UtopianKnight Consultancy – James Griffiths



Third-Party Risk Is Still Everyone’s Blind Spot

Questionnaires are theatre. Real risk reduction looks very different.

Third-party risk keeps showing up in breach reports, regulator findings, and insurance claims. Yet most organisations still manage it with long questionnaires, annual reviews, and a false sense of control.

This is not a tooling problem. It is a thinking problem.

If your third-party risk programme is built around self-attested questionnaires, you are measuring compliance theatre, not real exposure. Attackers do not care how many boxes a supplier ticked last year. They care about access paths, weak identities, exposed systems, and slow detection.

This article explains why questionnaires fail and what actually reduces supplier risk in practice.


Why questionnaires became the default

Questionnaires are popular because they are easy to scale, easy to evidence, and easy to defend during audits.

They also give comforting outputs:

  • Heatmaps
  • Risk scores
  • Completion percentages
  • “Reviewed annually” statements

From a governance perspective, they look mature. From a security perspective, they are mostly noise.

The core problem is simple. Questionnaires measure what suppliers say about themselves, not how they actually operate.


The uncomfortable truth about supplier questionnaires

Most suppliers answer questionnaires defensively, not honestly.

Common patterns include:

  • Copy-and-paste policy language
  • Aspirational answers rather than operational reality
  • “Yes” answers qualified by exceptions you never see
  • Outdated responses reused year after year

This is not because suppliers are malicious. It is because they are busy, under commercial pressure, and optimising for contract approval.

Worse, questionnaires rarely focus on what actually matters for your organisation. They ask generic questions that look good to auditors but have little predictive value for breach risk.

A supplier can pass a questionnaire and still be your biggest exposure.


What actually causes third-party incidents

If you look at real incidents involving suppliers, a few themes keep repeating:

  • Compromised credentials used to access customer environments
  • Over-privileged third-party accounts
  • Poor segregation between supplier customers
  • Unmonitored remote access tools
  • Delayed breach notification

None of these are reliably identified by questionnaires.

Attackers do not exploit missing policies. They exploit trust relationships and technical access.


Third-party risk is mostly an access problem

The most important question to ask about any supplier is not “Are you ISO certified?”

It is:

What access do they have, and how is it controlled?

This includes:

  • Network access
  • Identity and authentication methods
  • API access
  • Administrative privileges
  • Data access paths

If a supplier has persistent access into your environment, your security posture is now partly theirs.

Many organisations dramatically underestimate how much access suppliers really have, especially legacy vendors and IT service providers.


Why annual reviews are meaningless

Annual reviews assume risk is static. It is not.

Supplier risk changes when:

  • They add new staff
  • They outsource work
  • They adopt new tools
  • They experience an incident
  • They are acquired
  • They cut costs

An annual questionnaire captures none of this in time to matter.

Attackers move faster than your review cycle.


What actually reduces supplier risk

If questionnaires are theatre, what works?

The answer is less glamorous and more operational.

1. Minimise and design supplier access properly

Start with access design, not paperwork.

Practical steps:

  • Remove standing access wherever possible
  • Use just-in-time access with expiry
  • Enforce strong MFA for all third-party users
  • Separate supplier access by role and function
  • Block shared or generic accounts

If a supplier is compromised, this limits blast radius immediately.

2. Treat supplier identities as high-risk identities

Third-party identities should be treated differently from internal users.

That means:

  • Stronger authentication requirements
  • More restrictive conditional access
  • Enhanced logging and alerting
  • Faster access reviews

Most organisations do the opposite. They trust suppliers too much and monitor them too little.

3. Monitor behaviour, not declarations

Real risk management is about detecting abnormal behaviour.

This includes:

  • Unusual login locations or times
  • Access outside agreed scopes
  • Excessive data access
  • Privilege escalation
  • API abuse

If you are not monitoring how suppliers actually use access, you are blind.
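As an added example (not code from the article or its author), here is one way to make steps 1 to 3 concrete: supplier access events are checked against time-boxed, scoped grants rather than against what the supplier declared. The grant model, account names, systems and log events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Grant:  # one time-boxed, scoped grant for a supplier identity (constructed model)
    systems: frozenset[str]     # what the supplier may reach
    roles: frozenset[str]       # what privilege the supplier may use
    countries: frozenset[str]   # where the supplier may connect from
    hours: tuple[int, int]      # agreed UTC window, [start, end)
    expires: datetime           # just-in-time expiry; nothing is valid after this

# Constructed grant: an IT service provider whose working-hours window ended on 1 June.
GRANTS = {
    "svc-msp-ops": Grant(frozenset({"jump-host", "erp-db"}), frozenset({"operator"}),
                         frozenset({"GB"}), (8, 18),
                         datetime(2024, 6, 1, 18, 0, tzinfo=timezone.utc)),
}

def findings(event: dict) -> list[str]:
    """Return every way one access event departs from the supplier's agreed scope."""
    grant = GRANTS.get(event["user"])
    if grant is None:
        return ["no grant on record: standing or unknown third-party account"]
    ts = datetime.fromisoformat(event["ts"])
    out = []
    if ts >= grant.expires:
        out.append("grant expired")
    if event["system"] not in grant.systems:
        out.append(f"system {event['system']} outside agreed scope")
    if event["role"] not in grant.roles:
        out.append(f"role {event['role']} exceeds agreed privilege")
    if event["country"] not in grant.countries:
        out.append(f"connection from {event['country']} not in agreed locations")
    if not grant.hours[0] <= ts.hour < grant.hours[1]:
        out.append("access outside agreed hours")
    if not event["mfa"]:
        out.append("third-party login without MFA")
    return out

# Constructed supplier access log: one clean event, one that should alert on several counts,
# and one from an account that has no grant at all (legacy standing access).
EVENTS = [
    {"id": 1, "user": "svc-msp-ops", "ts": "2024-05-30T10:15:00+00:00", "system": "jump-host",
     "role": "operator", "country": "GB", "mfa": True},
    {"id": 2, "user": "svc-msp-ops", "ts": "2024-06-03T02:40:00+00:00", "system": "hr-fileshare",
     "role": "admin", "country": "RO", "mfa": False},
    {"id": 3, "user": "svc-legacy", "ts": "2024-06-03T09:00:00+00:00", "system": "erp-db",
     "role": "operator", "country": "GB", "mfa": True},
]

def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event id to its findings, keeping only events that need attention."""
    return {e["id"]: f for e in events if (f := findings(e))}
```

Run against a real access log, the same checks give you a per-supplier picture of scope creep, expired grants that are still in use, and accounts nobody granted anything to.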

4. Segment suppliers from each other

Suppliers should never be able to impact multiple customers or environments through a single compromise.

This requires:

  • Strong tenant separation
  • Network segmentation
  • Identity scoping
  • Environment isolation

Many high-impact incidents occur because one supplier breach cascades across multiple clients.

5. Focus deep assessment on the few suppliers that matter

Not all suppliers carry equal risk.

Instead of sending the same questionnaire to everyone:

  • Identify suppliers with material access or data
  • Perform deeper technical and operational reviews on those
  • Keep low-risk suppliers lightweight

This is more defensible and far more effective.

6. Test assumptions, do not just accept answers

Where risk is high, validate claims.

This can include:

  • Evidence of access controls
  • Walkthroughs of incident response processes
  • Architecture reviews
  • Contractual right-to-audit clauses

You do not need to audit everyone. You do need to verify the suppliers that could materially hurt you.


Contracts matter more than questionnaires

Many organisations try to fix third-party risk after the contract is signed. That is too late.

Contracts should clearly define:

  • Security responsibilities
  • Breach notification timelines
  • Access requirements
  • Sub-processor controls
  • Termination and exit obligations

Without this leverage, questionnaires are just polite requests.


The role of regulation and guidance

Regulators have been signalling this shift for years. Guidance from bodies such as the National Cyber Security Centre (NCSC) consistently emphasises supply chain security, access control, and continuous risk management.

The direction of travel is clear. Tick-box supplier management is not enough. Organisations are expected to understand and manage real dependencies.

Insurers are also catching on. Many now ask detailed questions about third-party access and monitoring, not just certifications.


Why this is still a blind spot

Third-party risk sits awkwardly between teams.

  • Security wants control
  • Procurement wants speed
  • Legal wants standard terms
  • The business wants delivery

Questionnaires survive because they offend no one and slow nothing down. Unfortunately, they also stop very little.

Real third-party risk management requires saying no, limiting access, and sometimes changing how suppliers work. That is uncomfortable. It is also necessary.


The bottom line

Third-party risk is not solved by better questionnaires.

It is reduced by:

  • Designing access properly
  • Treating supplier identities as high risk
  • Monitoring behaviour continuously
  • Focusing effort where it matters

Questionnaires can still play a role. But they should be evidence, not the foundation.

If your supplier risk programme would still look the same after a supplier breach, it is not fit for purpose.

Attackers already understand your blind spot. It is time defenders caught up.