across multiple 2025 industry reports tells a consistent story.

100%
Increase in supply chain attacks since April 2025, averaging 25 incidents per month vs. 13 in early 2024 (Cyble)
30–35%
Of all data breaches now involve third-party participation, up from 29% in 2023 (Verizon DBIR 2025)
$4.91M
Average cost of a supply chain breach — the second-costliest attack category (IBM Cost of a Data Breach 2025)
45%
Of organisations forecast to experience a supply chain breach by end of 2025 — a 3× increase from 2021 (Gartner)

There is also a striking compliance gap: 95% of organisations reported red flags related to third-party vendors in the past year, yet only half escalated those concerns to their compliance teams.

Building a Resilient TPRM Programme

An effective third-party risk management framework weaves governance, technical controls, and continuous assurance together. The five core pillars are as follows.

1. Vendor Selection and Due Diligence

Before onboarding any supplier, conduct a security assessment proportionate to their potential impact. Review certifications (ISO 27001, SOC 2), assess their incident history, and evaluate their own third-party dependencies — including tier-2 and tier-3 exposure.

Classify vendors by criticality based on data access, system access, and business impact. Apply proportional due diligence to each tier. Do not assume low-value vendors are low-risk; assess the breadth of access they require and the downstream consequences if that access is compromised.

2. Contractual Controls and SLAs

Contracts with critical vendors should include:

  • Minimum security controls — encryption standards, MFA requirements, patching cadence.
  • Audit rights — the right to assess vendor security controls and compliance posture.
  • Incident notification — a mandatory reporting window for security incidents (24–72 hours is the accepted standard).
  • Sub-contractor obligations — vendors must cascade security requirements to their own suppliers.
  • Right to terminate — breach-triggered termination clauses.
  • Insurance requirements — appropriate cyber liability coverage.

Service Level Agreements should define uptime requirements, recovery time objectives (RTOs), and recovery point objectives (RPOs) for critical functions.

3. Access Control and Least Privilege

Grant vendors only the minimum access required for their specific function, and enforce time-bound accounts with defined expiration dates. All vendor access should require multi-factor authentication, and activity should be logged and monitored continuously.

Segment vendor networks from production environments wherever possible — the JLR incident was enabled precisely by the absence of this boundary. Conduct quarterly access reviews for high-risk vendors and deprovision accounts immediately upon contract termination or personnel change.

4. Continuous Monitoring and Reassessment

Third-party risk is not a point-in-time activity. Track vendor security posture on an ongoing basis: monitor for breach disclosures, review sub-processor changes, and use threat intelligence platforms to identify compromised vendor credentials before they are exploited.

Conduct annual comprehensive reviews for critical vendors, with quarterly reviews for high-risk tier-1 suppliers. Where appropriate, commission independent penetration testing or review independent audit reports (SOC 2 Type II reports, ISO certification scope statements).

5. Incident Response and Business Continuity

Develop specific incident response playbooks for vendor breach scenarios. Include suppliers in tabletop exercises and drills so that escalation paths and communication protocols are tested before they are needed under pressure.

Map critical vendor dependencies as part of your business continuity and disaster recovery planning. Identify single points of failure, develop contingency options for critical functions, and maintain offline backups that do not depend on vendor availability.

Alignment with Regulatory Frameworks

ISO 27001:2022

ISO/IEC 27001:2022 introduced dedicated controls for supplier security in Annex A:

  • A.5.19 — Information Security in Supplier Relationships
  • A.5.20 — Addressing Information Security within Supplier Agreements
  • A.5.21 — Managing Information Security in the ICT Supply Chain
  • A.8.30 — Security requirements for outsourced functions, including controls and monitoring

NIS 2 Directive

The NIS 2 Directive makes supply chain security a formal obligation for essential and important entities. Organisations in scope must implement security measures that explicitly address supply chain vulnerabilities, include third-party risk in their mandatory cybersecurity risk assessments, and report incidents that originate from or affect their supply chain.

NIS 2 significantly expands the scope of organisations required to implement these controls, covering critical infrastructure, digital services, manufacturing, and many other sectors.

DORA

The Digital Operational Resilience Act imposes the most comprehensive third-party ICT risk requirements currently in force globally. Financial entities must maintain a register of all ICT third-party service providers classified by criticality, meet detailed contractual requirements for those providers, and develop explicit exit strategies for critical third-party relationships. Regulators will directly supervise critical ICT third-party providers.

Conclusion: You Cannot Outsource the Risk

Third-party risk is no longer a peripheral concern — it is central to your organisation’s operational survival. The 2025 case studies make the stakes clear: a single weak link in your supply chain can cause devastating operational, financial, and reputational damage.

Effective TPRM requires more than an annual questionnaire and a contract clause. It demands a risk-tiered, continuously monitored programme aligned with the regulatory frameworks your organisation operates under. The organisations that treat vendor security as a continuous operational discipline — rather than a periodic compliance exercise — are the ones that avoid becoming the next case study.

Need help with NIS 2?

Talk to one of our experts about your situation. We'll give you an honest assessment of what's involved and how we can help.

Speak to an Expert

Speak to an Expert

We'll get back to you within one business day.

We respect your privacy. No spam, ever.