Third-Party Risk: When Ransomware Walks in Through the Side Door

News and information from the Advent IM team.

The Collins Aerospace incident is another reminder that third-party risk is no longer an abstract concept; it is one of the most common ways attackers get inside. In this case, the compromise wasn’t a direct assault on an enterprise perimeter but a ransomware attack that entered via the supply chain. Not only was data disrupted, but demands were made for payment — a pattern that is becoming increasingly common when adversaries exploit vendor access.

For organisations in defence, government, aerospace and critical infrastructure, this is a wake-up call: your own controls may be strong, but the weakest supplier in your chain can still bring you down. Attackers know this. They deliberately target vendors, integrators and service providers because these channels offer indirect access and the potential for wide-scale disruption.

Ransomware as the New Normal in Supply Chain Attacks

When bad actors gain access via a third party, the playbook has shifted. It is not just about infiltration; it is about extortion. Attackers encrypt data, exfiltrate it, and demand payment — often threatening disclosure or operational chaos to increase the pressure. Often they sell the data on anyway, regardless of whether the ransom is paid, and payment is never a guarantee of getting your data or systems back, because after all, they are criminals!

Recent data shows how sharply this trend is growing:

  • In 2024, 35.5 % of all breaches were linked to third-party access — a marked increase on previous years.
  • 41.4 % of ransomware attacks in that period involved a third party as the infection vector.
  • About 30 % of data breaches in 2025 involved a victim’s third-party vendor, double the figure from the previous year.
  • Supply chain / vendor attacks overall have doubled in 2025 compared to the previous year’s baseline.

The Collins Aerospace case is just one high-profile example, but the data shows this is systemic.

What Boards and CISOs Should Be Asking

To respond effectively, third-party assurance needs to move away from being a compliance afterthought and into the heart of risk governance. Some critical questions:

  • How well do we really know our suppliers? A simple questionnaire will not uncover systemic weaknesses, poor patching discipline or inadequate incident response.
  • Do we have genuine visibility of risk? Controls must be monitored continuously, not once a year. Contracts should include audit rights, breach notification obligations and real consequences for non-compliance.
  • Have we contained the blast radius? Zero trust principles apply as much to suppliers as they do to internal users. If a partner’s access is compromised, it should not provide open doors into your network.
  • Where does the risk end? Tier one suppliers are only the start. Sub-contractors, integrators and cloud services are all part of the same expanded attack surface.

The Broader Business Impact

This is not just an operational concern for security teams. A breach via a third party can:

  • Damage brand and reputation.
  • Trigger regulatory fines and scrutiny.
  • Create systemic impact across critical infrastructure.
  • Expose you to cross-liabilities from partners, regulators and customers.

The Collins Aerospace incident should reinforce the message that attackers will continue exploiting supply chains until organisations stop treating third-party risk as a tick-box exercise. Ransomware and extortion have amplified the stakes, making this as much a board-level issue as an operational one.

Third-party risk is enterprise risk. Treating it with the same seriousness as internal controls is now essential for resilience. That means deeper due diligence, continuous monitoring, enforceable contractual measures, and above all, designing networks and processes to withstand compromise when (not if) it occurs.

The breach pathway is no longer just the front door. Increasingly, it’s the supplier side door — and too often, it comes with a ransom note attached.

Written by Ellie Hurst, Commercial Director.
