
Your Weakest Link Is a Vendor You Forgot About

The breach did not come through the front door. It came through the company that services the HVAC system. That is not a hypothetical I made up to scare you. It is roughly how attackers got into Target back in 2013: they used network credentials stolen from the retailer's HVAC contractor, and it is still how a lot of small businesses get hit today. Somebody you gave access to, and then forgot about, turned out to be the soft spot.

I bring this up because when I ask a new client to list the outside companies that can touch their systems or their data, the first list is always too short. They name the obvious ones. The IT provider, the payroll company. Then we keep talking, and the list doubles. The marketing agency with a login to the website. The bookkeeper who has remote access to the server. The old point-of-sale vendor whose support account nobody ever turned off. The contractor from two years ago who still, somehow, has a key.

Their security is now your security

Here is the uncomfortable part. When you give a vendor access to your systems, you inherit their security posture whether you like it or not. If their laptop gets infected, your network is one hop away. If their password leaks, your data is what the attacker finds on the other side of it. You can run a tight ship and still get sunk by a vendor who does not.

Small businesses assume this is a problem for big companies with formal vendor management programs. It is actually worse for small businesses, because you tend to give vendors broad, standing access (it is easier than fiddling with permissions), and because nobody owns the job of keeping track. Access gets handed out and never reclaimed.

The afternoon that fixes most of it

You do not need software for this. You need a spreadsheet and an honest hour. Write down every outside party that can reach your systems or your data. For each one, answer four questions:

  1. What exactly can they get to? Be specific. “The website” is different from “the server with customer records.”
  2. Do they still need it? You will find at least one account that should have been closed months ago. Close it today.
  3. Do they log in with their own named account and MFA, or a shared password everyone knows? Fix the shared ones.
  4. If they got breached tomorrow, what would it cost you? That tells you which relationships deserve a real conversation.

That list, kept current, puts you ahead of most companies many times your size. The point is not to be paranoid about your vendors. Most of them are fine, and you need them to run your business. The point is to know who holds a key to your building, so that when one of them has a bad day, it does not quietly become your bad day.
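If the spreadsheet already lives as a CSV, the four questions can be run over it mechanically so nothing gets skipped. The script below is an added example, not something from this article: the column names, the 90-day "gone quiet" threshold and the impact tiers are my assumptions, and the register rows are constructed sample data rather than any real client's list. It flags what to close, what to convert from shared to named logins, what needs MFA, and sorts the result so the high-impact relationships come first.

```python
"""Triage a vendor-access register against the four questions.

Added example, not from the article. Column names, the 90-day staleness
window and the impact tiers are assumptions; the CSV rows are constructed
sample data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register: one row per outside party per system they can reach.
REGISTER_CSV = """\
vendor,system,account_type,mfa,last_login,still_needed,impact
IT provider,domain controller,named,yes,2024-05-28,yes,high
Payroll company,payroll portal,named,yes,2024-05-30,yes,high
Marketing agency,public website,shared,no,2024-05-20,yes,low
Bookkeeper,file server with customer records,named,no,2024-04-02,yes,high
Old POS vendor,point-of-sale server,shared,no,2023-09-14,no,high
Former contractor,VPN,named,no,2022-11-01,no,medium
"""

AS_OF = date(2024, 6, 1)             # the day the review is done (assumed)
STALE_AFTER = timedelta(days=90)     # assumed: no login in 90 days means "ask why"
IMPACT_RANK = {"high": 0, "medium": 1, "low": 2}


def triage(register_csv, today):
    """Return one finding per register row, highest impact (and most work) first.

    The actions map onto the four questions: question 1 is the 'system' column
    itself, question 2 drives 'close account' and the staleness check, question 3
    drives the shared-login and MFA actions, question 4 drives the ordering.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        actions = []
        last_login = date.fromisoformat(row["last_login"])
        idle = (today - last_login).days

        if row["still_needed"].strip().lower() != "yes":
            actions.append("close account")                     # question 2
        elif today - last_login > STALE_AFTER:
            actions.append(f"confirm still needed: no login for {idle} days")

        if row["account_type"].strip().lower() == "shared":
            actions.append("replace shared login with named accounts")  # question 3
        if row["mfa"].strip().lower() != "yes":
            actions.append("require MFA")                       # question 3

        findings.append({
            "vendor": row["vendor"],
            "system": row["system"],
            "impact": row["impact"].strip().lower(),
            "actions": actions,
        })

    # Question 4: highest impact first; within a tier, the rows needing the most fixes first.
    findings.sort(key=lambda f: (IMPACT_RANK.get(f["impact"], 99), -len(f["actions"])))
    return findings


def closures_due(findings):
    """The 'old doors': vendors whose access should be revoked today."""
    return [f["vendor"] for f in findings if "close account" in f["actions"]]


if __name__ == "__main__":
    for f in triage(REGISTER_CSV, AS_OF):
        status = "; ".join(f["actions"]) or "ok"
        print(f"[{f['impact']:>6}] {f['vendor']} -> {f['system']}: {status}")
    print("close today:", ", ".join(closures_due(triage(REGISTER_CSV, AS_OF))))
```

The one design choice worth noting: a row that is no longer needed gets "close account" and nothing about staleness, because there is no point querying an account you are about to delete. A row that is still needed but has gone quiet is not closed automatically; it is queued for the "do they still need it?" conversation, since a vendor who logs in twice a year may be doing exactly what you pay them for.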

Put it in the contract, gently

For the vendors who touch the data that matters most, it is reasonable to ask for a little in writing. That they use MFA. That they tell you within a few days if they get breached. That access can be revoked when the work is done. Reputable vendors will sign this without blinking, because they already do these things. The ones who push back hard have just told you something useful about how they operate.

Go make the list. The scariest part is usually how long it turns out to be, and the most satisfying part is how many old doors you get to close in a single afternoon.
