When CISOs, third-party risk managers, and supply chain leaders look at cyber risk in their ecosystem, the tendency is to focus on the bigger, broader, more generalized partners. Looking at the big providers such as Google, Amazon EC2, Microsoft, Salesforce, etc. at first makes a lot of sense. After all, they are the 800-pound gorillas in third-party ecosystems: they are used by virtually every company, agency, and organization across the world and of course as a result, their risk to your organization is or can be significant.

But, and this is a big but, most of your partners are probably not the gorilla. Maybe they are the Superb Starlings, small but beautiful. Not rare, but important to the ecosystem of western Africa.

Or maybe they are the leopard, hunting alone, dependent on no other animals, always looking for their next meal. Perhaps they are the hyena, who do in fact make a creepy sound that sounds like a laugh, who wait for other predators to make a kill before they swoop in and steal the hard-won meal from the tired and outnumbered big cat. And yes, that hyena is cute, but they are the jerks of the savannah – ask Simba.

But I digress.

Back in December a breach was announced at SevenRooms. If you’ve never heard of them, I wouldn’t be surprised. They are a small SaaS provider that has a niche in hospitality. They are one of the go-to’s in hospitality. They are small. They are critical. And they have your data if you’ve stayed or dined at a hotel or restaurant that uses their platform. They are not an 800-pound Gorilla, but back in December they were the victim of a cyberattack.

They lost 427 GB of data including a lot of PII. And the SevenRooms systems weren’t directly breached – it was a third-party company they used for data transfer (whose name I couldn’t even find).

If you’ve stayed or dined at one of their customers, your data is out there and it’s not because a big partner got breached. Your data is out there because a small company in someone’s extended third-party ecosystem who according to the Black Kite platform does a pretty good job on security, does business with a partner that doesn’t.

Other than giving me an opportunity to show off some of my pictures from my African Safari this past summer, I wrote this missive to make a point. Don’t just focus on your big third parties. Make sure you look at all your third parties … and their partners … and their partners, etc. I am fairly sure most of the folks whose data is now out there had zero idea that SevenRooms had their data in the first place … and now the hackers do too.

Stay Safe, Stay Healthy, Stay Secure.

Wheatman Out!