Key Takeaways
- More suppliers equal more risk. The attack surface expands with every new vendor that can access your system.
- Managing third-party risk requires extending your culture of security beyond your internal employees.
- Consolidating vendors in an integrated facility service model also leads to better business performance.
Organizations no longer operate within clearly defined perimeters. Instead, they function as dynamic networks of partners, vendors, and service providers, all of which are deeply integrated into core systems and operations.
The number of suppliers has grown sharply in recent years. One survey found that the average small or medium-sized business has nine times more suppliers than employees, yet actively uses only a quarter of them.
As a result, cybersecurity is no longer just an internal concern; it is a shared responsibility across the entire supplier ecosystem.
This shift demands a fundamental rethink of how organizations approach third-party risk. Suppliers are no longer peripheral. When they connect to systems, process payments, or handle sensitive data, they effectively become part of the organization’s digital infrastructure.
And when three quarters of those suppliers are not even active, every connection left in place for them is exposure that nobody is watching.
The expanding attack surface
Attackers increasingly exploit supplier relationships as a point of entry, targeting less mature vendors to gain access to larger enterprises. Almost 70% of organizations experienced at least one material third-party cyber incident in the past year, with supply chain attack volume surging more than 400% since 2021.
"Third parties often have privileged access to sensitive systems and data, making them prime targets for cyber threats and potential sources of vulnerabilities if not properly vetted," said Emi Kustal, Director, IT Risk & Compliance at ABM.
Supplier ecosystems are not just a risk to be managed, but a domain to be governed continuously. Traditional approaches, such as one-time vendor assessments during procurement, are no longer sufficient. Instead, organizations must adopt a lifecycle approach that embeds security into every stage of the supplier relationship—from onboarding to ongoing monitoring and eventual offboarding.
From due diligence to continuous governance
To secure the supplier ecosystem, organizations must move beyond static compliance checklists and toward dynamic, risk-based governance.
This starts with rigorous vetting before contracts are signed. Organizations must define security expectations clearly, make them contractually enforceable (minimum controls, breach notification deadlines, audit rights and offboarding obligations), and align them to recognized frameworks such as the NIST Cybersecurity Framework or ISO/IEC 27001.
Diligence at onboarding is only the beginning. Threats do not stand still, and neither should supplier oversight. Organizations that monitor suppliers continuously, rather than re-assessing them once a year, can spot a new exposure (a disclosed vulnerability in a supplier's product, a leaked credential, a breach at the supplier itself) early and respond before it escalates into an incident of their own. Incident response plans must likewise extend to suppliers, with named contacts and notification paths, and be exercised in realistic scenarios. When a breach occurs, coordination across partners becomes the defining factor in containment and recovery.
Organizations must also recognize that supplier risk is not limited to IT systems. As physical environments become connected through smart buildings, IoT devices, and operational technology, the attack surface expands further. Stacy Hughes, SVP and CISO at ABM, warns that physical security is an often-ignored area that impacts digital security. Facilities, payment systems, and operational processes all intersect with supplier relationships, making cross-functional governance essential.
Turning risk into a competitive advantage
Organizations that take a proactive approach to securing their supplier ecosystems can turn a vulnerability into a strategic differentiator.
But it is not only about adding security controls. Shrinking the supplier ecosystem removes risk outright: a dormant account, VPN tunnel or integration that is deleted no longer needs to be monitored or defended. Start by reviewing supplier access against your access policies. Inventory every account, key, remote connection and badge issued to a third party, and revoke those belonging to suppliers that are no longer active.
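One way to operationalize that review, as an added example that is not from the article or from ABM: the script below takes an inventory of third-party access joined against the vendor register and sorts each entry into revoke, review or keep. The supplier names and accounts are constructed, the 90-day idle threshold is an assumption, and so is the premise that badge access in this inventory carries no usage telemetry; in practice the inventory would be exported from the identity provider, VPN concentrator and badge system.

```python
"""Flag dormant or orphaned third-party access for revocation.

Added example, not code from the original article. The inventory below is
constructed for illustration; real data would come from your IdP, VPN and
badge systems, joined against the vendor register that records which
supplier contracts are still active.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption for the constructed data: the badge system does not report
# last-used dates, so idleness cannot be judged automatically for badges.
NO_TELEMETRY = {"badge"}


@dataclass(frozen=True)
class ThirdPartyAccount:
    supplier: str
    account_id: str
    access: str                 # "vpn", "sso", "api-key", "badge", ...
    contract_active: bool       # from the vendor register
    created: date               # when the access was issued
    last_used: Optional[date]   # None = no activity ever recorded


def review_third_party_access(accounts, today, max_idle_days=90):
    """Sort accounts into (revoke, review, keep).

    revoke: (account, reason) pairs whose access should be removed now
    review: (account, reason) pairs that need a human decision
    keep:   accounts that are in use and belong to an active supplier
    """
    cutoff = today - timedelta(days=max_idle_days)
    revoke, review, keep = [], [], []
    for acct in accounts:
        if not acct.contract_active:
            # Orphaned access: the relationship ended but the credential did not.
            revoke.append((acct, "supplier contract no longer active"))
        elif acct.access in NO_TELEMETRY:
            # No usage data: cannot prove it is dormant, cannot prove it is needed.
            review.append((acct, "no usage telemetry; confirm need with owner"))
        elif acct.last_used is None:
            if acct.created <= cutoff:
                revoke.append((acct, "issued %s, never used" % acct.created.isoformat()))
            else:
                # Recently issued; allow the full idle window before acting.
                keep.append(acct)
        elif acct.last_used <= cutoff:
            revoke.append((acct, "idle since %s" % acct.last_used.isoformat()))
        else:
            keep.append(acct)
    return revoke, review, keep


# Constructed sample inventory (not real suppliers or accounts).
SAMPLE_INVENTORY = [
    ThirdPartyAccount("Acme HVAC", "acme-svc-01", "vpn", True, date(2023, 1, 10), date(2024, 5, 2)),
    ThirdPartyAccount("Acme HVAC", "acme-svc-02", "vpn", True, date(2022, 2, 2), date(2023, 12, 1)),
    ThirdPartyAccount("Acme HVAC", "acme-tech-07", "sso", True, date(2024, 3, 1), date(2024, 6, 14)),
    ThirdPartyAccount("Oldco Cleaning", "oldco-badge-3", "badge", False, date(2021, 8, 15), None),
    ThirdPartyAccount("Payline Inc", "payline-api", "api-key", True, date(2023, 11, 20), date(2024, 6, 18)),
    ThirdPartyAccount("Northstar Elec", "north-vpn-2", "vpn", True, date(2024, 1, 5), None),
    ThirdPartyAccount("Northstar Elec", "north-badge-9", "badge", True, date(2022, 6, 1), None),
    ThirdPartyAccount("Newco Security", "newco-sso-1", "sso", True, date(2024, 6, 10), None),
]
TODAY = date(2024, 6, 20)


def main():
    revoke, review, keep = review_third_party_access(SAMPLE_INVENTORY, TODAY)
    for acct, reason in revoke:
        print("REVOKE  %-14s %-8s %s" % (acct.account_id, acct.access, reason))
    for acct, reason in review:
        print("REVIEW  %-14s %-8s %s" % (acct.account_id, acct.access, reason))
    for acct in keep:
        print("KEEP    %-14s %-8s" % (acct.account_id, acct.access))


if __name__ == "__main__":
    main()
```

The revoke list is what goes into the offboarding ticket; the review list is what the access owner has to justify. Treating "contract ended" as a revoke condition independent of usage is the important part: an account that is still in use by a former supplier is the most dangerous entry in the inventory, not the least.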
There is also a strong business case for consolidating active vendors under one agreement. The self-performing workforce model, in which facility, engineering, and infrastructure services are unified under one partnership, can significantly reduce third-party security risk because there are fewer parties to vet, connect and monitor. Integrated facility services also eliminate fragmented vendor coordination, strengthen operational resilience, and reduce costs.
Strong third-party risk management builds trust with customers, regulators, and partners alike. It enables faster, more confident collaboration and reduces the likelihood of costly disruptions.
Ultimately, securing the supplier ecosystem is not about eliminating risk, but mastering it. Organizations that embrace continuous governance, invest in partner relationships, and embed resilience across their extended enterprise will be better positioned to navigate an increasingly complex threat landscape.