In early January 2026, some Ledger customers were notified that personal and order information related to Ledger.com purchases had been accessed during a security incident involving Global-e, a third-party e-commerce partner that acts as the "merchant of record" for certain orders. Ledger stressed that its own hardware and software systems were not breached. However, the exposed purchase data was enough to spark a familiar second act: highly targeted phishing attempts that appear legitimate because they reference real-world details.
Research analyzing 4,700 leading websites reveals that 64% of third-party applications now access sensitive data without business justification, up from 51% in 2024. Government sector malicious activity spiked from 2% to 12.9%, while 1 in 7 Education sites show active compromise. Specific offenders: Google Tag Manager (8% of violations), Shopify (5%), Facebook Pixel (4%).
Enterprise IT execs know well the dangers of over-reliance on third parties, the need to keep a human in the loop for automated decision systems, and the risks of telling customers too much or too little when policy violations require an account shutdown. But a saga that played out Tuesday between Anthropic and the CEO of a Swiss cybersecurity company brings it all into a new and disturbing context.
When Fortra disclosed CVE-2025-10035 in GoAnywhere MFT, security teams would have experienced a familiar sinking feeling. Another critical vulnerability. Another emergency patch cycle. Another race against ransomware operators. Yet, this latest maximum-severity flaw revealed something more troubling than a single vendor's coding error. It exposed the fundamental fragility of how organizations handle their most sensitive data transfers. Unfortunately, the numbers don't lie. According to our research, Managed File Transfer (MFT) platforms carry a sky-high risk score (4.72), outpacing nearly every other data transfer technology.
One of the brutal truths about enterprise disaster recovery (DR) strategies is that there is virtually no reliable way to truly test them. Sure, companies can test the mechanics - but until disaster strikes, the recovery plan is activated, and 300,000 workers and millions of customers start interacting with it, all bets are off.
The Log4j vulnerability in 2021 served as a wake-up call for how vulnerable today's supply chains are. Four years later, this remains apparent amid the recent incident at F5, which has impacted a number of businesses globally. These types of attacks continue to expose the increasingly sophisticated cyber threats that arise from an ever more complex landscape. Third-party ecosystems are now one of the most profitable attack avenues: when one supplier is compromised, the effects can quickly ripple through entire industries. Every partner is then exposed to fallout such as revenue loss, reputational damage and operational disruption.
You can't outsource accountability, but many organizations are doing just that, often without even realizing it. This is especially the case when it comes to data. As businesses rely more heavily on third-party suppliers to store, move, and manage their data, the risk of something going wrong multiplies, whether that is a compliance failure, an inability to restore lost data, or exposure to cyber attack.
The report found that 68% of security leaders are concerned about the risks of third-party software tools and components introduced across their tech stacks. Seventy-three percent reported receiving at least one notification of a software supply chain vulnerability or incident in the past year. According to the report, 60% believe attackers are evolving too quickly to maintain a truly resilient security posture and 46% are uneasy about AI-driven features and large language models.
"We are aware that some e-commerce customers have been directly contacted by someone purporting to have taken some personal data from one of our third-party providers' systems," a Harrods spokesperson told Computer Weekly. "We have notified all relevant authorities, including the National Cyber Security Centre and the Metropolitan Police Cyber Crime unit, and they are actively investigating. Negotiating with cyber criminals does not result in any guarantees as to what they may do with the information they have accessed," the spokesperson said.
Cloud platforms, outsourced IT, and digital trading systems power day-to-day operations - but they also introduce serious risks. Cyberattacks, system failures, and supplier disruptions can trigger regulatory breaches, financial losses, and reputational damage. To strengthen the resilience of Europe's financial system, the EU introduced the Digital Operational Resilience Act (DORA), often called the DORA Directive. Although the UK is no longer part of the EU, DORA still applies to many UK firms.
More than 19,300 individuals are employed at Workplace across North America, EMEA and APJ. The client list contains more than 11,000 companies across a range of sectors, including almost two-thirds of the Fortune 500 companies. According to the organization's post on the incident, Workday was targeted by a social engineering campaign. The post stated, "In this campaign, threat actors contact employees by text or phone pretending to be from human resources or IT. Their goal is to trick employees into giving up account access or their personal information."
"Sensitive secrets required for this access are often stored in an insecure manner by default," Schwake said. "This situation presents a key API security challenge for security teams, and with services like ChatGPT heavily depending on APIs to access and handle user data, this poses an even greater risk."