COMMENTARY: Third-party risk was once treated as a compliance exercise – acknowledged, documented, and reviewed periodically. That approach worked when vendors were considered operational dependencies, not primary attack vectors. That world no longer exists. Today, trusted connections are one of the fastest and most reliable paths into otherwise secure networks. The 2025 Verizon Data Breach Investigations Report found that breaches involving third parties have doubled in the past year and now account for roughly 30% of all incidents. [SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Government systems, financial institutions, major enterprises, and technology platforms all face the same reality: attackers are systematically exploiting trust. Expanding ecosystems, expanding exposure What was once a contained group of vendors has evolved into sprawling, interconnected ecosystems. Organizations now rely on hundreds, sometimes thousands of third-party integrations to operate. Every connection expands the attack surface. More than half of organizations experienced a third-party breach in the past year. In Europe, 96% of the largest financial services firms reported third-party incidents, and 97% were impacted through fourth parties – the vendors of their vendors. A single weak link can compromise the entire chain. There’s a clear structural problem: organizations depend on environments they do not own and cannot fully control. Security teams are responsible for defending risk they cannot directly see. Once attackers gain access through a trusted connection, the compromise doesn’t stop at the vendor. It moves directly into customer environments. Why traditional risk models fail Most third-party risk programs were not built for adversaries moving at machine speed. They rely on point-in-time assessments, questionnaires, and external scoring systems that attempt to infer security posture from the outside. These tools support governance. They do not stop active attacks. They cannot tell us whether a trusted vendor has been compromised right now. That’s the critical gap. Risk gets documented, scored, and archived, but not reduced in the moment it matters. While assessments are being reviewed, attackers are already moving laterally through trusted pathways. Reactive defense guarantees delayed response When a third-party breach surfaces, organizations are forced into incident response mode – determining what was accessed, how far it spread, and which connections we must sever. By then, the adversary has already achieved leverage. Treating vendors as secure until proven otherwise no longer works. Attackers map trust relationships faster than most organizations complete a quarterly assessment. Today, we have to assume compromise is possible and focus on detecting the earliest signs of targeting. That means identifying reconnaissance activity, subtle behavioral shifts across trusted integrations, and signals that a vendor has been profiled for exploitation. Attackers see the full ecosystem. Most defenders see only their perimeter. That’s the visibility gap where modern breaches begin. AI accelerates the threat AI has dramatically compressed the attack lifecycle. Adversaries now use AI to map ecosystems, identify weak links, and launch campaigns at scale, often in minutes. Thousands of operations can run in parallel with minimal human effort. At the same time, enterprises now use AI to automate workflows and deploy new third-party integrations faster than security teams can track them. The attack surface has expanded at machine speed. Manual defense cannot counter automated offense. Closing this gap requires a fundamentally different operating model. Traditional perimeter defenses remain necessary, but insufficient. Organizations need agile, intelligence-led capabilities that can identify threats early and disrupt them before impact. Advanced cyber risk intelligence (CRI) promises a path to that shift. It lets defenders detect targeting activity, understand which weaknesses are being profiled, and see reconnaissance across their extended ecosystem before exploitation begins. It moves security from reaction to disruption. What leaders should prioritize now Organizations looking to counter AI-driven adversaries must focus on executing the following five priorities: Third-party ecosystems will continue to grow. Attackers will continue to target the weakest link. And, AI will continue to accelerate both scale and precision. Outdated governance models cannot defend against machine-speed adversaries. Organizations that succeed will shift from periodic assessment to continuous intelligence. They will gain earlier visibility, detect targeting in its earliest stages, and counter threats before they land. It’s time to stop thinking of third-party risk as a compliance function. It’s one of the most exploited attack paths in the modern enterprise, and defending it demands a disciplined, intelligence-driven approach built for the speed of today’s adversaries. John Watters, chief executive officer, iCOUNTER SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
- Understand exactly what the organization exposes across its digital and third-party footprint.
- Detect reconnaissance and targeting activity at the earliest stage.
- Harden AI systems against manipulation, poisoning, and abuse.
- Use intelligence tailored to the environment, not generic feeds disconnected from the company’s risk profile.
- Align IT, security, legal, communications, and leadership so response moves at machine speed.
