Third parties are now the primary attack vector.
The Verizon 2025 Data Breach Investigations Report — the most comprehensive breach dataset available, covering 22,052 incidents and 12,195 confirmed breaches across 139 countries — found that third parties were involved in 30% of all confirmed data breaches. That figure doubled in a single year, up from 15% in the 2024 report.
IBM's 2025 Cost of a Data Breach Report, published in July 2025, found supply chain compromise was the second most common attack vector and the second costliest at USD $4.91 million per breach. More importantly: supply chain breaches took an average of 267 days to detect and contain — 26 days longer than the overall average. Attackers are inside for nearly nine months before discovery.
SecurityScorecard reported that 35.5% of all data breaches in 2024 originated from third-party compromises, and that 98% of organisations have a relationship with a third party that has been breached. For practical purposes, every organisation has a third-party exposure problem. The question is whether they know where it sits and how material it is.
The vendor ecosystem problem compounds at scale. The average organisation now manages 286 third-party vendors, up from 237 in 2024. For each direct vendor, there are nearly 14 times more fourth and fifth parties operating further down the chain (Cyentia Institute). A tier-1 bank assessed by Risk Ledger identified, within 48 hours, 36 fourth-parties, 175 fifth-parties, 15 sixth-parties, and 27 seventh-parties connected to just 14 direct suppliers.
The compounding problem: Sonatype's 2024 State of the Software Supply Chain logged 512,847 malicious packages in open-source registries in a single year — a 156% year-over-year increase. Gartner predicts 45% of organisations worldwide will experience a software supply chain attack by 2026, a 3x increase from 2021.
What the vendor attack surface actually is.
The vendor attack surface is not a single risk — it is every pathway through which a third-party relationship can introduce security exposure. It expands every time you add an integration, grant access, or acquire a new vendor. Most organisations don't have a current and accurate map of it.
The techniques in active use.
Island hopping
Island hopping is the most common supply chain attack pattern: compromise a smaller, less-defended organisation to reach a larger target. The smaller organisation provides a trusted bridge — network connectivity, a shared credential, a software component — that the attacker exploits to pivot. Carbon Black's 2019 Global Incident Response Threat Report found island hopping accounted for 41% of all cyberattacks studied.
The Target breach (2013) remains the canonical example: attackers phished Fazio Mechanical Services, an HVAC contractor, obtained credentials for Target's billing portal, pivoted to the point-of-sale network, and stole 40 million credit card numbers. Target's security team received alerts they did not act on. The contractor was the entry point; Target bore the consequences.
Credential harvesting through vendor portals
Vendors access client systems through portals, VPNs, remote desktop, and admin consoles. Attackers target the vendor — often less defended than the ultimate target — to obtain credentials that provide legitimate, trusted access. The Change Healthcare breach (2024) exposed data on approximately 190 million Americans because there was no MFA on a remote access portal used by a vendor. No exploited vulnerability. No malware at the entry point. Just valid stolen credentials and an absent second factor.
Trusted relationship exploitation
Reverse business email compromise (reverse BEC) involves attackers compromising a vendor's mail server and launching attacks from a trusted, authenticated domain. Because the email genuinely originates from the vendor's infrastructure, it passes SPF, DKIM, and DMARC checks — and clears email security tools that flag unknown senders. The recipient has no technical signal that anything is wrong.
The compounding effect of trust: Every vendor you grant access to implicitly inherits the trust level of your own internal systems — without necessarily meeting the same security standards. Your perimeter is only as strong as the weakest trusted third party with access to it.
What the third-party thread looks like in Australian breaches.
Three of Australia's most significant recent cyber incidents share a common factor: the initial compromise came through, or was significantly enabled by, a third-party relationship. The pattern is consistent — and consistently underexamined.
The OAIC's conclusion: The H1 2024 Notifiable Data Breaches Report stated directly: "The risk of outsourcing personal information handling to third parties continues to be a prevalent issue." In 2024, Australia recorded 1,113 data breaches — the highest annual total since the NDB scheme began in 2018, a 25% year-over-year increase.
What the law actually requires.
Australian organisations face overlapping third-party security obligations across five regulatory instruments. Many organisations treat these as separate compliance programmes — but they share a common underlying requirement: you are accountable for what happens to your data and systems regardless of which vendor is holding or touching them.
The common thread across all five instruments: accountability does not transfer when you outsource. The regulatory obligation, the notification duty, and the penalty exposure remain with the Australian organisation regardless of where in the supply chain the incident originated.
Where third-party risk programmes break down.
APRA's tripartite assessment findings, combined with Gartner, Ponemon/RiskRecon, and IBM research, consistently surface the same failure patterns. Most are not complex to fix — they require process discipline, not technology investment.
1. Over-reliance on questionnaires and self-assessments: Only 4% of organisations have high confidence that their third-party questionnaires match reality (RiskRecon/Ponemon 2024). APRA found entities "relied heavily on control self-assessments... and had not taken any steps to independently verify that information security controls were effective." 26% of respondents still use spreadsheets to manage third-party risks. A questionnaire tells you what a vendor believes about their own security — or wants you to believe. It tells you almost nothing about actual control effectiveness.
2. Annual point-in-time assessment for dynamic risk: With supply chain breaches taking 267 days to detect, annual assessments leave organisations blind for most of the year. Gartner reported third-party interruptions surged 45% year-over-year in 2024. Nearly 50% of companies do not even rank vendors by risk level. A vendor that was compliant in January can be compromised in February. Annual reviews create a false confidence interval between assessments.
3. No fourth-party (Nth-party) visibility: For each direct vendor, there are nearly 14 times more fourth and fifth parties beyond them (Cyentia Institute). CPS 230 explicitly requires service provider management policies covering fourth-party risks. ISO 27001 A.5.21 requires agreements to mandate suppliers propagate security requirements to their sub-contractors. Most organisations have accurate maps of their Tier 1 vendors and no visibility at all beyond them — which is exactly where MOVEit, SolarWinds, and Kaseya entered.
4. Inadequate or generic contractual provisions: Gartner 2024 identified "generic contracts with broad language that lacked specificity" as a primary failure mode. Commonly absent clauses: right-to-audit, specific incident response timeframes, data return or destruction at termination, encryption requirements, sub-processor notification, and patch management obligations. Without breach notification timelines contractually specified, the vendor controls timing while your regulatory clock runs. An NDA alone does not satisfy ISO 27001 A.5.20 — it addresses only confidentiality, not integrity or availability.
5. Poor offboarding and access revocation: Over 30% of organisations take more than three days to revoke all system access after a contractor engagement ends — some never fully complete the process (SecurEnds). Enterprises average 275 SaaS applications, making comprehensive account management extremely difficult. Orphaned contractor accounts are a primary attacker target precisely because they are active, legitimate, and unwatched.
6. Shadow IT and unsanctioned vendor relationships: 65% of all SaaS applications are unsanctioned and in use without IT approval. Gartner projects this will reach 75% by 2027. Shadow vendors bypass the TPRM process entirely — they never receive a questionnaire, never sign a security addendum, and never enter the vendor register. Shadow AI is an emerging frontier: 55% of knowledge workers tried generative AI tools without approval in Q3 2023 (Gartner), creating new data exposure risks at scale with no controls in place.
7. Treating certifications as sufficient without scoping review: SOC 2 and ISO 27001 certifications have specific, often limited scopes. A certificate confirms the audited scope was assessed at a point in time — it does not confirm all relevant controls were in scope, are currently effective, or cover the specific service you are using. 40% of the time, business sponsors move forward with vendors despite known cyber risks because of ineffective TPRM programmes (Gartner 2024). Certificate review without scope analysis is false assurance.
8. No coordinated incident response with vendors: Only 34% of organisations have confidence a third party would notify them of a breach (Ponemon/RiskRecon). IBM 2025 found supply chain breaches cost ~40% more to remediate than internal breaches. Without contractual notification timelines, tabletop exercises that include vendor scenarios, and tested escalation paths, organisations discover third-party incidents through media reporting — after APRA's 72-hour clock has already started running without their knowledge.
A working TPRM programme.
Vendor tiering by criticality and data sensitivity
The foundation of an effective programme is tiering — classifying vendors by the actual risk they represent, not treating all 286 of them the same. APRA CPS 234 Para 16 effectively mandates this by requiring assessment "commensurate with potential consequences." NIST CSF 2.0 GV.SC-04 explicitly requires knowing and prioritising suppliers by criticality.
| Tier | Profile | Assessment frequency | Monitoring | Examples |
|---|---|---|---|---|
| Tier 1 — Critical | Direct access to highly sensitive data or critical infrastructure | Quarterly reassessment | Continuous + real-time alerts | Core IT infrastructure, cloud providers, identity management |
| Tier 2 — High | Moderate data access or operational impact | Semi-annual | Continuous monitoring | HR systems, ERP, key SaaS platforms |
| Tier 3 — Medium | Limited data access, moderate business impact | Annual | Periodic monitoring | Marketing tools, collaboration software |
| Tier 4 — Low | No material access to sensitive data | Annual or biennial | Event-triggered only | Office supplies, low-integration SaaS |
Unknown access defaults to Tier 1. If you cannot accurately determine what access or data a vendor has, treat them as critical until you can. This conservative default prevents the common failure mode where an apparently low-risk vendor turns out to have access that was never formally scoped.
Contractual security requirements that actually protect you
The contract is your primary enforcement mechanism. Once an incident occurs, the contract determines whether you have notification rights, audit access, liability, and termination options — or nothing. Key clauses that must be present for Tier 1 and Tier 2 vendors:
- Breach notification within 24–48 hours of discovery — with scope, affected data, affected count, and remediation steps. This is your only defence against APRA's 72-hour clock running without your knowledge.
- Right-to-audit provisions — without this, you cannot independently verify any claim a vendor makes about their controls. Required under ISO 27001 A.5.20.
- Sub-processor notification and approval — any change to the vendor's own supply chain that could affect your data requires your prior approval.
- Data return and secure destruction at termination — specific timelines, specific standards, written confirmation required.
- MFA and access control requirements — particularly for any access to your systems, networks, or data.
- Cyber insurance minimum requirements — commensurate with the data or systems they can access.
- Termination for material security failures — without this clause, you may be contractually bound to a vendor you can no longer trust.
Moving beyond questionnaires to continuous monitoring
Security rating services, threat intelligence feeds, and external attack surface management tools provide dynamic, evidence-based views of vendor posture that questionnaires cannot. 88% of organisations now leverage security ratings as part of assessments (Whistic 2025). Trigger-based reviews — activated by vendor breaches, M&A activity, certification lapses, or financial deterioration — ensure assessment frequency matches actual risk change, not a calendar.
Board reporting on third-party risk
ASD's Cyber Security Priorities for Boards 2025–26 includes specific supply chain questions boards should be asking. 77% of boards now discuss material and financial implications of cyber incidents, up 25 points since 2022 (NACD 2025). Key metrics boards should receive: percentage of Tier 1/Tier 2 vendors with completed current assessments; open remediation items and aging by vendor; third-party incident count and trend; and concentration risk — how many critical operations rely on the same vendor or cloud provider.
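As an added illustration, not code from the original article or from Cliffside's own methodology, the following Python expresses three things described above as a small vendor register: the tiering rule from the table (with unscoped access defaulting to Tier 1), the per-tier reassessment cadence plus out-of-cycle trigger-based reviews, and the concentration-risk metric listed for board reporting. The vendor names, hosting providers, cadence day counts and trigger event names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Reassessment cadence per tier from the table above (quarterly, semi-annual,
# annual, biennial; Tier 4 uses the longer option). Plus out-of-cycle triggers.
REASSESS_DAYS = {1: 91, 2: 182, 3: 365, 4: 730}
TRIGGERS = {"vendor_breach", "cert_lapse", "m_and_a", "financial_deterioration"}
@dataclass
class Vendor:
    name: str
    data_access: Optional[str]       # "high", "moderate", "limited", "none"; None = unknown
    critical_infra: bool = False     # direct access to critical infrastructure
    high_ops_impact: bool = False    # material operational impact if the vendor fails
    last_assessed: Optional[date] = None
    hosted_on: Optional[str] = None  # underlying platform, used for concentration risk
    events: frozenset = frozenset()  # recent trigger events observed for this vendor

def assign_tier(v: Vendor) -> int:
    """Map a vendor to a tier using the profile column of the table above.
    Unknown access (data_access is None) defaults to Tier 1 until scoped."""
    if v.data_access is None or v.data_access == "high" or v.critical_infra:
        return 1
    if v.data_access == "moderate" or v.high_ops_impact:
        return 2
    return 3 if v.data_access == "limited" else 4

def review_due(v: Vendor, today: date) -> bool:
    """Due if never assessed, if the tier cadence has lapsed, or if a trigger fired."""
    if v.last_assessed is None or v.events & TRIGGERS:
        return True
    return today - v.last_assessed > timedelta(days=REASSESS_DAYS[assign_tier(v)])

def concentration(vendors, max_tier: int = 2) -> dict:
    """Board metric: how many Tier 1/2 vendors depend on each shared provider."""
    counts: dict = {}
    for v in vendors:
        if v.hosted_on and assign_tier(v) <= max_tier:
            counts[v.hosted_on] = counts.get(v.hosted_on, 0) + 1
    return counts
# Constructed sample register (hypothetical vendors, not real ones).
REGISTER = [
    Vendor("IdP SaaS", "high", last_assessed=date(2025, 1, 10), hosted_on="CloudA"),
    Vendor("Payroll", "moderate", last_assessed=date(2025, 6, 1), hosted_on="CloudA"),
    Vendor("Survey tool", "limited", last_assessed=date(2024, 8, 1), hosted_on="CloudB"),
    Vendor("Analytics vendor", None),                        # access never scoped -> Tier 1
    Vendor("Print shop", "none", last_assessed=date(2025, 5, 1), events=frozenset({"vendor_breach"})),
]
def due_today(today: date = date(2025, 9, 1)) -> list:
    """Names of vendors whose review is due on the given date, sorted."""
    return sorted(v.name for v in REGISTER if review_due(v, today))
```

Running `due_today()` flags the never-scoped vendor, the lapsed Tier 1 and Tier 3 vendors, and the Tier 4 vendor whose breach trigger fired, while `concentration(REGISTER)` shows two Tier 1/2 vendors sharing one provider.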
What A.5.19 through A.5.23 require.
ISO 27001:2022 dedicates five controls specifically to supplier security — A.5.19 through A.5.23 — with A.5.21 and A.5.23 being new in the 2022 revision. These controls are the most detailed framework treatment of third-party risk in any mainstream security standard, and they directly overlap with what APRA, the Privacy Act, and SOCI require.
What a Lighthouse Assessment delivers for third-party risk.
Third-party security risk sits across multiple assessment domains — APRA CPS 234 Para 16/20/21/22/28/32–34, CPS 230 material service provider requirements, ISO 27001 A.5.19–23, Privacy Act APP 8 and 11, and SOCI CIRMP supply chain obligations. Most organisations discover gaps in these areas only when an APRA reviewer or auditor finds them.
The Cliffside Lighthouse Assessment maps your current vendor security programme against each of these requirements, gives you a calibrated view of where you stand relative to the standard you will be measured against, and tells you — honestly — what is material and what can wait.
- Third-party asset inventory and tiering — APRA Para 16 and 20 alignment
- Contractual gap analysis against ISO 27001 A.5.20 requirements — right-to-audit, notification timelines, sub-processor provisions
- Assessment methodology review — are you relying on questionnaires alone, and is that consistent with Para 28 and APRA's current expectations?
- CPS 230 readiness — material service provider register, due diligence processes, APRA access provisions
- Incident notification protocol review — does your vendor breach notification process let APRA's 72-hour clock run without your knowledge?
- Shadow IT and unsanctioned vendor identification — what's in use that isn't in your register?
- Board reporting framework for third-party risk — does your board receive what APRA expects them to receive?
- Transferable report — yours to present to internal audit, your board, or APRA
APRA's tripartite findings are unambiguous: entities consistently underestimate their third-party exposure and overestimate their programme's effectiveness. If your third-party risk programme was designed before CPS 230 came into force in July 2025, it was built against a framework that no longer exists.