Your IT Vendors Have Keys to Your Business. Who’s Checking?

Your firewall is configured. Your passwords are strong. Your antivirus is up to date. You feel good about your security posture.

But your managed print vendor has remote access to three machines on your network. Your accounting software company can log into your server for support tickets. Your old IT provider — the one you stopped using eight months ago — still has credentials in your system.

You locked your front door. But you never checked who else has a key.

The Third-Party Access Problem Nobody Talks About

Two of the most consequential enterprise cyberattacks in recent memory, SolarWinds in 2020 and Kaseya in 2021, did not start with a phishing email to an employee. In the SolarWinds case, attackers tampered with the vendor's own build process so that a signed, legitimate-looking Orion update carried a backdoor. In the Kaseya case, attackers exploited a vulnerability in the Kaseya VSA remote management product to push ransomware through managed service providers to their customers. In both cases, thousands of organizations were exposed because a tool they trusted, with access they had approved, was turned against them.

This is the supply chain attack problem. And it is not just for Fortune 500 companies.

Your small business likely has vendors with some level of access to your systems right now. Remote monitoring tools. Cloud accounting platforms. Outsourced IT support. Payroll processors. Backup software that phones home to a vendor server. Every one of these connections is a door — and you need to know exactly who holds the key.

How Vendor Breaches Actually Happen

There are a few common patterns that show up in incident reports again and again:

  • Compromised vendor credentials: An attacker gets into your vendor’s systems, then uses their legitimate access to hop into your network. Your logs show a login from a trusted source. Nothing looks wrong until it is too late.
  • Malicious software updates: Vendor software pushes an update that contains malware. You auto-approved updates, as almost everyone does, and the attacker counts on it. The answer is not to stop patching: it is to prefer vendors who sign their releases and can explain how they protect their build pipeline, and to stage updates on a few machines before rolling them out everywhere.
  • Overprivileged access: Your vendor was given admin rights for a one-time project three years ago and those rights were never reduced. That access still exists and still carries full permissions.
  • Departed vendor employees: The technician who had access to your systems left their company. Their account was never deactivated. Anyone who gets those credentials — an attacker or a disgruntled former employee — can still use them against you.
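One concrete way to catch the first pattern above, the login that comes from a trusted vendor account but not from the vendor: compare every successful vendor login against what the relationship says should be possible (a declared source network, an open support ticket, a relationship that is still active). The script below is an added example, not code from the original post or from any product; the log line format, the account names, the IP ranges and the session windows are all constructed for the illustration, and the parser would need adapting to whatever your VPN, RDP gateway or remote-support tool actually logs.

```python
"""Flag vendor-account logins that do not line up with an approved support session.

Added illustration, not code from the original post. The log line format, the
account names, the IP ranges and the session windows below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

UTC = timezone.utc


@dataclass
class VendorAccount:
    vendor: str
    source_nets: list                              # networks the vendor told you it connects from
    sessions: list = field(default_factory=list)   # (start, end) of approved support tickets
    active: bool = True                            # False once the relationship has ended


def parse_line(line):
    """Parse the constructed format: '<ISO timestamp> <RESULT> user=<name> src=<ip>'."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ipaddress.ip_address(src.split("=", 1)[1]))


def check_login(ts, user, src, accounts):
    """Return the reasons a successful login looks wrong; an empty list means it fits policy."""
    acct = accounts.get(user)
    if acct is None:
        return []                                  # not a vendor account; out of scope here
    reasons = []
    if not acct.active:
        reasons.append("relationship ended but account still usable")
    if not any(src in net for net in acct.source_nets):
        reasons.append(f"source {src} outside declared vendor ranges")
    if not any(start <= ts <= end for start, end in acct.sessions):
        reasons.append("no approved support session covers this time")
    return reasons


def audit(log_lines, accounts):
    """Run check_login over every successful login; failed attempts are noise for this check."""
    findings = []
    for line in log_lines:
        ts, result, user, src = parse_line(line)
        if result != "SUCCESS":
            continue
        reasons = check_login(ts, user, src, accounts)
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings


# Constructed registry: what each vendor relationship says should be possible.
ACCOUNTS = {
    "svc-printco": VendorAccount(
        vendor="PrintCo",
        source_nets=[ipaddress.ip_network("203.0.113.0/24")],
        sessions=[(datetime(2024, 5, 6, 9, 0, tzinfo=UTC),
                   datetime(2024, 5, 6, 12, 0, tzinfo=UTC))]),
    "svc-olditprov": VendorAccount(
        vendor="Old IT Provider",
        source_nets=[ipaddress.ip_network("198.51.100.0/24")],
        active=False),                             # contract ended, account never disabled
}

# Constructed log lines in the format parse_line expects.
SAMPLE_LOG = [
    "2024-05-06T10:15:00+00:00 SUCCESS user=svc-printco src=203.0.113.7",    # inside the ticket window
    "2024-05-07T02:40:00+00:00 SUCCESS user=svc-printco src=203.0.113.7",    # right vendor IP, no ticket open
    "2024-05-07T03:05:00+00:00 SUCCESS user=svc-olditprov src=192.0.2.44",   # ended relationship, unknown source
    "2024-05-07T03:06:00+00:00 FAILURE user=svc-olditprov src=192.0.2.44",
    "2024-05-07T08:00:00+00:00 SUCCESS user=alice src=10.0.0.5",             # staff login, not a vendor account
]

if __name__ == "__main__":
    for when, user, reasons in audit(SAMPLE_LOG, ACCOUNTS):
        print(when, user, "; ".join(reasons))
```

The second and third log lines are the ones that matter: the PrintCo login comes from the right network but with no ticket open, and the old provider's login should not be possible at all. Neither would stand out in a plain login report, because both are successful logins by accounts you created on purpose.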

The Questions You Should Be Asking Every Vendor

Not every vendor will have perfect answers, but asking these questions puts them on notice that you take security seriously — and gives you real data to make decisions.

Access and Permissions

  • What systems do you need access to, and why specifically?
  • Is that access persistent, or only required during active support sessions?
  • Do your technicians use multi-factor authentication on the accounts they use to reach our systems?
  • What is your process when one of your employees leaves the company?

Security Posture

  • Do you carry cyber liability insurance?
  • Have you experienced a security incident in the last 24 months, and what happened?
  • Do you conduct penetration testing or third-party security audits?
  • Are your employees trained on phishing and social engineering?

Contractual Protections

  • Is there a data processing agreement in place between our companies?
  • What is your breach notification timeline?
  • What data of ours do you store, and where is it hosted?

If a vendor gets flustered, defensive, or suspiciously vague at these questions — that is information too. A vendor who cannot answer basic security questions about their own practices is a vendor who is not taking your risk seriously.

The Principle of Least Privilege — For Vendors Too

Least privilege is a foundational security concept: give every person and system only the minimum access needed to do their specific job, nothing more, and nothing left in place longer than the job requires.

Your print vendor does not need access to your file server. Your payroll processor does not need admin rights on your workstations. Your IT support vendor should be using a privileged access management tool that logs every session, every action, every command — with access granted per-session on request, not left permanently open in the background.

Implementing least privilege for vendors is one of the highest-ROI security improvements a small business can make. It dramatically shrinks your attack surface, and much of it costs nothing but time: removing standing admin rights, scoping a vendor to the one system it actually supports, and disabling accounts nobody uses need no new software at all.

Build Your Vendor Access Registry This Week

If you do not have one already, create a simple spreadsheet today. List every vendor that has any access to your systems, networks, or data. For each one, record:

  • What access they have and at what permission level
  • When that access was last reviewed and by whom
  • The primary contact for security-related questions
  • Whether a contract or data processing agreement is on file

Review it every quarter. When a vendor relationship ends, revoke access on the same day — not next week, not when you remember. The same day the relationship ends. This is one of the simplest, most effective security controls that most small businesses completely overlook.
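A spreadsheet is enough, but the quarterly review is easier to keep honest if the checks are written down and run the same way every time. The script below is an added example, not material from the original post: it reads a registry kept as CSV and flags entries whose last review is older than a quarter, that lack a data processing agreement or a security contact, whose relationship has ended without access being recorded as revoked, and that carry standing admin rights worth re-justifying. The column names, the vendors and every value in the sample registry are constructed for the illustration; keep whatever columns your own sheet uses and adjust the field names.

```python
"""Quarterly check of a vendor access registry kept as a CSV.

Added illustration, not code from the original post. The column names, the
vendors and every value in REGISTRY_CSV are constructed for the example.
"""
import csv
import io
from datetime import date

REGISTRY_CSV = """\
vendor,systems,permission_level,last_reviewed,reviewed_by,security_contact,dpa_on_file,relationship_ended,access_revoked
PrintCo,print-server-01;3 workstations,local admin,2024-04-15,J. Owner,security@printco.example,yes,,
AcctSoft,APP-SRV-01,domain admin,2023-09-01,J. Owner,support@acctsoft.example,yes,,
PayrollPlus,payroll SaaS export,read-only,2024-03-20,J. Owner,,no,,
Old IT Provider,all servers;firewall,domain admin,2023-06-01,J. Owner,,yes,2023-09-30,no
"""

# Issue codes, listed in the order the checks run.
REVIEW_OVERDUE = "review_overdue"
NO_DPA = "no_dpa"
NO_SECURITY_CONTACT = "no_security_contact"
ENDED_NOT_REVOKED = "ended_not_revoked"
STANDING_ADMIN = "standing_admin"


def _yes(value):
    return (value or "").strip().lower() == "yes"


def registry_findings(csv_text, today_iso, max_review_age_days=90):
    """Return {vendor: [issue codes]} for every row that needs attention.

    today_iso is an ISO date string; max_review_age_days=90 encodes the
    quarterly cadence. A row whose relationship has ended stays flagged until
    access_revoked is recorded as yes.
    """
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        age = (today - date.fromisoformat(row["last_reviewed"])).days
        if age > max_review_age_days:
            issues.append(REVIEW_OVERDUE)
        if not _yes(row["dpa_on_file"]):
            issues.append(NO_DPA)
        if not (row["security_contact"] or "").strip():
            issues.append(NO_SECURITY_CONTACT)
        if (row["relationship_ended"] or "").strip() and not _yes(row["access_revoked"]):
            issues.append(ENDED_NOT_REVOKED)
        if "admin" in row["permission_level"].lower():
            # Standing admin rights are not wrong by themselves, but each quarter
            # someone should confirm they are still needed and session-scoped.
            issues.append(STANDING_ADMIN)
        if issues:
            findings[row["vendor"]] = issues
    return findings


if __name__ == "__main__":
    for vendor, issues in registry_findings(REGISTRY_CSV, date.today().isoformat()).items():
        print(f"{vendor}: {', '.join(issues)}")
```

Run against the sample registry on 2024-05-06, the old IT provider row trips four checks at once, which is exactly the eight-months-gone vendor from the opening of this post. The "standing admin" flag fires on every admin-level row by design: it is a prompt to re-justify the access, not a verdict.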

What a Good MSP Does Differently

An MSP that actually takes security seriously will proactively manage third-party access on your behalf. That means maintaining your vendor registry, enforcing least privilege across all integrations, requiring MFA for every vendor session, and running monitoring tools that flag unusual activity originating from vendor accounts.

It also means being honest when a vendor they might prefer to work with does not meet your security requirements — even if it makes their job harder. Your security comes first.

At YourTech, vendor and third-party risk management is built into how we operate from day one. We do not hand out access and walk away. We treat every connection to your network like a door — and we track every key, every session, every change.

Want to know who currently has access to your business systems? Contact us for a vendor access audit. You might be surprised — and very relieved — by what we find.