You patched your own systems. You have MFA. Your firewall is solid. But your accounting software vendor, your IT support contractor, and your cloud backup provider — have you checked theirs lately?
For most of the 2010s, attackers came at organisations directly โ exploiting unpatched software, brute-forcing weak passwords, or sending phishing emails hoping to land inside the target network. Defenders responded with better patching, stronger authentication, and improved email filtering. The direct attack surface got harder and more expensive to breach.
Attackers are rational. When direct attacks become costly, they find cheaper paths. The cheaper path turned out to be your vendors.
Every business today runs on a web of third-party software, services, and contractors. Your accounting platform, your managed IT provider, your cloud backup service, your payroll processor, your CRM, your e-signature tool — each one has credentials, network access, or data pipelines into your environment. And each one is a potential entry point that you don't control and probably don't monitor.
62% of data breaches now involve a third-party vendor or supply chain component. For SMBs specifically, that figure is rising — because attackers have learned that small businesses are connected to large enterprises through their shared vendors, making SMBs a stepping stone into much larger targets.
The scale of supply chain attacks is what makes them uniquely dangerous. When an attacker compromises a single widely-used vendor, they gain simultaneous access to every customer of that vendor. Three incidents define the modern threat landscape.
Progress Software's MOVEit file transfer tool was used by thousands of organisations to move sensitive data. A single SQL injection vulnerability allowed the Cl0p ransomware group to exfiltrate data from over 2,700 organisations — including government agencies, pension funds, universities, and healthcare providers — in a matter of days. Most victims had done nothing wrong themselves. They had simply trusted a vendor.
The SolarWinds attack became the template that every sophisticated threat actor now studies. Attackers compromised the build pipeline of SolarWinds' Orion platform and inserted malicious code into a legitimate software update. When customers applied what they believed was a routine patch, they installed a backdoor. The attack affected 18,000 organisations including US government departments — all through a single trusted software vendor.
The XZ Utils backdoor showed that state-level attackers are willing to invest years to compromise a supply chain. A threat actor spent two years building trust as an open-source contributor before inserting a sophisticated backdoor into a compression library present on millions of Linux systems. It was caught by accident. Similar campaigns, not yet discovered, almost certainly exist.
You might assume these attacks target enterprises — the organisations with large volumes of valuable data. That assumption is dangerously wrong in 2026.
SMBs are targeted through their vendors for two distinct reasons. First, attackers know that SMBs are connected to larger organisations — as suppliers, subcontractors, and service providers. Breaching an SMB through a shared vendor gives access to the SMB's customer list, contracts, and potentially a trusted communication channel into larger enterprises. The SMB is not the end target; it is the pivot.
Second, and more directly, SMBs hold valuable data — customer payment information, employee records, healthcare data, legal documents — and they are far less likely to be monitoring their vendor security posture. Attackers go where detection is lowest. An SMB that has never audited its vendor risk profile is a much easier target than an enterprise with a dedicated third-party risk management team.
Most SMBs cannot answer basic questions about their vendors: When did their SSL certificate last expire? Do they have an exposed admin panel? Have their IP ranges appeared in threat feeds? Have their employee credentials been leaked in a breach? If you can't answer these questions, you are flying blind on your most significant attack surface.
Vendor security monitoring isn't about demanding SOC 2 reports and filing them away. It's about maintaining continuous visibility into the observable security posture of every organisation that has access to your data or systems. Here's what matters.
An expired SSL certificate is a signal — it means the vendor's security hygiene has slipped. It's also a practical risk: expired certificates cause service disruptions and can be a precursor to a compromised domain. But beyond expiry, check certificate configuration: weak cipher suites, old TLS versions (1.0/1.1), and self-signed certificates on anything customer-facing are all red flags.
Internet-exposed admin interfaces — Webmin, phpMyAdmin, router admin panels, RDP, VNC — are prime attack targets. A vendor with an exposed admin panel on their public IP range has a significant vulnerability in their perimeter. Open ports that shouldn't be public (database ports, SMB, SNMP) indicate either misconfiguration or lack of ongoing security review. Both are warning signs.
If your vendor doesn't have a DMARC policy at p=reject, attackers can send emails that appear to come from your vendor's domain. That means a phishing email impersonating your IT support contractor, your payroll provider, or your legal team will arrive in your employees' inboxes looking completely legitimate. Vendor email authentication status is a direct threat to your organisation.
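The p=reject test above can be automated against the vendor's DMARC TXT record. This is an added example, not EdgeIQ Labs' Vendor Watch code; it evaluates the raw record text and applies the DMARC defaults (sp falls back to p, pct to 100), so a record that is nominally p=reject but only partially enforced is still reported as weak. Resolving `_dmarc.<vendor-domain>` (e.g. with dnspython) is assumed to happen outside the function, and the sample records are constructed.

```python
"""Evaluate a vendor's DMARC record: is spoofing of its domain actually rejected?
Added example, not EdgeIQ Labs code. Takes the raw TXT record text; a live
monitor would first resolve _dmarc.<vendor-domain> (e.g. with dnspython)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class DmarcResult:
    present: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    enforcing: bool      # True only when p=reject applies to 100% of mail
    findings: List[str]

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: Optional[str]) -> DmarcResult:
    """Classify a record as enforcing (p=reject) or list why it is weak."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return DmarcResult(False, None, None, 0, False, ["no valid DMARC record published"])
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower() or None
    sub_policy = tags.get("sp", "").lower() or policy   # sp defaults to p
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    findings: List[str] = []
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy or 'missing'}: subdomains can be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail hits the policy")
    if "rua" not in tags:
        findings.append("no rua= address: vendor gets no aggregate reports")
    enforcing = policy == "reject" and sub_policy == "reject" and pct == 100
    return DmarcResult(True, policy, sub_policy, pct, enforcing, findings)

SAMPLES = {  # constructed sample records, not real vendor data
    "payroll-vendor.example": "v=DMARC1; p=reject; rua=mailto:dmarc@payroll-vendor.example",
    "it-support.example": "v=DMARC1; p=none; rua=mailto:reports@it-support.example",
    "backup-vendor.example": "v=DMARC1; p=quarantine; pct=25",
    "crm-vendor.example": None,
}
```

Running `evaluate_dmarc` over `SAMPLES` reports only the payroll vendor as enforcing; the other three would let a spoofed message from the vendor's domain reach your inboxes.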
Has your vendor's domain appeared in known breach datasets? Have employee credentials from their organisation been posted on dark web markets or paste sites? A vendor whose staff have leaked credentials is at elevated risk of account compromise — and a compromised account at your vendor can be used to pivot into your systems through legitimate, trusted communication channels.
Attackers register lookalike domains — acme-corp.com instead of acmecorp.com, acmecorp.net instead of acmecorp.com — in advance of phishing campaigns targeting a vendor's customers. If a lookalike domain for one of your vendors appears and starts sending email, your employees are about to receive very convincing phishing. Monitoring for newly registered lookalike domains gives you days of warning before the attack lands.
The honest answer is that monthly checks are not enough. Security posture changes constantly — SSL certificates expire, misconfigurations are introduced during deployments, breach data is published on a daily basis. A vendor who was clean on the 1st of the month may have an exposed admin panel by the 3rd and a published credential leak by the 10th.
Effective vendor monitoring is continuous — not a point-in-time snapshot. You need to be alerted within hours of a change in your vendor's security posture, not weeks later when you run your next manual check. The difference between a one-day response and a three-week response is often the difference between a contained incident and a notifiable breach.
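Monitoring for lookalike registrations comes down to comparing each newly seen domain against your vendor list. The added example below is not EdgeIQ Labs code; it catches the hyphen and TLD-swap patterns mentioned above, digit-for-letter substitutions, and a vendor name embedded in a longer hostname, using homoglyph normalisation and an edit distance of one. The vendor list, the feed entries and the single-label TLD assumption are all constructed for the example.

```python
"""Flag newly seen domains that imitate one of your vendors' domains.
Added example, not EdgeIQ Labs code. Assumes single-label TLDs (no public
suffix handling for e.g. .co.uk); NEW_DOMAINS stands in for a registration feed."""
from typing import Dict, Iterable, List, Tuple
# Digit/letter substitutions and hyphens common in lookalike names (constructed list)
_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})

def normalise(label: str) -> str:
    """Collapse homoglyphs so acme-c0rp, acrnecorp and acmecorp compare equal."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_GLYPHS)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the standard dynamic-programming rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain: str) -> Tuple[str, List[str]]:
    """Return (registrable label, labels to the left of it)."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2], parts[:-2]) if len(parts) >= 2 else (parts[0], [])

def lookalike_matches(candidates: Iterable[str], vendors: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious candidate domain to the vendor domain it imitates."""
    hits: Dict[str, str] = {}
    for cand in candidates:
        c_label, c_rest = split_domain(cand)
        for vendor in vendors:
            if cand.lower() == vendor.lower():
                continue                      # the vendor's own domain is not a lookalike
            v_label, _ = split_domain(vendor)
            brand_in_prefix = v_label in c_rest   # acmecorp.com.login-portal.example
            near_miss = edit_distance(normalise(c_label), normalise(v_label)) <= 1
            if brand_in_prefix or near_miss:
                hits[cand] = vendor
                break
    return hits

# Constructed sample data, not a real feed or real vendors
VENDORS = ["acmecorp.com", "payrollpro.io"]
NEW_DOMAINS = ["acme-corp.com", "acmecorp.net", "acmec0rp.com", "acmecorp.com",
               "acmecorp.com.login-portal.example", "payrolpro.io", "widgets.example"]

if __name__ == "__main__":
    for dom, vend in lookalike_matches(NEW_DOMAINS, VENDORS).items():
        print(f"ALERT: {dom} resembles vendor {vend}")
```

In a real monitor the candidate list would be the day's newly registered domains, and each hit would feed into the alerting described later on this page rather than a print statement.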
Manual vendor monitoring doesn't scale. If you have 10 vendors and you're manually checking each one weekly across SSL, open ports, breach data, email authentication, and domain reputation, that's a significant time investment that will slip the moment your team gets busy. The checks will get skipped, the cadence will slow, and the gaps will widen.
The practical solution is automated continuous monitoring with alerting. You define your vendor list, set your risk thresholds, and receive alerts when something changes — not weekly summaries, but immediate notifications when a vendor's certificate expires, an admin panel becomes exposed, or their domain appears in new breach data. That's the difference between proactive vendor risk management and reactive incident response.
Vendor Watch by EdgeIQ Labs monitors up to 10 vendors continuously across SSL, open ports, email authentication, breach data, and domain reputation. Get alerted the moment their security posture changes — before it becomes your problem.