Security

The vendor risk question nobody asks

Editorial Team November 23, 2024 · 1 min read

Most vendor risk management is a checkbox exercise. The vendor sends a SOC 2 report, the buyer files it, and everyone moves on. The report is not the question.

The question

"What is the blast radius if you are compromised?" In other words, what data of mine do you hold, what access to my systems do you have, and what would an attacker do with the worst-case combination of both?

Why this matters

The biggest breaches of the last decade involved third parties. The customer's defenses were fine. The vendor was the entry point.

What to do with the answer

  • Limit standing access. If a vendor only needs access during certain operations, give it to them then.
  • Segment vendor connections at the network level.
  • Audit logs from vendor activity, ideally piped into your SIEM.
  • Have an exit plan. What does it look like to cut a vendor off in a hurry?
Tagged Cybersecurity Procurement Best Practices
— Keep reading

Related posts.

Security
April 28, 2026 · 1 min read

Why every small business needs a security baseline (and what that actually means)

The phrase "we are too small to be a target" is the most expensive sentence in IT. Here is what a real baseline looks like, in plain language, with the steps you can take this week.

Editorial Team
Security
April 7, 2026 · 1 min read

Phishing that actually works in 2026: what your team should know

The phishing techniques that actually work right now and the five-second checks anyone in your organization can do to spot them.

Alebrije Admin
Security
March 3, 2026 · 1 min read

Microsoft 365 hardening: the seven settings most tenants get wrong

Default Microsoft 365 settings are not a security baseline. Seven specific changes that take an afternoon and meaningfully reduce risk.

Alebrije Admin