Your Vendor Is Your Attack Surface

Most firms lock their own front door and leave the back door open for everyone they do business with.

There's a question I ask every prospective client during our first conversation, and the answers are almost always the same. I ask them to name every piece of software their team uses to do their jobs. Not just the obvious stuff — Microsoft 365, their practice management system — but everything. The e-signature tool. The client portal. The invoicing platform. The thing they're pretty sure accounting signed up for last year.

Most people can get to eight or ten. The actual number, once we dig in, is usually closer to twenty-five.

Every one of those is a door.

The cybersecurity conversation for small businesses has gotten a lot better over the last few years. Firms are taking MFA seriously. Password hygiene is improving. M365 security configurations that were being ignored in 2021 are getting attention now. That's all good.

What hasn't caught up is third-party risk: the idea that your security is only as strong as the weakest vendor you're quietly handing your data to.

Here's what I mean. In 2024, Change Healthcare — a company that processes roughly half of all U.S. medical claims — got hit with ransomware. The attackers didn't break through some exotic zero-day. They used stolen credentials to get into a Citrix portal that didn't have multi-factor authentication enabled. The downstream impact hit thousands of healthcare providers, including small practices that had never heard of Change Healthcare and had no idea they were exposed through it.

That's the pattern. A vendor you depend on, with security practices you've never reviewed, becomes the entry point into your world.

For professional services firms, the exposure is specific and serious. Think about what your vendors actually touch.

Your e-signature platform has copies of executed agreements, potentially including wire transfer instructions, property details, or confidential terms. Your cloud storage integrations have client documents. Your billing software has financials. Your scheduling tool, if it integrates with your calendar, has context about who you're meeting with and when.

None of that is hypothetical. Every category I just listed has seen a notable breach in the past two years.

The problem isn't that these tools are bad. Most of them are perfectly fine. The problem is that when a vendor gets hit, you don't get to opt out of the consequences just because the breach wasn't your fault. Your clients don't experience a distinction between "we got breached" and "our vendor got breached." The letter you have to send them looks the same either way.

So what do you actually do about it?

Start by building a real list. Not from memory. Review your credit card statements and your email to find every SaaS subscription, every app your team uses, every integration that touches client data. That inventory is the foundation of everything else.

Once you have the list, the questions get simpler. Does this vendor have a published security page or trust center? When did they last run a SOC 2 audit, and can you see the report? What happens to your data if you leave, or if they go under? Is MFA available, and is it enforced?

You're not doing a full vendor security assessment on every tool; that's not realistic for a 15-person firm. But the vendors that touch your most sensitive data deserve more than a blind trust relationship built on the fact that someone signed up for them three years ago.

The third thing is offboarding discipline. Vendor risk isn't just about the tools you're actively using. It's also about the tools you stopped using but forgot to deactivate. Former employees whose accounts still have access to a vendor portal you've been ignoring. An API integration that still has read access to your client list even though the contract ended eight months ago.
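One way to turn the inventory questions and the offboarding checks above into a repeatable review, as an added example (not part of the original post and not a tool from Athencia): a small Python triage over a constructed vendor inventory that flags missing or unenforced MFA, stale SOC 2 reports, integrations that outlived their contracts, and accounts belonging to former staff. The vendor names, data categories, dates and the one-year SOC 2 age threshold are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple
# Categories of client data that earn a vendor the deeper review questions (assumed list).
HIGH_SENSITIVITY = {"signed_agreements", "wire_instructions", "client_documents",
                    "financials", "client_list"}
@dataclass
class Vendor:
    name: str
    data: Set[str]                      # what client data this vendor touches
    mfa_available: bool
    mfa_enforced: bool                  # enforced for every user, not merely offered
    soc2_report_date: Optional[date]    # date of the last SOC 2 report you were shown
    contract_active: bool
    integration_active: bool            # API key / OAuth grant still live
    former_staff_accounts: int          # accounts belonging to people who have left

def triage(vendors: List[Vendor], today: date, soc2_max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Return (vendor, finding) pairs; vendors touching the most sensitive data come first."""
    findings = []
    ranked = sorted(vendors, key=lambda v: len(v.data & HIGH_SENSITIVITY), reverse=True)
    for v in ranked:
        # Offboarding checks apply to every vendor, whether or not it holds sensitive data.
        if v.integration_active and not v.contract_active:
            findings.append((v.name, "integration still live after contract ended"))
        if v.former_staff_accounts:
            findings.append((v.name, f"{v.former_staff_accounts} account(s) belong to former staff"))
        if not v.data & HIGH_SENSITIVITY:
            continue  # the deeper questions are reserved for vendors holding sensitive data
        if not v.mfa_available:
            findings.append((v.name, "no MFA offered for sensitive data"))
        elif not v.mfa_enforced:
            findings.append((v.name, "MFA available but not enforced"))
        if v.soc2_report_date is None:
            findings.append((v.name, "no SOC 2 report on file"))
        elif (today - v.soc2_report_date).days > soc2_max_age_days:
            findings.append((v.name, f"SOC 2 report is {(today - v.soc2_report_date).days} days old"))
    return findings

# Constructed sample inventory (illustrative names and values, not real vendors).
SAMPLE_INVENTORY = [
    Vendor("scheduling tool", {"calendar"}, True, True, None, True, True, 0),
    Vendor("legacy CRM", {"client_list"}, True, True, date(2024, 6, 1), False, True, 0),
    Vendor("e-sign platform", {"signed_agreements", "wire_instructions"},
           True, False, date(2023, 2, 1), True, True, 1),
]

def sample_triage() -> List[Tuple[str, str]]:
    return triage(SAMPLE_INVENTORY, date(2025, 3, 1))
```

Running `sample_triage()` surfaces the e-sign platform first (unenforced MFA, a two-year-old SOC 2 report, one departed user still active) and the CRM integration that outlived its contract, while the scheduling tool produces no findings.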

I'll be honest with you: this isn't the most exciting part of running a secure operation. It doesn't have the drama of endpoint protection or the urgency of an active phishing campaign. It's administrative, and it's tedious, and it's easy to defer.

But vendor risk is where a lot of firms are quietly exposed right now, because they secured their own environment while assuming someone else was securing theirs.

If you want to know where you actually stand, the vendor inventory and review process is something we work through with clients as part of ongoing management under Athencia One Complete, ensuring it gets done systematically rather than whenever someone remembers to think about it.