
Third-party cybersecurity failures are now an enterprise-level threat
By Michael Lazenby
As cyber threats continue to evolve, third-party cybersecurity has become one of the most substantial areas of risk for organisations globally. Increasing reliance on suppliers, vendors, partners and service providers has expanded digital ecosystems, making organisations more exposed to security vulnerabilities originating outside of their direct control.
Third-party cybersecurity refers to the safeguards and controls organisations implement to protect their systems and data when engaging with external entities. Recent examples and research highlight that this area has become a high‑volume attack vector, with threat actors increasingly targeting vendors as a means of infiltrating multiple organisations at once.
Insights from the Black Kite Third Party Breach Report 2026 reveal the scale of the issue. For every vendor breach, an average of more than five downstream organisations are compromised. Notably, several of the largest data breaches in 2025 and early 2026 were traced back to third-party suppliers and software providers rather than direct cyberattacks on the affected organisations themselves.
The human impact of these incidents is equally concerning. Publicly disclosed third‑party breaches have affected approximately 433 million people. Due to underreporting by organisations, it is likely this figure understates the true extent of the problem.
In today’s deeply interconnected business environment, an organisation’s cybersecurity posture is only as strong as that of its weakest third party. A single vendor with inadequate controls can become a gateway for data breaches, ransomware attacks and operational disruption, placing full accountability on the organisation that entrusted them with access to sensitive systems or data.
Key risks associated with third-party relationships include legal and regulatory exposure under legislation such as the POPI Act, reputational damage, operational downtime and direct financial losses resulting from unauthorised access to sensitive information.
To mitigate these risks, organisations are encouraged to adopt best‑practice approaches to third‑party risk management. These include structured vendor risk assessments based on access levels, continuous monitoring of vendor compliance, and the enforcement of cybersecurity policies and frameworks that align third parties with internal security standards. Leveraging established frameworks such as the NIST Cybersecurity Framework provides a consistent and proven approach to identifying, managing and reducing risk.
In addition, organisations are urged to develop and maintain incident response plans that explicitly include third-party vendors, ensuring rapid detection, coordination and recovery in the event of a breach.
As cyber threats continue to increase in sophistication and frequency, strengthening third‑party cybersecurity practices is no longer optional. By simplifying alignment for vendors and maintaining continuous oversight, organisations can enhance their resilience, protect sensitive data and foster stronger, more trusted partnerships across their supply chains.




