← Blog

Your vendors can get you breached — third-party risk for small teams

Tenant Strike3 min read

The apps you connect, the IT provider you trust, the contractor with a shared password — any of them can become the door an attacker walks through into your systems.

You can do everything right inside your own business — strong passwords, multi-factor authentication, careful employees — and still get breached through someone else's mistake.

That's the uncomfortable reality of third-party risk. The contractors, apps, and IT providers you connect to your systems are extensions of your attack surface, whether you think of them that way or not.

What 'attack surface' means for a small business

Your attack surface is everything an attacker could potentially use to get in. For most small businesses, that's not just your own logins — it's every app, service, or person with a connection to your systems.

When you authorize a project management tool to access your Microsoft 365 calendar and email, that app has a credential. When your IT provider sets up remote access to your systems, they have a way in. When a freelancer gets added to your SharePoint, they have an account.

If any of those parties get compromised — and the attacker gets the right credentials — they may have a path straight to your environment.

Three scenarios that happen to real small businesses

The overpermissioned app. You connected a scheduling or invoicing tool to your Microsoft 365 a couple of years ago. It asked for access to your email and contacts, you clicked Accept, and you moved on. That app now has ongoing access — possibly to every mailbox in your organization — even if you barely use it anymore. If that software company ever has a breach, that access comes with it.

The IT provider or managed service provider (MSP) compromise. MSPs are companies small businesses hire to manage their IT. They often have administrative access to dozens of clients. That makes them valuable targets. When an attacker compromises an MSP, they don't get one company — they potentially get all of them. This has happened. It's not theoretical.

The contractor's reused password. A contractor who worked with you for six months used the same password on your systems that they use everywhere else. That password shows up in a data breach from some unrelated website. Now someone has a working login to your file shares and email — and you probably have no idea.

What you can actually do about it

None of this requires specialized tools or a security team. It requires a habit.

  1. Make a list of who has access. This includes people (employees, former employees, contractors) and apps (anything connected to your Microsoft 365 or other business systems). Most business owners are surprised how long the list is.
  1. Remove access you don't use anymore. The contractor from two years ago, the app you tried and abandoned, the vendor relationship that ended — their access often stays active long after the relationship ends. Cutting it is low-effort and genuinely reduces your exposure.
  1. Apply least-privilege where you can. This means giving people and apps only the access they actually need. A bookkeeper probably doesn't need admin rights. A scheduling app probably doesn't need to read every email in your organization.
  1. Ask vendors basic questions. If an IT provider or software vendor has significant access to your systems, it's reasonable to ask: Do you use multi-factor authentication (MFA) for your own admin accounts? Do you have a security policy? This isn't aggressive — any reputable vendor expects it.

The part that's easy to miss

Third-party risk is hard to manage without visibility. You can't revoke an app's access if you've forgotten it's connected. You can't ask a contractor to re-authenticate if you don't have a record of the account.

Most of the small businesses that get caught here aren't careless — they just never had a clear picture of what was connected to what.

Tenant Strike scans your Microsoft 365 and Azure environment in read-only mode and surfaces connected apps, permission grants, and access patterns you may not have looked at in months. A five-minute scan tends to find a few things worth cleaning up.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.