Could Your Suppliers Be Your Biggest Cyber Security Risk?

• Share on
• 
• 
• 

Your accountant accesses your finance system. Your payroll provider handles staff data. A marketing agency manages your website and social accounts. Each one has a trusted route into your business, and that’s exactly what makes them a target.

Cyber attacks often start not with a break-in, but through a supplier account that already has legitimate access. Supplier cyber security risk is one of the least-reviewed threats SMEs face.

The good news: it’s manageable. You need to know who has access, what they can see, whether it’s properly protected, and whether old access gets removed when work ends.

Why supplier access matters

Problems emerge when access is:

• Too broad — a marketing agency that needs one folder ends up with permission to view wider company documents
• Left open — a freelancer who finished a project six months ago still has a login because no one removed it
• Shared — a supplier using a shared account means you can’t see who accessed what, or when

SMEs often have fewer formal processes than larger organisations. Access gets granted quickly to get work done, then rarely reviewed. When staff are busy, checking third-party access doesn’t feel urgent. That’s exactly why it gets missed.

If a supplier account is compromised, an attacker doesn’t need to break through your front door. They already have a trusted route inside, and the activity looks legitimate.

Which suppliers to review

Start with anyone outside your business who can log in, view data, change settings, process payments, or download files. Split them into three groups:

• High access: IT support, accountants, payroll providers, anyone with admin rights, financial access, or employee/customer records. Check these first.
• Medium access: suppliers with limited folder or project-based access.
• Low access: suppliers with no access to systems or sensitive information.

Pro tip: Build a simple spreadsheet with each supplier’s name, main contact, systems they can access, whether they use MFA, contract end date, and the person inside your business who owns the relationship. A spreadsheet beats relying on memory or old email threads.

The risks SMEs usually miss

Accounts that stay active after work ends. A freelancer finishes a project. A consultant sets up a system. Six months later, their login still works. This is one of the most common and avoidable gaps.

Shared passwords. If several people use the same supplier account, you can’t see who logged in or what they changed. Named accounts are safer, and make offboarding far cleaner.

No multi-factor authentication. A password alone isn’t enough. If a supplier account can access your email, Microsoft 365, finance tools, or website, it needs MFA. It’s one of the simplest controls to implement and one of the most often skipped for third-party accounts.

Unclear subcontractor access. Some suppliers use their own subcontractors. That may be fine, but you should know who has access to your data.

Poor offboarding. When a contract ends, access should be removed from Microsoft 365, shared folders, website admin, finance platforms, CRM systems, and password managers. Without a checklist, things get missed.

Pro tip: Set a calendar reminder to review supplier access every quarter. Ask: does this supplier still work with us? Do they still need access? Is there an old account to remove?

Questions to ask your suppliers

You don’t need lengthy security questionnaires. Start with these, and record the answers:

• Who can access our data? Which people or teams can access your files, systems, or records? If they can’t give a clear answer, that’s a concern.
• Do you use multi-factor authentication? Any account with access to your systems should have MFA.
• Do you use subcontractors? You should know who they are and whether they can access your data.
• How quickly would you notify us of a breach? Vague answers like “as soon as possible” aren’t useful. Ask for specifics.
• What happens when your staff leave? Their access to your systems should be removed quickly. This tells you whether the supplier has proper offboarding.
• Where is our data stored? UK, Europe, or elsewhere? In their systems or a cloud platform? This matters for financial records, staff data, and client information.
• Can access be removed quickly when the contract ends? Ask how removal happens and how fast it can be done.

Pro tip: For Cyber Essentials certification, supplier access is worth reviewing as part of your preparation. It touches secure configuration, access control, and malware protection, several of the core areas the scheme covers.

Practical steps

These practical steps reduce supplier cyber security risk without making third-party relationships difficult.

• Keep a supplier access list. Know who has access, to what, and at what level.
• Use named accounts. Each person at a supplier should have their own login, not a shared one.
• Require MFA. Especially for email, Microsoft 365, finance tools, payroll, CRM, and website admin.
• Remove access when work ends. Don’t wait for a problem to prompt it.
• Keep independent backups. If a supplier account is compromised, files could be deleted or encrypted. Backups that are separate from the systems they protect give you a recovery option. The NCSC has practical guidance on backups worth reviewing.

How Operum Tech can help

Supplier relationships don’t need to be a security liability. With the right controls in place, you get the flexibility of working with external partners and the confidence of knowing exactly who can access what.

Operum Tech can review your Microsoft 365 permissions, set up MFA, remove old accounts, and tighten third-party access across your systems. We can also check your backup setup and, if you’re working towards Cyber Essentials, guide you through the parts that touch supplier access.

Get in touch and we’ll start with a straightforward review.