
The Question Your Vendor’s Security Audit Can’t Answer

In a single year, the share of data breaches involving a third-party vendor doubled, from 15 to 30 percent.

That figure comes from Verizon’s analysis of more than 12,000 confirmed breaches in 2025, and at first reading it looks like a failure of vendor security. The truth is closer to the exact opposite.

When your front door holds, the attacker turns to a side door you had stopped treating as yours.

That door is rarely a system. It is a person: someone on the vendor’s staff, vetted as a company but never as an individual.

And no vendor questionnaire in the world accounts for that.

 

Where the chain breaks

A vendor breach follows a pattern, and the pattern is human.

In April 2025, the attackers who hit Marks & Spencer could not breach the retailer directly, so they went around it. Posing as M&S staff, they convinced a third-party help desk to reset a password, then used the credentials to walk into M&S’s systems. The intrusion brought months of disruption, and a profit hit later estimated at around £300 million.

No firewall failed. No certificate lapsed. The chain ran from a phone call to a password reset, and then to everyone downstream. Not one link in it was a machine.

 

The relief that keeps it broken

Here is the uncomfortable part, and it also has nothing to do with technology.

When a breach traces back to a supplier, something in us quietly relaxes. It wasn’t our team. It wasn’t our mistake. The blame slides somewhere down the contract and the pressure lifts.

Few people will admit to the relief, but most of us have felt it. That quiet exhale is exactly what keeps the problem alive.

If the fault was theirs, we have nothing to fix: we file the incident and move on.

The relief is the trap. It turns a hole in your own defenses into someone else’s paperwork.

However, that resignation is misplaced. There was something to be done, and there still is.

What the form never asks

The answer begins with what the form leaves out.

Every vendor assessment measures posture: the firewall, the certification, the data encrypted at rest. Posture is what a company has, and it fits neatly on a page, which is precisely why it reassures us.

But attackers do not test what a vendor has. They test what its people do when a convincing stranger applies pressure. That is capability, and no certificate predicts it.

So, you must test that too.

Put to the vendors who hold real access a question almost nobody puts to them: “If someone calls your help desk tomorrow claiming to be us and asks to reset an account, what stops them?”

It is a small question, yet the answers reveal more than any form does.

Some will have a clear, practiced answer, and you can relax.

Some will know they ought to have one and reach for it without quite landing it, which is workable.

And some will have nothing at all. Treat that silence as you would a failed penetration test: not a catastrophe, but a finding, caught while it is still cheap to fix.

Either way, you end the conversation knowing something you did not know before, which is the first step back into control.

 

Permission to call back

Wherever the answer comes up short, the remedy is the same, and it works the way the problem does.

You cannot train another company’s staff, and you have no business trying. What you can do is build them an exit.

Agree, in writing, on a second, secure channel: any sensitive request must be confirmed on a number both sides already hold, before anyone acts.

It costs five seconds and a single sentence: “Let me check something and call you back.” That sentence is not suspicion. It is permission, granted in calm conditions, to refuse a stranger without having to be brave in the moment.

The channel is incidental. A phone call, an email, a message from a name the recipient knows: each deserves the same reflex, a request confirmed through a route the sender does not control.

Give the people at your vendors that permission, on every channel, and the method of approach stops mattering.

The attacker owns the call. The callback belongs to you.

Make it routine and the attacker goes looking elsewhere. Protect your vendor’s people as carefully as you protect your own, and you will finally shut the door you kept mistaking for someone else’s.

 

This article was written by Cywareness, a company specializing in cybersecurity awareness.

As part of its mission, Cywareness continues to monitor emerging trends, analyze real-world attacks, and share practical insights to help organizations stay ahead in today’s evolving threat landscape.