ForgeAwareness
Module 1 (4 min)

Why vendor security is now your problem

TL;DR

Most major breaches in the last two years started at a vendor. The shift means every employee who signs SaaS contracts is now a security gatekeeper, whether they realize it or not.

The shift

In 2010, vendor security meant "do they have a firewall." In 2026, it means "if they get ransomwared, what happens to us?"

The biggest breaches of 2023–2025 weren't direct attacks on the victims. They came through vendors:

  • Change Healthcare (2024) — broke US prescription processing for weeks; affected nearly every hospital
  • MOVEit (2023) — file-transfer vendor exploit hit 2,700+ organizations including governments
  • SolarWinds (2020, still relevant) — network monitoring vendor compromise reached thousands of customers
  • Okta support (2023) — support session hijacking affected major customers
  • Snowflake customers (2024) — credential reuse against vendor customers, 165+ orgs affected
  • PolyFill.io (2024) — supply chain attack via a small JavaScript library

The pattern: one vendor is breached, hundreds of customers feel it. The blast radius isn't just the vendor; it's everyone the vendor serves.

What this means for you

If you:

  • Sign a SaaS contract
  • Approve a new tool
  • Negotiate vendor terms
  • Manage a vendor relationship
  • Run procurement

You're now part of the security model. You're not expected to be a security expert — but you're expected to:

  • Tier vendors by risk (Module 2)
  • Ask the right questions (Module 3)
  • Read security documentation enough to know if it's substantive (Module 4)
  • Get the right contractual minimums (Module 5)
  • Notice when something changes (Module 6)

What "vendor risk management" is NOT

It's NOT:

  • A 200-question security questionnaire for every vendor
  • A 6-week review for buying a $50/month SaaS
  • A blocker that slows the business

It IS:

  • Tiered scrutiny matching the risk (Module 2)
  • Questions that change vendor behavior, not checkbox theater
  • Documents that are worth reading because they say something substantive
  • Contract terms that matter when something goes wrong

Real case for context

The Change Healthcare breach in 2024 reportedly started because an attacker obtained valid credentials for a remote access portal that didn't require MFA. That vendor processed 50% of US medical claims. The breach disrupted billions of dollars of healthcare for weeks.

The single missing control: MFA on a remote access portal.

A pre-onboarding security review would have caught that. The cost of asking would have been one email. The cost of not asking, for thousands of customers, was extraordinary.

Knowledge check

Knowledge check 1

Why is vendor security now critical?