Third Party
A third party is any external organization, vendor, supplier, or contractor with a business relationship with your organization. That relationship typically includes some degree of access to your systems, data, networks, or operations. In cybersecurity, this matters because a breach at one third party often becomes a breach across many.
What does "third party" mean in a business context?
A third party is any entity outside your own organization that your business depends on to operate. The term is deliberately broad. It covers IT vendors providing software and cloud infrastructure, suppliers delivering raw materials or components, contractors performing specialized services, and business partners with whom you exchange data.
What defines a third party is not the type of service they provide. It is the existence of a relationship that creates mutual dependency and, in most cases, some form of shared digital access.
The term maps to the structure of the primary business relationship. Your organization is the first party. Your customer is the second party. Anyone your organization brings in to support operations is a third party. To your customers, you are a third party. Every organization in a supply chain occupies both roles simultaneously.
How is "third party" different from "vendor," "supplier," or "contractor"?
Third party is the umbrella term. Vendor, supplier, and contractor describe specific types of third parties, and different industries tend to use different words for the same underlying concept.
- Vendors provide finished products or services that an organization consumes directly: software platforms, cloud services, payment processors, logistics providers. The word vendor is most common in financial services, healthcare, and technology contexts.
- Suppliers provide the raw materials, components, or inputs required to create a product. The distinction between vendor and supplier matters in manufacturing, wholesale, and retail, where a supplier might provide physical goods that go into something your organization produces.
- Contractors are third parties that perform specialized work under a defined agreement, often with direct access to internal systems or physical facilities. Public sector organizations tend to use "contractor" rather than vendor and may refer to first-tier, second-tier, or Nth-tier subcontractors.
For cybersecurity purposes, the distinction between these types matters less than the access each one has. A supplier with no system access has a very different risk profile from a software vendor embedded in your production environment.
Why do third-party relationships create cyber risk?
Third-party cyber risk arises because access is shared. When your organization deploys a vendor's software, grants a contractor access to your network, or integrates a supplier's systems with your own, you extend your attack surface beyond your direct control. An attacker who cannot breach your perimeter directly may find the same data or systems accessible through a less-protected third party.
Black Kite research shows that when a single vendor is compromised, the breach creates an average of 5.28 downstream victim organizations. The SolarWinds breach demonstrated this at scale. Attackers compromised a software update mechanism used by thousands of organizations, reaching government agencies and major enterprises without ever targeting those organizations directly. The MOVEit breach similarly propagated across hundreds of organizations through a shared file-transfer vendor.
The risk is structural. Modern organizations average hundreds to thousands of active third-party relationships, and each one is a potential entry point. Managing that exposure requires understanding not just which third parties you use, but how they are secured and how risk from one can cascade to others. This is the foundation of third-party cyber risk management as a discipline.
What does a third-party ecosystem look like in practice?
The third-party ecosystem is the full network of external organizations that touch your business in any meaningful way. For a mid-sized enterprise, this might include dozens of SaaS platforms, managed service providers, payroll and HR vendors, legal and financial services firms, logistics and shipping partners, and the software development tools used by your own engineering team.
Beyond these direct relationships sit the fourth parties: the vendors your vendors depend on. You did not choose them, you may not know who they are, and you have no direct contract with them. But if a fourth party supporting your payroll vendor is breached, the impact can still reach you.
Understanding the full ecosystem requires more than a vendor list. It requires vendor inventory management that centralizes third-party relationships, organizes them by risk tier, and gives teams a complete picture of who is in their ecosystem.
How do organizations manage third-party cyber risk?
Third-Party Cyber Risk Management (TPCRM) is the structured practice of identifying, assessing, and continuously monitoring the cyber risk that third-party relationships introduce. It is a subset of broader third-party risk management (TPRM), which also covers financial, operational, legal, and reputational risk. Black Kite focuses on the cyber component: the exposure that lives in code, credentials, configurations, and connections.
Effective third-party cyber risk management includes evaluating vendors before onboarding, assigning risk tiers based on the sensitivity of the access each vendor has, monitoring those vendors continuously for emerging threats, and maintaining a documented response process for when a vendor is compromised. A one-time questionnaire or annual review is not sufficient for vendors with critical access. The threat environment changes continuously, and so does each vendor's security posture.
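The following is an added example, not Black Kite's code or data, that models the practice described above and the fourth-party cascade from the previous section: a vendor inventory tiered by the most sensitive access each vendor holds, a review cadence derived from that tier, and a breadth-first walk of vendor dependencies that answers "which of our vendors are exposed if this (possibly fourth-party) organization is breached?". The access levels, tier mapping, cadence policy and vendor names are all constructed assumptions.

```python
"""Vendor inventory tiered by access, with fourth-party blast radius.
Constructed example for this page; not Black Kite's code or data."""
from collections import deque
from dataclasses import dataclass, field

# Assumed mapping from the most sensitive access a vendor holds to a risk tier:
# 1 = critical (in production), 2 = data or network access, 3 = no system access.
ACCESS_TIER = {"production": 1, "data": 2, "network": 2, "none": 3}

@dataclass
class Vendor:
    name: str
    access: str                      # highest access level granted to your systems
    depends_on: list = field(default_factory=list)  # the vendor's own vendors

def tier(v: Vendor) -> int:
    return ACCESS_TIER[v.access]

def review_cadence(v: Vendor) -> str:
    """Assumed policy: anything with system access is monitored continuously."""
    return "continuous" if tier(v) <= 2 else "annual"

def blast_radius(inventory: dict, compromised: str) -> list:
    """Names of inventoried vendors whose supply chain, at any depth, includes
    `compromised` (which may be a fourth party you hold no contract with),
    ordered by tier so the most critical exposure comes first."""
    dependents = {}                  # reverse edges: upstream name -> who relies on it
    for v in inventory.values():
        for upstream in v.depends_on:
            dependents.setdefault(upstream, []).append(v.name)
    reached, queue = set(), deque([compromised])
    while queue:                     # breadth-first walk down the dependency chain
        for name in dependents.get(queue.popleft(), []):
            if name not in reached:
                reached.add(name)
                queue.append(name)
    hit = [inventory[n] for n in reached if n in inventory]
    return [v.name for v in sorted(hit, key=lambda v: (tier(v), v.name))]

# Constructed inventory: CloudHostCo and DnsProvider are fourth parties.
INVENTORY = {v.name: v for v in [
    Vendor("ci_tool", "production", ["CloudHostCo", "DnsProvider"]),
    Vendor("payroll_vendor", "data", ["CloudHostCo"]),
    Vendor("hr_portal", "data", ["payroll_vendor"]),
    Vendor("parts_supplier", "none"),
]}

for name in blast_radius(INVENTORY, "CloudHostCo"):
    print(f"{name}: tier {tier(INVENTORY[name])}, review {review_cadence(INVENTORY[name])}")
```

Note that hr_portal is reached even though it never names CloudHostCo: the exposure arrives through payroll_vendor, which is exactly the indirect path a flat vendor list cannot show.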
Black Kite's cyber risk monitoring platform gives security teams ongoing visibility into the technical risk posture of their vendor ecosystem, so they do not have to wait for an incident to discover what changed.