When the British retailer Marks & Spencer (M&S) disclosed last year that a supplier breach had unleashed a ransomware attack, it was the kind of nightmare scenario every corporate board dreads.
The incident disrupted logistics, erased more than 750 million pounds (approximately $1 billion) in market value in a matter of days and left executives fending off questions about why third-party controls hadn’t caught the risk. Beyond that, the event was a stark reminder of a hard truth: sometimes the weakest link in a company’s cybersecurity defenses isn’t the company itself but a trusted vendor.
Data from PYMNTS Intelligence in the August edition of The 2025 Certainty Project report, “Vendors and Vulnerabilities: The Cyberattack Squeeze on Mid-Market Firms,” reveals that for mid-market firms, this is both a structural challenge and a strategic paradox.
These firms depend on vendors for efficiency, innovation and scale, yet that very reliance multiplies their attack surface. Frequently, attackers compromise a vendor first, then use the trust relationship to infiltrate their target firm. This creates what cybersecurity analysts call the vendor vulnerability paradox: the more deeply firms integrate third-party partners, the more exposed they become.
Why Vendors Have Become the Weakest Link
Modern business ecosystems are more interdependent than ever. Cloud providers, SaaS platforms, managed service providers and logistics partners form the digital scaffolding on which mid-sized firms operate.
But each of those partners, no matter how seemingly peripheral, creates a potential point of entry. Attackers understand this, and they play the long game: rather than battering the digital front doors of dozens of mid-sized companies, they target a single vendor whose credentials or software updates offer broad access.
Nearly 4 in 10 fake invoice scams (38%), for example, stemmed from vendor or supplier compromise, while 43% of phishing incidents were linked back to third-party breaches.
What makes these attacks effective isn’t sophisticated code but basic psychology. Cybercriminals exploit trust, urgency and authority to trick employees into authorizing payments or disclosing credentials. As artificial intelligence tools make phishing emails more convincing and deepfake audio more accessible, the manipulation is becoming harder to detect.
For mid-market firms, the vendor problem is acute because they rarely have leverage to demand robust security audits from suppliers. Large enterprises can force vendors to comply with SOC 2 or ISO 27001 standards; mid-market players often lack that bargaining power. Worse, many don’t have systems in place to continuously monitor vendor risk. A once-a-year questionnaire may tick a compliance box but won’t detect a breach unfolding in real time.
Awareness of the threat hasn’t translated into consistent investment. The PYMNTS Intelligence data revealed striking disparities in how much mid-market firms allocate to cybersecurity.
Fifty-seven percent devote just 1–2% of annual revenue to combating social engineering threats, 25% spend 3–5%, while 13% spend less than 1%.
Smaller firms, paradoxically, often spend more proportionally. Among companies with revenues between $100 million and $400 million, more than 60% allocate at least 3%, with 9% spending as much as 6-8%. Larger firms in the $400 million to $1 billion range, by contrast, tend to spend less, with none exceeding the 5% threshold.
This unevenness reflects a lack of consensus—and perhaps confidence—about what constitutes “enough” spending. Is 2% of revenue adequate? Should mid-market firms benchmark against Fortune 500 peers, or are their risk profiles too different?
Cybercriminals are not ideologues; they are opportunists. They go where the defenses are thin, the payouts are significant and the attack surface is broad. Mid-market firms, as the PYMNTS Intelligence study makes clear, embody all three conditions.
The squeeze is tightening. Social engineering exploits human trust, vendors extend vulnerabilities and uneven budgets leave gaps. The choice facing mid-market leaders is stark: treat cybersecurity as a strategic investment now, or face the costly aftermath later.
The post When Partners Become Cybersecurity Risks appeared first on PYMNTS.com.