Most small businesses do not get breached through a dramatic Hollywood-style attack on their own network. They get exposed through the tools, platforms, agencies, payroll providers, IT companies, accountants, cloud apps, and outsourced services they trust every day.
That is third-party risk. It sounds like a compliance phrase, but it is really a simple business problem: if a supplier can access your data, your systems, your customers, or your operations, their security becomes part of your security.
43% of security leaders now list third-party risk as a top priority. That should not surprise anyone running a small business. Modern companies are built from suppliers, SaaS platforms, integrations, freelancers, processors, and managed services. Your risk does not stop at your front door.
The Part That Feels Unfair
If your payroll provider leaks employee data, your staff will not care that it happened "over there". If your marketing platform exposes customer records, customers will not start by reading the supplier contract. If your MSP account is compromised and attackers use it to access your systems, the operational mess lands on your desk.
Regulators think about it in a similar way. Under EU GDPR and UK GDPR, if you decide why and how personal data is used, you are usually the controller. Many of your suppliers are processors: they handle the data on your behalf. You can outsource the work, but you do not outsource the responsibility to choose processors carefully, put the right contract in place, and keep some oversight.
NIS2 moves the same conversation into cyber resilience. Covered organisations are expected to think about supply chain security, supplier relationships, and the vulnerabilities that come from relying on external providers. Even if you are not directly in scope, your larger customers may push those expectations down to you.
Start With Your Supplier Map
You cannot assess every supplier if you do not know who they are. Most small businesses have more third parties than they think. The obvious ones are IT support, cloud hosting, accountants, HR systems, and payment providers. The less obvious ones are analytics tools, email plugins, CRM integrations, outsourced developers, design contractors, backup providers, AI tools, and old SaaS subscriptions nobody remembers buying.
A useful supplier map does not need to be fancy. A spreadsheet is fine. Capture the basics:
- Supplier name. Include the legal company name and the product or service name if they differ.
- Business owner. Who in your company uses it, pays for it, or would notice if it stopped working?
- Data involved. Customer data, employee data, financial data, confidential documents, credentials, support tickets, source code, or no sensitive data.
- Access level. Can the supplier log in to your systems, administer accounts, connect through an API, or only receive exported files?
- Criticality. If the supplier went down tomorrow, would it be inconvenient, painful, or business-stopping?
- Contract status. Do you have a current agreement, a DPA where needed, and a clear contact for security incidents?
Not Every Supplier Needs the Same Scrutiny
The mistake many businesses make is trying to assess every supplier equally. That turns third-party risk into an admin swamp and guarantees nobody wants to keep it updated.
Prioritise by impact. A cleaning company, a design freelancer, a payroll processor, and a managed IT provider are not the same kind of risk. They may all be suppliers, but they do not all need the same questions.
A practical priority order for most small businesses:
- IT and managed service providers. They often have privileged access and can become a route into everything else.
- Cloud, hosting, backup, and identity providers. These support the systems you rely on to operate and recover.
- Payroll, HR, finance, and payment providers. They handle sensitive employee, bank, tax, and customer information.
- Customer data platforms. CRM, marketing automation, helpdesk, analytics, booking, and e-commerce tools.
- Developers, agencies, and consultants with access. Especially anyone with admin accounts, repositories, production access, or exported datasets.
What To Ask in a Supplier Questionnaire
A supplier questionnaire should be short enough that it gets answered and specific enough to reveal risk. For most small businesses, ten good questions are better than eighty vague ones.
- Do you use multi-factor authentication for admin and remote access?
- How do you control and review privileged accounts?
- How quickly do you apply critical security patches?
- Where is our data stored and processed?
- Do you use subcontractors or subprocessors to deliver the service?
- How do you encrypt data in transit and at rest?
- Do you have an incident response process, and when will you notify us?
- Can you provide evidence such as ISO 27001, Cyber Essentials, SOC 2, or a recent security summary?
- How do you back up customer data, and how often do you test recovery?
- What happens to our data when the contract ends?
The goal is not to catch suppliers out. It is to understand whether they have the basics under control and whether their answers match the level of risk they create for you.
Red Flags Worth Slowing Down For
Most suppliers will not send you a perfect security pack, especially if they are small too. That is fine. What matters is whether they can answer plainly, show evidence, and accept reasonable obligations.
These are the red flags that should make you pause:
- No DPA where personal data is processed. If a supplier handles personal data on your behalf and cannot provide a data processing agreement, that is a serious gap.
- Vague breach notification wording. "We will notify you where appropriate" is weaker than a clear commitment to notify without undue delay and within a defined timeframe.
- No MFA for admin access. Especially concerning for IT support, SaaS platforms, cloud providers, and anyone with privileged access.
- Unclear subprocessors. If they rely on other vendors but cannot explain who they are or where data goes, your risk is hard to understand.
- No patching or vulnerability process. "We update when needed" is not a process.
- Shared accounts. If multiple people use one login, accountability disappears quickly.
- Resistance to basic security questions. A supplier does not need a glossy portal, but they should be willing to explain how they protect your business.
The DPA Is Not Just Legal Paperwork
A Data Processing Agreement is the contract that sets out how a processor handles personal data for you. Under EU GDPR and UK GDPR, it is not optional where a processor is involved. It should cover what data is processed, why, for how long, how it is protected, whether subprocessors are used, what happens at the end of the service, and how the supplier supports you with data subject requests or breaches.
The DPA will not stop a breach by itself. But it gives you leverage and clarity before something goes wrong. It should answer practical questions like:
- How quickly must the supplier tell you about a personal data breach?
- Can they appoint new subprocessors without telling you?
- What security measures are they contractually promising?
- Can you request evidence or audit information?
- How will they delete or return your data when the relationship ends?
If a supplier is high-risk and the DPA is missing, vague, or impossible to understand, fix that before you deepen the relationship.
Make Reviews Part of Buying, Not a Yearly Panic
Supplier risk is much easier to manage at the point of purchase than after a tool is already embedded in your business. Once staff rely on a platform, data has been uploaded, integrations are live, and renewal is due next week, your leverage is weaker.
Build a lightweight rule: no new supplier gets approved until someone answers three questions.
- What data or access will this supplier have?
- How bad would it be if they were breached or unavailable?
- Do we have the right contract, DPA, and security evidence for that level of risk?
That one habit catches a surprising amount. It stops teams quietly connecting risky tools to customer data. It makes procurement less emotional. It also gives you a simple audit trail if a customer, insurer, or regulator asks how you manage supplier risk.
The useful standard is not perfection. It is being able to show that you know which suppliers matter, have checked the highest-risk ones, and have a plan for the rest. That is what separates managed risk from wishful thinking.
The Honest Summary
Your suppliers are part of your security boundary now. That does not mean you need to interrogate every vendor or build an enterprise procurement department. It means you need a clear list, a sensible priority order, a few good questions, and the right contracts for suppliers handling personal data or critical services.
Start with the suppliers who can hurt you most: IT support, cloud, payroll, finance, customer data platforms, and anyone with admin access. Ask practical questions. Look for red flags. Get DPAs in place where personal data is processed. Then repeat the review when the supplier changes, your use changes, or the contract renews.
Third-party risk is not someone else's problem. It is your problem wearing someone else's logo.
Know Which Suppliers Matter Most
Faradome RisQ helps you map supplier exposure, prioritise the vendors that create real risk, and understand where your security posture needs attention before a customer, insurer, or regulator asks.
Start Your RisQ Assessment → Talk to Us