Published on 15 June 2026 · by Qubit Technologies
The supplier that sinks you without anyone touching you
Many attacks do not come through your front door, they come through a supplier's. The access you gave your accountant, an update from trusted software or the data you keep in someone else's house can turn a third party's security into your problem.
You can have your company well locked down, with passwords in order, systems patched and your people trained. Even so, you can end up in the hands of an attacker who never knocked on your door, because they came in through someone else’s.
Most companies that suffer a breach today are not the initial target. They are the final destination of an attack that started somewhere else, with someone you work with every day without giving it a thought.
The access you granted and no one took back
Your accountant logs into your systems to run payroll. The company that maintains your software has a remote connection left open. The supplier who installed your cameras kept a line in for support. Each of those doors is convenient, often necessary, but it is also a key to your house sitting in someone else’s hands.
If that supplier gets attacked, that key passes to the attacker. They do not need to force anything of yours, they just use the access you handed over yourselves, access that has often been open for years, with more permissions than it needs and with no one reviewing it.
The trusted update that brought a guest
You install a program from a serious vendor. Every so often an update arrives, you apply it without a second thought, because that is what you paid a trusted name for. That is exactly the mechanism an attacker wants to use.
If they manage to slip into the software vendor, they can put their own code into the next legitimate update. You install it as normal, signed and verified, without a single alarm going off. You opened the door yourselves, convinced you were doing the right thing.
This is not science fiction. It has happened with widely used software, in attacks that hit thousands of companies at once, all of them trusting the same supplier.
Your data living in someone else’s house
You keep more and more outside your own walls. The invoicing on an online platform, the email in the cloud, the customer data in a supplier’s system. While it works, it is wonderfully convenient. The problem shows up when whoever holds all of that gets attacked.
Then your data leaks without anyone having touched a single machine of yours. The breach is someone else’s, the headline and the fine can end up being yours, because in the eyes of the law the one responsible for that data is still you, not the supplier who lost it.
Why the third party is the easier way in
An attacker who means business studies who you work with before coming for you. It pays off more to attack the small accountant who handles fifty companies than to go after them one by one. One hit, fifty victims.
You can be the best protected company on the list. It makes no difference, because the attacker is not looking for the strongest, they are looking for the easiest way to reach you. That way almost never runs through your front door, it runs through the door of someone weaker who has access to your house.
What you can do about it
This is not about distrusting everyone or refusing to work with anyone. It is about knowing who you have given a key to and what they can open with it.
Start by knowing who has access to your systems from outside, with what permissions and since when. Each supplier should only reach what they need, nothing more, with access that expires once it is no longer required. A connection a supplier no longer uses is not a convenience, it is an open door waiting for someone to find it.
It is also worth asking. Before you give a third party access or leave your data in their systems, you have every right to know how they protect it. A serious company will tell you without any trouble. The one that gets uncomfortable with the question is already telling you something.
Your security does not end at the edge of your company. It reaches as far as the security of every supplier with access to your house, which is exactly what an attacker looks at first when studying you, as we covered in what an attacker learns about your company. Looking at who holds your keys is part of genuinely auditing your security.
If you want to know which suppliers have access to your systems and what risk they pose, write to us at [email protected].