Make sure to think outside the box when you're cataloguing your third-party vendors
While the seven data streams from our previous post will capture the majority of your vendor relationships, they’re primarily designed to find digital services and traditional procurement relationships. Today, we’re exploring the vendor categories that fall through the cracks of most discovery programs, as well as why they often represent some of your highest-risk relationships.
Not all third-party risk is digital
Most vendor discovery programs focus exclusively on IT services, missing significant categories of physical and operational vendors that pose real security risks.
“Not as many people are doing third-party risk around suppliers or service providers that may have access to your buildings or other physical assets,” says Chuck Norton, Senior Technical Security Advisor at Resilience. “There are a range of risks that different types of vendors can bring to the table, but many organizations don’t have a mature enough third-party risk management (TPRM) program to identify risks beyond their email provider or security provider.”
Physical access vendors
The following physical access vendors often have unfettered access to your facilities, systems, and data without undergoing the same security assessments as IT service providers:
Security and surveillance companies that monitor your facilities, manage access control systems, and respond to incidents. They often have master keys, alarm codes, and detailed knowledge of your security procedures.
Cleaning and maintenance services that work after hours when fewer employees are present. They have physical access to workspaces, trash containing sensitive documents, and often work unsupervised around computer equipment.
Food service and catering providers who access kitchens, conference rooms, and employee areas. During large events, they may bring temporary staff who haven’t been background checked.
Facilities management vendors who maintain HVAC, electrical, and plumbing systems. They understand your building infrastructure and may have access to network closets and server rooms.
Supply chain and manufacturing partners
For organizations that produce physical products, supply chain vendors represent critical dependencies that extend far beyond IT:
- Component suppliers whose quality issues or disruptions can halt your production
- Logistics and shipping providers who handle your products and have visibility into your supply chains
- Contract manufacturers who may have access to your intellectual property and production processes
“If your company makes widgets and that company upstream makes parts for your widgets, you need to consider them as part of your overall enterprise risk, too,” says Norton.
Independent contractors
Independent contractors represent a particularly problematic category that often falls between traditional vendor management and HR processes.
“Independent contractors can present a big risk to your organization because they will often have access to either your physical or data facilities,” Norton says. “However, in my experience, they’re usually not vetted to the same degree as a larger consulting or contracting vendor as the business relationship is often viewed in a much more casual light.”
Why contractors fall through the cracks
Different payment systems: Contractors are often paid through payroll systems rather than accounts payable, making them invisible to procurement-based discovery methods.
Informal engagement processes: Teams often engage contractors directly without going through formal vendor onboarding, especially for short-term or specialized work.
Unclear ownership: It’s often unclear whether contractors should be managed by HR, procurement, IT, or the engaging business unit.
Temporary access assumptions: Organizations often assume contractor access is temporary and low-risk, even when contractors work on sensitive projects or systems.
High-risk contractor categories
- IT consultants and developers who may have administrative access to systems and code repositories
- Business consultants who access strategic information and financial data
- Specialized technicians who service equipment and may have privileged system access
- Creative and marketing contractors who handle brand assets and customer data
The shadow IT challenge
Shadow IT—technology adopted by business units without IT approval—represents one of the fastest-growing categories of vendor relationships. The proliferation of affordable, easy-to-adopt SaaS tools that can be bought with a card and used from a browser has made this problem far worse.
The corporate card problem
Norton recalls a particularly striking example of how shadow IT could spiral out of control. At his previous company, any employee with a corporate card could make purchases under $15,000 without triggering a single layer of review. Policies existed, of course. There were third-party risk management programs with vendor questionnaires, catalogues, and formal contract reviews. But in practice, all of that could be bypassed with a single swipe of plastic.
An employee could simply go out, buy new software or hardware, and then call up IT saying, “Hey, the vendor’s here to install our new software. Make it work.” From Norton’s perspective as a security professional, this wasn’t just inconvenient—it was potentially catastrophic. Unknown tools and systems were being introduced into the environment without oversight, opening the door to vulnerabilities no one had accounted for.
“It had the potential for just blowing the doors off of everything,” he explains. “Because you have no idea what’s going on.”
This scenario is more common than many organizations realize. The combination of:
- Low-dollar purchase thresholds that bypass approval processes
- Distributed budget authority across business units
- Proliferation of affordable SaaS tools
- Credit card-friendly payment models
…means that vendor relationships are being created faster than traditional discovery methods can track them.
Common shadow IT categories
- Collaboration tools: Slack alternatives, project management platforms, file sharing services
- Design and creative tools: Canva, Figma, Adobe Creative Cloud subscriptions
- Analytics and BI tools: Tableau, Power BI, specialized industry analytics platforms
- Communication tools: Video conferencing, webinar platforms, customer support chat tools
- Productivity enhancers: Note-taking apps, automation tools like Zapier, password managers
Making compliance attractive
Norton stresses the fact that the solution isn’t just stronger policies, but better design of the processes themselves.
“If things aren’t convenient enough, people just won’t do it, and that’s what breeds shadow IT,” Norton says. “If you want to avoid things like shadow IT or anybody with a corporate card going out and buying whatever they want, you have to make your policy processes attractive and usable. And that goes for anything within cybersecurity.”
To illustrate, he shares a more positive case. At one organization, new leadership made a deliberate effort to streamline the procurement process, slashing the timeline from six months to just a few weeks. That shift changed the dynamic entirely. Employees no longer felt the need to go around the system; the system was finally working with them. By making legitimate procurement faster and easier, the organization reduced the allure of workarounds, aligning security goals with employee needs.
Fourth-party risk: Your vendors’ vendors
If third-party risk is already daunting, fourth-party risk—understanding who supplies your suppliers—adds yet another layer of complexity that most organizations are only beginning to grapple with. Norton illustrates the challenge with a simple but sobering scenario: imagine relying on a cloud service that is, in turn, hosted on Microsoft's cloud. If Microsoft suffers an outage, the impact ripples down to every business built on top of that infrastructure.
“Many organizations are still struggling to wrap their heads around third-party risk—the direct risk posed by their vendors,” Norton explains. “Even fewer are prepared to consider the risk introduced by their vendors’ vendors.” It’s a blind spot that magnifies the interconnectedness of today’s digital supply chains and underscores just how difficult it is to map risk beyond the first degree of separation.
Why fourth-party risk matters
Concentration risk: Multiple vendors might depend on the same underlying infrastructure provider, creating single points of failure you didn’t realize existed.
Cascading failures: Outages or security incidents at major infrastructure providers can affect hundreds of downstream services simultaneously.
Data location and sovereignty: Your vendor might store data with a fourth party in a jurisdiction you hadn’t considered.
Compliance gaps: Your vendor might delegate critical functions to fourth parties that don’t meet your compliance requirements.
Mapping fourth-party relationships
Contractual transparency: Require vendors to maintain and publish subprocessor lists with advance notification of changes. Include specific requirements for:
- Legal entity names and primary business functions
- Geographic locations where data might be processed
- Change notification timelines (typically 30 days minimum)
- Right to object to subprocessor changes
Technical discovery: Use SaaS Security Posture Management (SSPM) tools to enumerate connected applications within major SaaS platforms. A single Salesforce instance might have dozens of connected third-party apps, each representing a fourth-party relationship.
Software Bill of Materials (SBOM): For software vendors, require SBOM documentation that reveals the components and dependencies that comprise their applications.
External intelligence: Leverage status pages, incident reports, and breach notifications to understand concentration risks and cascading dependencies.
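The subprocessor lists, data-location requirements and concentration-risk concerns described above become actionable once the lists are in a machine-readable form. The following is an added example, not code from the original post or from Resilience: it takes constructed subprocessor lists (hypothetical vendors "PayrollCo", "CRMVendor", "TicketingSaaS", "BadgeSystemCo" and hypothetical fourth parties) and (1) inverts them to find fourth parties that several of your vendors share, (2) flags processing regions outside an assumed approved-region policy, and (3) diffs a vendor's previously published list against its current one so a subprocessor change does not go unnoticed.

```python
"""Map fourth-party concentration and jurisdiction exposure from subprocessor lists.

Added example, not code from the original post. Every vendor, fourth party and
region below is constructed for illustration, as is the approved-region policy.
"""
from collections import defaultdict

# Constructed subprocessor lists in the shape vendors usually publish them:
# legal entity, business function, and where the data is processed.
SUBPROCESSORS = {
    "PayrollCo": [
        {"entity": "Nimbus Cloud Ltd", "function": "hosting", "region": "US"},
        {"entity": "MailRelay Ltd", "function": "transactional email", "region": "US"},
    ],
    "CRMVendor": [
        {"entity": "Nimbus Cloud Ltd", "function": "hosting", "region": "EU"},
        {"entity": "SupportChat GmbH", "function": "in-app support chat", "region": "DE"},
    ],
    "TicketingSaaS": [
        {"entity": "Nimbus Cloud Ltd", "function": "hosting", "region": "US"},
        {"entity": "MailRelay Ltd", "function": "transactional email", "region": "IN"},
    ],
    "BadgeSystemCo": [
        {"entity": "LocalHost Inc", "function": "hosting", "region": "US"},
    ],
}
APPROVED_REGIONS = {"US", "EU", "DE"}  # hypothetical data-residency policy


def fan_in(subprocessors):
    """Invert vendor -> subprocessors into fourth party -> set of dependent vendors."""
    dependents = defaultdict(set)
    for vendor, entries in subprocessors.items():
        for entry in entries:
            dependents[entry["entity"]].add(vendor)
    return dependents


def concentration_risks(subprocessors, min_vendors=2):
    """Fourth parties that at least `min_vendors` of your vendors depend on,
    most-shared first. A hit is a single point of failure you may not have known about."""
    dependents = fan_in(subprocessors)
    hits = [(entity, sorted(vendors))
            for entity, vendors in dependents.items() if len(vendors) >= min_vendors]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def jurisdiction_findings(subprocessors, approved_regions):
    """(vendor, fourth party, region) triples where data is processed outside policy."""
    findings = []
    for vendor, entries in sorted(subprocessors.items()):
        for entry in entries:
            if entry["region"] not in approved_regions:
                findings.append((vendor, entry["entity"], entry["region"]))
    return findings


def subprocessor_changes(previous, current):
    """Diff two published versions of one vendor's list by legal entity name,
    so an addition can be reviewed (and objected to) inside the notice window."""
    before = {e["entity"] for e in previous}
    after = {e["entity"] for e in current}
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    for entity, vendors in concentration_risks(SUBPROCESSORS):
        print(f"concentration: {entity} underpins {len(vendors)} vendors: {', '.join(vendors)}")
    for vendor, entity, region in jurisdiction_findings(SUBPROCESSORS, APPROVED_REGIONS):
        print(f"jurisdiction: {vendor} -> {entity} processes data in {region}")
    # Constructed "next month" list for PayrollCo: MailRelay swapped for BulkMail Corp.
    updated = [
        {"entity": "Nimbus Cloud Ltd", "function": "hosting", "region": "US"},
        {"entity": "BulkMail Corp", "function": "transactional email", "region": "US"},
    ]
    print("PayrollCo changes:", subprocessor_changes(SUBPROCESSORS["PayrollCo"], updated))
```

The inversion in `fan_in` is the whole trick: vendors publish their lists one vendor at a time, and the concentration only shows up when you join them across your entire vendor inventory. Run the diff on each vendor's list on a schedule rather than waiting for the vendor's notification email; in practice the published page changes before, or instead of, the notice.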
Discovery strategies for overlooked vendors
Physical vendor discovery
- Facility management systems: Extract vendor lists from building management, keycard access systems, and visitor management platforms.
- Facility contracts and insurance: Review property management agreements, insurance policies, and maintenance contracts.
- Security incident reports: Analyze physical security incidents to identify vendors with facility access.
Contractor discovery
- Payroll system analysis: Look for 1099 payments and contractor classifications in payroll systems.
- Badge and access logs: Identify non-employee access patterns in physical and logical access systems.
- Project management tools: Review project assignments and resource allocations for external participants.
Shadow IT discovery
- Network traffic analysis: Use DNS logs and web gateway data to identify unauthorized cloud services.
- Browser extension monitoring: Deploy tools that can inventory browser plugins and extensions across your fleet.
- OAuth application audits: Regularly review connected applications and their granted scopes in major SaaS platforms like Microsoft 365 (formerly Office 365) and Google Workspace.
- Credit card transaction mining: Systematically review corporate card transactions for SaaS subscriptions and digital services.
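Two of the shadow IT signals above, DNS logs and corporate card transactions, are stronger combined than alone: DNS tells you who is using an unsanctioned service, and the card feed tells you that somebody is paying for it. The following is an added example, not code from the original post or from Resilience. It parses a constructed DNS query log (hypothetical format `<timestamp> <client_ip> <user> <qtype> <qname>`), collapses queries to the registrable domain, drops internal zones and an assumed sanctioned-SaaS inventory, ranks what remains by distinct users, and then matches merchant descriptors from a constructed card feed against the candidate domains. All domains, users and merchants are invented.

```python
"""Rank candidate shadow SaaS from DNS logs and tie them to corporate card spend.

Added example, not from the original post. The log format, the card feed
format, the sanctioned-app inventory and every domain/merchant below are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed DNS query log: "<timestamp> <client_ip> <user> <qtype> <qname>".
# A real resolver or web-gateway export will need its own parser.
DNS_LOG = """\
2024-03-04T09:12:31Z 10.1.4.22 alice A mail.corp.example.com
2024-03-04T09:13:02Z 10.1.4.22 alice A app.notesapp.io
2024-03-04T09:13:05Z 10.1.4.22 alice A api.notesapp.io
2024-03-04T09:20:11Z 10.1.4.57 bob A app.notesapp.io
2024-03-04T09:21:40Z 10.1.4.57 bob A login.sanctioned-crm.com
2024-03-04T09:25:09Z 10.1.4.90 carol A hooks.flowbot.co.uk
2024-03-04T09:26:00Z 10.1.4.90 carol A cdn.flowbot.co.uk
2024-03-04T10:01:13Z 10.1.4.22 alice A hooks.flowbot.co.uk
2024-03-04T10:05:44Z 10.1.4.33 dave A drive.sanctioned-crm.com
2024-03-04T10:07:12Z 10.1.4.33 dave A designboard.app
2024-03-04T10:30:00Z 10.1.4.57 bob A api.notesapp.io
"""

# Constructed corporate card feed: "date,card_last4,merchant_descriptor,amount".
CARD_FEED = """\
2024-03-01,4512,NOTESAPP.IO*TEAM PLAN,180.00
2024-03-02,4512,AMZN MKTP US,42.10
2024-03-03,7781,FLOWBOT LTD,49.00
2024-03-03,9902,DESIGNBOARD,15.00
"""

SANCTIONED_SAAS = {"sanctioned-crm.com"}           # hypothetical approved inventory
INTERNAL_DOMAINS = {"corp.example.com"}             # hypothetical corporate zones
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}   # tiny stand-in for the public suffix list


def registrable_domain(qname):
    """Collapse app.x.example.com / api.x.example.com to one vendor-level domain."""
    labels = qname.lower().rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def is_internal(qname):
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in INTERNAL_DOMAINS)


def candidate_shadow_saas(log_text):
    """Unsanctioned external domains, ranked by distinct users, then query volume."""
    users, queries = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole run
        _ts, _ip, user, _qtype, qname = parts
        if is_internal(qname):
            continue
        dom = registrable_domain(qname)
        if dom in SANCTIONED_SAAS:
            continue
        users[dom].add(user)
        queries[dom] += 1
    rows = [{"domain": d, "users": sorted(users[d]), "queries": queries[d]} for d in users]
    rows.sort(key=lambda r: (-len(r["users"]), -r["queries"], r["domain"]))
    return rows


def merchant_tokens(descriptor):
    """Card descriptors are noisy ("NOTESAPP.IO*TEAM PLAN"); keep the alphabetic words."""
    return {t for t in re.sub(r"[^a-z]", " ", descriptor.lower()).split() if len(t) >= 4}


def correlate_card_spend(candidates, card_text):
    """Attach card transactions whose descriptor names a candidate domain's first label."""
    for row in candidates:
        row["card_matches"] = []
    by_label = {r["domain"].split(".")[0].replace("-", ""): r for r in candidates}
    for line in card_text.splitlines():
        fields = line.split(",")
        if len(fields) != 4:
            continue
        _date, last4, merchant, amount = fields
        for token in merchant_tokens(merchant):
            row = by_label.get(token)
            if row is not None:
                row["card_matches"].append((last4, merchant, amount))
    return candidates


if __name__ == "__main__":
    for row in correlate_card_spend(candidate_shadow_saas(DNS_LOG), CARD_FEED):
        paid = "; ".join(f"card {l4} {m} {amt}" for l4, m, amt in row["card_matches"]) or "no card spend found"
        print(f"{row['domain']}: {len(row['users'])} users, {row['queries']} queries, {paid}")
```

The ranking by distinct users rather than raw query count matters: a single automation host hammering one API produces a large query count but is a different finding from a tool that has quietly spread across a department. The descriptor matching is deliberately crude; in a real run expect to maintain a merchant-to-vendor mapping table, because descriptors for the same vendor vary by acquiring bank.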
What’s next
In our next post, we’ll tackle one of the most challenging aspects of vendor management: how to prioritize and tier vendors based on actual risk rather than just financial spend. We’ll explore why the traditional approach of using contract value as a proxy for risk assessment fails, and provide a practical framework for risk-based vendor classification.