Firms Eye Vendor Vulnerabilities as Enterprise Cybersecurity Risks Surge

Third-party risk is escalating sharply, with data breaches involving vendors and service providers doubling last year from 15% to 30%. This sharp increase highlights the growing vulnerability of interconnected business ecosystems. Traditional security assessments are no longer sufficient; organizations are increasingly adopting continuous cyber risk monitoring powered by AI and machine learning to detect threats in real time and minimize breach impact.

AI plays a dual role in cybersecurity, serving both as a powerful defense tool for real-time threat detection and as a potential weapon in the hands of attackers, underscoring the need for secure-by-design systems and zero-trust architectures. In today's age of hyperconnectivity, what happens to your enterprise partners will eventually happen to you.

The tech sector thrives on rapid innovation, agile partnerships and application programming interface (API)-driven interconnectivity, an ethos that has evolved across other industries. However, this very dynamism has created an attack surface far broader than traditional organizations are used to covering. As evidenced by the recent data breach involving a customer service provider reported at Adidas, the weakest links in the digital chain are often not the companies themselves, but the shadow networks of service providers and infrastructure enablers surrounding them.

According to the Verizon 2025 Data Breach Investigations Report, credential theft and ransomware attacks are surging in frequency and sophistication. In 2023, just 15% of data breaches involved third parties such as vendors, service providers and platforms that handle customer or operational data. Fast forward to last year, and the share of data breaches involving third parties has doubled to 30%, nearly one in three.

The interdependence between businesses and their third-party providers is a practical vulnerability that can inform decisions around buying, building or partnering in security-critical sectors such as financial services and payments. "In 2021, there were 400 data breach lawsuits filed," Philip Yannella, co-chair of the privacy, security and data protection practice at Blank Rome and the author of 'Cyber Litigation: Data Breach, Data Privacy & Digital Rights,' 2025 edition, told PYMNTS. "Last year, there were over 2,000."

"Data breaches are always the biggest danger, particularly for financial institutions... We're going to go through a period where we see more breaches — potentially more expensive breaches — until companies can get their arms around how to deal with them," Yannella added. "If you're a bank, you've got to worry quite a bit about your vendors."

As the Verizon report noted, while humans are still involved in roughly 60% of breaches, whether through phishing, misconfigurations or leaked credentials, the source of those human lapses is often outside the perimeter of the affected organization. Against this backdrop, security is increasingly becoming a non-negotiable part of vendor evaluations, just like financial stability or service-level agreements.

Even so, traditional vendor assessments such as questionnaires, SOC 2 reports and annual audits can prove insufficient in today's fluid risk environment. Increasingly, FinTechs and banks are shifting toward continuous cyber risk monitoring. This approach commonly uses machine learning models and artificial intelligence (AI) trained on petabytes of telemetry data to flag suspicious activity, such as abnormal login patterns or unsanctioned data access, within seconds.

The goal: shrink dwell time and cut off lateral movement inside sensitive systems. While the architecture of modern business may demand a new kind of openness, the architecture of modern security must still evolve to meet it. Modern cyber audits are evolving to become continuous, data-driven processes rather than episodic reviews.

Platforms now ingest structured and unstructured data from across the enterprise — such as server logs, access records and transaction metadata — and use them to detect emerging threats. Emerging technologies such as zero-trust architecture, confidential computing and AI explainability frameworks are helping companies bake security into their systems from day one.

In this context, AI has emerged as both shield and sword in the battle for digital trust. From autonomous drones to AI-powered hacking tools, the militarization and criminal use of AI are expanding the landscape of digital threats. At the same time, AI-powered tools can monitor networks in real time, detect anomalies and respond to threats faster than any human could.

For modern enterprises, the next data breach may come through a door they didn’t even know existed. The question isn’t whether third-party risk is real. It’s whether organizations are ready to face it head-on.