
The Blurring Lines of Trust: Rethinking Third-Party Risk for Organisational Resilience

By Tony Fergusson, CISO in Residence at Zscaler.

Monday, 27th April 2026. Posted by Sophie Milburn.

The traditional security perimeter no longer exists. Today’s enterprises operate within sprawling ecosystems of suppliers, SaaS platforms, contractors, and outsourced partners — and that interdependence is becoming one of the greatest threats to organisational resilience. According to a recent report Zscaler commissioned, titled The Ripple Effect: A Hallmark of Cybersecurity, 68% of IT leaders say their organisations rely on contractors and third parties more than ever before, yet fewer than half have implemented sufficient third-party risk controls. The gap between reliance and readiness is no longer theoretical: 60% of organisations report they have already experienced a significant failure caused by a supplier or third-party vendor in the past year, and 63% expect another such incident within the next 12 months.

These failures rarely stay contained. When a supplier is breached or disrupted, the impact cascades: halting operations, exposing sensitive data, or cutting off access to critical services. Despite this, only 42% of organisations say their cyber resilience strategy explicitly includes contractors and gig workers, and just 34% are highly confident their current controls can withstand supply chain volatility. In an environment where three quarters of IT leaders expect macroeconomic and geopolitical forces to drive rapid operational pivots, resilience can no longer be inward-looking. For too long, security focused on defending the "four walls" of the business. Today, true resilience demands treating every interaction, internal or external, with a foundational level of scrutiny. The core challenge is simple to state: how do we maintain high standards of security and prevent catastrophic data exposure while still enabling necessary, efficient collaboration with external partners?


Understanding the Flavours of Third-Party Risk

The dangers posed by a compromised third party are not monolithic; they manifest in several ways, each posing a distinct threat to business continuity and data integrity. In the most classic and devastating scenario, a third-party vendor becomes a direct network conduit for a lateral-movement breach. A vendor, perhaps a service provider with remote access to internal systems, suffers a security incident. Because of traditional, overly permissive network connectivity (such as broad Virtual Private Network or IPsec tunnels), the attacker pivots effortlessly from the compromised vendor's network into the host organisation's environment. The "blast radius" of the vendor's breach immediately encompasses the business itself, leading to significant disruption and reputational damage.

A different but common threat stems from the simple reality of data oversharing. Many organisations unknowingly overshare critical data with their partners. Whether it’s sharing an entire database when only stock levels are needed or granting system-wide access when a limited function would suffice, this "oversharing" creates immense risk. If the third party is breached, the attacker gains immediate access to the full scope of the shared data. This means sensitive intellectual property, customer data, or operational details are stolen not because of the victim’s own security failure, but due to a partner’s risk that is often difficult to mitigate once data is handed over.

Another significant risk is functional business disruption, which is purely about loss of service rather than loss of data. If a critical cloud provider, SaaS platform, or external service on which the business relies goes offline because of a cyberattack (such as a ransomware attack), the business loses the ability to perform necessary functions, crippling operations. While this does not involve a direct data breach of the host company, it severely impacts resilience and continuity.

Looking toward the future, the emerging threat of Agentic AI introduces a new, uncharted category of third-party risk. With companies beginning to deploy hundreds, if not thousands, of AI agents (synthetic employees) to perform tasks, these agents inherently need access to data and systems. Without clear security protocols, authentication mechanisms to verify the agent's identity, and defined legal liability, these powerful tools represent a profound and potentially unmanaged risk.

Tactics for Enhanced Resilience: Moving Beyond Least Privilege

To effectively mitigate these risks, organisations must evolve their approach from basic "least privilege" access to a data-centric model focused on minimal information exposure and stronger trust verification. The traditional Zero Trust principle of least privilege focuses on limiting who (user/device) can access what (application/network segment). The modern evolution is Least Information Design, which limits what information can be accessed or moved, even after a user has authenticated to a system. Policies are then based on data context and intent, providing granular access. For example, a contractor may access an SAP system, but policies can prevent them from viewing financial documents or merger and acquisition data specifically.

Furthermore, this approach refines the control to least function. Does a user need to read, write, or delete data? Limiting their function to "read-only", for instance, drastically reduces the potential for malicious or accidental data damage.

Finally, organisations can implement intent-based policy by leveraging AI/ML to understand the intent of a user action (e.g., analysing a prompt or a sequence of actions). This allows guardrails against abnormal or high-risk behaviour to be enforced regardless of the user's base privileges.
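The least-information and least-function controls described above, as an added example that is not from the article or from any Zscaler product: a deny-by-default policy check in which a rule grants a role a set of operations on a system, and the response is projected down to the fields whose classification label the rule allows. The policy, the SAP-style record and its labels are constructed sample data, not a real SAP authorisation model; the intent-based (AI/ML) layer is out of scope here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One policy line: who, on which system, may perform which operations
    (least function) on data carrying which classification labels (least information)."""
    role: str
    system: str
    actions: frozenset
    labels: frozenset


# Constructed sample policy: a contractor may read inventory data in SAP but never
# financial or merger-and-acquisition (M&A) fields; a finance analyst may read and write
# financial fields but still sees no M&A data.
POLICY = (
    Rule("contractor", "sap", frozenset({"read"}), frozenset({"internal", "inventory"})),
    Rule("finance-analyst", "sap", frozenset({"read", "write"}),
         frozenset({"internal", "inventory", "financial"})),
)

# Constructed sample record with a per-field classification label.
SAMPLE_RECORD = {"material": "M-100", "stock_level": 740, "unit_cost": 12.5, "acq_target": "Acme Ltd"}
SAMPLE_LABELS = {"material": "inventory", "stock_level": "inventory",
                 "unit_cost": "financial", "acq_target": "m_and_a"}


def decide(role, system, action, labels, policy=POLICY):
    """Return (allowed, visible_fields). Deny by default: an unknown role, system or
    action yields (False, set()); an allowed request still exposes only labelled fields
    whose label the matching rule permits (unlabelled fields are never visible)."""
    for rule in policy:
        if rule.role == role and rule.system == system and action in rule.actions:
            visible = {field for field, label in labels.items() if label in rule.labels}
            return True, visible
    return False, set()


def filtered_view(role, system, action, record, labels, policy=POLICY):
    """Least-information projection: even an authenticated caller receives only the
    fields its rule allows. None means the operation itself is denied."""
    allowed, visible = decide(role, system, action, labels, policy)
    if not allowed:
        return None
    return {key: value for key, value in record.items() if key in visible}
```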

Oversharing is a direct result of requiring full information when only a simple validation is necessary. Zero-Knowledge Proofs offer a cryptographic solution to this problem. The central idea is straightforward: proving you know or possess a piece of information without ever revealing the information itself. For interaction with outside partners, this changes the nature of data exchange. Instead of giving a supplier complete inventory data, the system allows the supplier to ask a function-based question, such as "Is the stock level for a specific item above 500 units?" The system provides a simple yes or no answer without exposing the inventory system or precise figures. Similarly, for identity verification, this technology allows a party to prove they meet a specific requirement, for example that they are authorised to access a service, without revealing sensitive personal details such as name, address, or date of birth. By employing this method, an organisation can ensure that even if an outside partner suffers a successful security breach, the stolen credential only permits querying specific facts, not extracting the underlying raw data. The potential harm from a security compromise involving an outside partner is thus drastically reduced.
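The "prove possession without revealing" idea in this paragraph, as an added example that is not from the article or from Zscaler: a Schnorr proof of knowledge made non-interactive with the Fiat-Shamir transform. The partner proves it holds the secret x behind a registered public value y = g^x mod p without transmitting x, and the proof is bound to a session context so a captured proof fails against any other context. The group parameters are generated at a demo size (64-bit safe prime) purely so the example runs quickly; that size is an assumption for illustration, not a production parameter choice.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test with random bases (callers pass odd n > 3)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64):
    """Demo-size safe prime p = 2q + 1 and a generator g of the order-q subgroup (not production parameters)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    g = pow(2 + secrets.randbelow(p - 3), 2, p)  # a square of h in [2, p-2] has order q and is never 1
    return p, q, g

def keygen(p, q, g):
    x = 1 + secrets.randbelow(q - 1)  # the secret credential; it never leaves the prover
    return x, pow(g, x, p)

def challenge(p, q, g, y, r, context):
    """Fiat-Shamir: the challenge is a hash of the public values, the commitment and the session context."""
    h = hashlib.sha256(f"{p}|{g}|{y}|{r}|{context}".encode()).digest()
    return int.from_bytes(h, "big") % q

def prove(p, q, g, x, context):
    k = 1 + secrets.randbelow(q - 1)  # fresh nonce per proof; reusing it would leak x
    r = pow(g, k, p)
    c = challenge(p, q, g, pow(g, x, p), r, context)
    return r, (k + c * x) % q

def verify(p, q, g, y, proof, context):
    r, s = proof
    if not (1 < r < p and 0 <= s < q):  # reject malformed proofs before any arithmetic
        return False
    c = challenge(p, q, g, y, r, context)
    return pow(g, s, p) == (r * pow(y, c, p)) % p
```

Threshold questions such as "is stock above 500 units" need a range proof rather than this proof of knowledge, so this block demonstrates the identity-verification case only.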

Universal Zero Trust for the Entire Ecosystem

The key to long-term resilience against supply chain and third-party risk is to dismantle the artificial divide between "insiders" and "outsiders." The reality of modern business is a fluid ecosystem of employees, contractors, partners, and automated agents.

Treating everyone like a third party is the logical conclusion of Zero Trust. Why should an employee, who may become disgruntled or negligent, be inherently trusted more than a vetted, professional contractor? By applying the same principles of least privilege, least information, and strict access brokerage to every entity interacting with organisational systems, businesses can achieve a uniform and robust security posture.

The days of relying on a strong perimeter are over. Resilience in the interconnected era requires controlling access, limiting information, and verifying intent for every user and every function across the entire extended enterprise.
