
Vendor Security: How to Vet Third-Party Tools and Services

AlignTrust Blog

Your security posture isn't just determined by the controls you apply to your own systems — it's determined by the weakest link across all the tools, services, and people you've given access to your data and infrastructure. In a modern business running on dozens of SaaS products and working with external contractors, that's a significant extension of your attack surface.

Third-party risk management sounds like enterprise terminology, but the underlying problem is universal. Small businesses are breached through their vendors. Customer data is exposed through a poorly secured integration. Contractor credentials become the entry point for attackers. A security review process doesn't need to be elaborate to be effective — but it does need to exist.

The Third-Party Risk Problem

Every time you connect a new SaaS tool to your existing systems, you extend trust to that tool's security practices. Every time a contractor accesses your systems, you extend trust to their device security, credential management, and awareness of threats. Every time a vendor stores or processes your data on your behalf, you extend trust to their data protection controls.

That trust is not always warranted. Vendors get breached. Contractors have weak passwords and no MFA. SaaS tools get abandoned and stop receiving security updates. Integrations that were set up for a specific project linger with access long after the project ends.

The 2020 SolarWinds breach is the most famous example of third-party risk at scale — a trusted software vendor became the vector for attacks affecting thousands of organisations. But third-party incidents affecting small businesses are far more common and far less newsworthy: a bookkeeping tool that suffers a data breach and exposes your financial records; a contractor whose laptop is compromised and becomes the entry point to your systems; a SaaS vendor who closes down but whose staff still have access to historical data.

What Can Go Wrong

To understand what you're reviewing for, it helps to think about the categories of harm:

Data exposure. A vendor stores your customer data or business information and suffers a breach, misconfigures their storage, or fails to properly delete data after termination.

Access abuse. A contractor or vendor has ongoing access to your systems and either misuses it deliberately or has their own credentials compromised by an attacker.

Supply chain attacks. Software or services you use are compromised by attackers at the vendor level, who then use that position to attack their customers — including you.

Service availability. A vendor you depend on suffers an outage, a ransomware attack, or simply shuts down, taking with them data or functionality your business depends on.

Compliance violations. A vendor who processes personal data on your behalf fails to meet data protection requirements, creating regulatory liability for you even though the vendor was at fault.

Building a Vendor Review Process

A vendor review process doesn't need to be a bureaucratic ordeal. The goal is to make security a consistent part of vendor selection and onboarding, not an afterthought.

Define what triggers a review. At minimum, any vendor or contractor who will access your systems, store your data, or process sensitive information should go through a review. That includes new SaaS tools, new contractors, and new integrations.

Define the depth of review based on risk. A low-risk tool that handles non-sensitive, non-personal data doesn't need the same scrutiny as a vendor who will have access to customer records or financial data. A tiered approach — light-touch for low-risk vendors, full review for high-risk ones — is more sustainable than applying the same rigour to everything.

Create a simple intake form. A short questionnaire that asks vendors about their security practices, data handling, certifications, and incident history creates a consistent record and signals that security is part of your vendor relationship.

What to Look for in a Security Review

For vendors handling sensitive or regulated data, the key questions are:

Do they have relevant security certifications? ISO 27001, SOC 2 Type II, and Cyber Essentials Plus are the most commonly cited. These are not guarantees of good security, but they indicate that the vendor has invested in independent assessment of their practices. Ask for the certificate or the audit report, not just a checkbox on a webpage.

Do they have a published security policy or information security documentation? Reputable vendors make this available on their website or on request. If a vendor can't articulate their security practices, that's a red flag.

Have they suffered any material security incidents in the past? Ask directly. Vendors should be transparent about incidents that affected customer data. Check public sources as well — press coverage, regulatory enforcement actions.

How do they handle data at the end of the relationship? Confirm that data will be returned or deleted promptly upon termination. Get this in writing.

What are their sub-processor arrangements? Vendors often use their own third-party services. Under GDPR, you have rights over data that your vendor shares with their sub-processors. A reputable vendor will have a published sub-processor list.

What is their patching and vulnerability management practice? How quickly do they address known vulnerabilities? Do they have a responsible disclosure or bug bounty programme?

Contractual Protections

Security reviews are only part of the picture. The relationship needs to be backed by contractual terms that protect your interests.

Key clauses to include or verify:

Data processing agreements. Under GDPR, these are mandatory for any vendor processing personal data on your behalf. They specify the purpose, scope, and nature of processing, and establish the vendor's obligations as a data processor.

Breach notification obligations. Require that the vendor notifies you promptly — within 24 to 72 hours — if they suffer a breach that may affect your data. This gives you time to meet your own regulatory notification obligations.

Right to audit. For high-risk vendors, reserve the right to conduct security audits or require audit reports at defined intervals.

Data deletion upon termination. Specify that data must be deleted and that deletion must be confirmed in writing within a defined period after the relationship ends.

Liability and indemnification. In the event of a vendor-caused breach, understand your ability to recover losses. Many standard vendor contracts heavily limit liability — negotiating improved terms on this front is worthwhile for high-risk relationships.

Ongoing Vendor Monitoring

A one-time review at onboarding is not sufficient. Vendor relationships evolve, and so does vendor security.

Conduct an annual review of your highest-risk vendors. Ask whether anything has materially changed — have they suffered incidents, changed their security certifications, been acquired, or changed their data sub-processors?

Monitor for public news about vendor security incidents. A simple Google Alert on your most critical vendors' names combined with terms like "breach" or "security" provides low-effort early warning.

Review access at least annually. For each vendor and contractor, confirm that the level of access they have is still appropriate and that stale access from completed projects has been revoked.

When a vendor relationship ends, treat offboarding with the same rigour as staff offboarding: revoke access, confirm data deletion, and update your vendor register.
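The review triggers and risk tiers from "Building a Vendor Review Process", together with the annual review and access-review checks above, can be kept in a small vendor register and checked mechanically. The following is an added example, not code from the original post or from AlignTrust; the vendor records are constructed sample data, and the field names, tier thresholds and 365-day review cadence are assumptions chosen for illustration.

```python
"""Vendor register with risk tiering and periodic review checks.

Added example, not part of the original post. All vendor records are
constructed sample data; the field names, tiers and the 365-day cadence
are assumptions, not a standard or any product's schema.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed cadence: high-risk vendors are re-reviewed at least annually.
ANNUAL_REVIEW = timedelta(days=365)


@dataclass
class Vendor:
    name: str
    accesses_systems: bool              # holds credentials or an integration into our systems
    stores_data: bool                   # holds our data on our behalf
    personal_data: bool                 # processes personal data (a GDPR processor)
    sensitive_data: bool                # customer records, financial data and similar
    dpa_signed: bool = False            # data processing agreement in place
    last_review: Optional[date] = None  # date of the last security review, if any
    access_active: bool = False         # still has live access to our systems
    project_end: Optional[date] = None  # when the engagement ended, if it has
    certifications: List[str] = field(default_factory=list)


def needs_review(v: Vendor) -> bool:
    """Trigger rule: anyone who accesses systems, stores data or
    processes personal or sensitive information gets a review."""
    return v.accesses_systems or v.stores_data or v.personal_data or v.sensitive_data


def review_tier(v: Vendor) -> str:
    """Tiered depth: 'none', 'light' or 'full'. The boundary (personal or
    sensitive data means a full review) is an assumption for this example."""
    if not needs_review(v):
        return "none"
    if v.personal_data or v.sensitive_data:
        return "full"
    return "light"


def findings(v: Vendor, today: date) -> List[str]:
    """Return the checks this vendor currently fails, in a fixed order."""
    out: List[str] = []
    tier = review_tier(v)
    if tier != "none" and v.last_review is None:
        out.append("never reviewed")
    elif tier == "full" and v.last_review is not None and today - v.last_review > ANNUAL_REVIEW:
        out.append("annual review overdue")
    if v.personal_data and not v.dpa_signed:
        out.append("no data processing agreement")
    if v.access_active and v.project_end is not None and v.project_end < today:
        out.append("stale access after project end")
    return out


def register_report(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Map each vendor with at least one finding to its list of findings."""
    report = {}
    for v in vendors:
        f = findings(v, today)
        if f:
            report[v.name] = f
    return report


# Constructed sample register (names and dates are invented).
SAMPLE_REGISTER = [
    Vendor("payroll-saas", accesses_systems=False, stores_data=True, personal_data=True,
           sensitive_data=True, dpa_signed=True, last_review=date(2023, 1, 15),
           certifications=["ISO 27001"]),
    Vendor("design-contractor", accesses_systems=True, stores_data=False, personal_data=False,
           sensitive_data=False, last_review=date(2024, 2, 1), access_active=True,
           project_end=date(2024, 3, 31)),
    Vendor("newsletter-tool", accesses_systems=False, stores_data=True, personal_data=True,
           sensitive_data=False, dpa_signed=False),
    Vendor("public-status-page", accesses_systems=False, stores_data=False,
           personal_data=False, sensitive_data=False),
]

if __name__ == "__main__":
    for name, issues in register_report(SAMPLE_REGISTER, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(issues)}")
```

Run against the sample register on 1 June 2024, the report flags the payroll vendor for an overdue annual review, the contractor for access that outlived the project, and the newsletter tool for never having been reviewed and having no data processing agreement, while the status page needs nothing. The useful design choice is that the trigger and tier rules are explicit functions, so a change in policy is a one-line edit rather than a re-reading of every record.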

Conclusion

Third-party risk is not a problem you can solve once. It's an ongoing aspect of how your business operates. But with a lightweight, consistent process — a short review at onboarding, appropriate contractual protections, and an annual check on your most critical relationships — you can significantly reduce the risk that a vendor or contractor becomes the weakest link in your security posture.

The businesses that get caught out by third-party risks are usually the ones that never stopped to ask the questions. The process of asking the right questions, consistently, is most of the work.