Verizon's 2024 DBIR found a 68% increase in third-party breaches. The structural problem is that you can harden your own systems but not your vendors' systems, and the IS governance literature has not caught up to what that means.
I have been sitting with the Verizon 2024 DBIR third-party finding since it was published. The number is that 15% of breaches involved a third-party vendor or partner (the report is at https://www.verizon.com/business/resources/reports/dbir/), a 68% increase from the prior reporting period. "Third-party risk" is one of those phrases that gets used so often it starts to feel like it explains something when it mostly labels something. I want to try to explain it, because the 68% increase is not a mystery. It is the predictable result of two trends that have been running in parallel for years, and the IS governance response to those trends has not kept pace.
The first trend is that organizations have been aggressively expanding their vendor relationships. Cloud providers, managed service providers, SaaS platforms, payroll vendors, logistics partners, and dozens of other third-party relationships now touch sensitive organizational data that would previously have stayed inside a perimeter the organization controlled. The second trend is that attackers have been learning that vendors are a more efficient entry point than target organizations. If you can compromise a vendor whose software runs inside a thousand organizations, you have a thousand potential breach opportunities from one successful attack. The economics of that are compelling from an attacker's perspective, and the DBIR data suggests attackers are acting on it.
SolarWinds is still the clearest illustration of what that logic produces. In 2020, attackers compromised SolarWinds' software build process and inserted malicious code into a routine update for the Orion network monitoring platform. Around 18,000 organizations installed that update. Several hundred, including multiple federal agencies and large enterprises, were then singled out for further exploitation. The breach was not in the target organizations. It was in their vendor's software delivery pipeline. For every organization that ran a patched, up-to-date version of SolarWinds Orion, the update itself was the vector of compromise. The thing you are supposed to do was the attack.
MOVEit in 2023 followed the same structural logic. A SQL injection vulnerability in MOVEit Transfer, a widely used managed file transfer product, allowed attackers to hit hundreds of organizations across government, healthcare, finance, and higher education in a single coordinated campaign. Because MOVEit is used at scale for compliance-driven data movement, a single unpatched vulnerability became a multi-sector breach event. Verizon's 2024 numbers carry the footprint of that campaign in the third-party category. And in early 2024, the XZ Utils backdoor, a carefully planted supply chain compromise in a compression utility used across Linux distributions, revealed that the attack surface extends beyond commercial software to open-source dependencies that most organizations do not systematically track.
I want to bring institutional isomorphism into this analysis, because I think DiMaggio and Powell (1983) describe exactly what is happening in third-party risk management at most organizations. Their theory argues that organizations adopt practices not necessarily because those practices are effective, but because adopting them makes the organization look legitimate and normal relative to its peers and to regulatory expectations. Mimetic isomorphism, one of the three mechanisms they identify, describes how organizations imitate peers when they are uncertain about what the right practice is. Coercive isomorphism describes how regulatory pressure drives adoption of specific forms even when the substance behind them is weak.
Third-party risk management in most organizations is a textbook case of isomorphic adoption without genuine capability. Organizations run annual vendor security questionnaires because their peers do and because regulators expect it. The questionnaire is the form. What it actually produces, a completed document from the vendor attesting to security practices, bears little relationship to whether the vendor's build pipeline is secure against a sophisticated adversary. SolarWinds passed vendor security assessments at many of the organizations it supplied. The form was present. The substance was not. That is mimetic isomorphism in the security context: the practice looks right from the outside and satisfies the audit requirement, but it is not functionally connected to the actual risk.
The structural problem is that information security governance has historically been organized around perimeter control. You define what you own, you apply controls to that perimeter, and you assess risk within it. Third-party relationships challenge that model because they extend your attack surface into environments you do not control and often cannot audit at the level of detail that would reveal a supply chain compromise. Your annual vendor questionnaire does not detect a rogue commit in an open-source library your vendor depends on. Your penetration testing does not reach your managed service provider's internal systems. Your security information and event management platform does not ingest logs from your cloud backup vendor's environment.
The Secure Software Development Framework, published by NIST at https://csrc.nist.gov/Projects/ssdf, addresses the technical side of the software supply chain problem. It describes practices for securing the software development lifecycle: protecting the build environment, using verified tools, reviewing and testing code for vulnerabilities, and maintaining integrity verification for software components. Adoption of SSDF has increased since SolarWinds made software supply chain attacks front-page news. But framework adoption by software producers does not automatically benefit the organizations consuming that software, because most consuming organizations do not have the capacity to verify that their vendors are implementing the framework correctly. The framework requires trust in vendor self-reporting, which is precisely the kind of trust that supply chain attacks exploit.
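One concrete form the SSDF's integrity-verification practice can take on the consuming side, and the kind of check an annual questionnaire never performs, is matching a vendor-supplied SBOM against an advisory watchlist, including the transitive dependencies the vendor pulled in. The block below is an added example, not code from the page, NIST or any vendor; the SBOM and the watchlist are constructed, with hypothetical package names and placeholder version ranges.

```python
import json
from typing import Dict, Iterator, List, Tuple

Range = Tuple[str, str]  # inclusive (low, high) version bounds

# Constructed sample SBOM for a hypothetical vendor product (CycloneDX-style
# JSON written by hand for this example; not a real vendor's SBOM). Nested
# "components" express transitive dependencies the vendor pulled in.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "vendor-backup-agent", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "example-transfer-lib", "version": "3.1.4"},
        {"type": "library", "name": "example-http", "version": "2.0.0",
         "components": [
             {"type": "library", "name": "example-compress", "version": "9.9.1"}]},
        {"type": "library", "name": "example-compress", "version": "9.8.0"},
    ],
})

# Constructed watchlist: hypothetical package names and placeholder version
# ranges standing in for a real advisory feed. Not real affected versions.
WATCHLIST: Dict[str, List[Range]] = {
    "example-compress": [("9.9.0", "9.9.1")],
    "example-transfer-lib": [("3.0.0", "3.1.3")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'X.Y.Z' into a comparable tuple; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def walk_components(node: dict, depth: int = 0) -> Iterator[Tuple[str, str, int]]:
    """Yield (name, version, depth) for every component, nested ones included."""
    for comp in node.get("components", []):
        yield comp.get("name", ""), comp.get("version", ""), depth
        yield from walk_components(comp, depth + 1)


def flag_components(sbom_json: str, watchlist: Dict[str, List[Range]]) -> List[dict]:
    """Return every SBOM component whose version falls inside a watchlisted range."""
    hits = []
    for name, version, depth in walk_components(json.loads(sbom_json)):
        for low, high in watchlist.get(name, []):
            if parse_version(low) <= parse_version(version) <= parse_version(high):
                hits.append({"name": name, "version": version, "depth": depth,
                             "range": f"{low}-{high}"})
    return hits


if __name__ == "__main__":
    for hit in flag_components(SAMPLE_SBOM, WATCHLIST):
        print(f"{hit['name']} {hit['version']} at dependency depth {hit['depth']} "
              f"matches watchlist range {hit['range']}")
```

In the constructed data only the transitive copy of example-compress is flagged; the top-level copy sits outside the range, which is exactly the distinction a self-attested questionnaire cannot draw.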
Gartner projects worldwide information security spending at 13 billion for 2025 (https://www.gartner.com/en/newsroom). A substantial portion of that goes toward internal controls: firewalls, endpoint detection, identity management, SIEM platforms, penetration testing. Those investments are not wasted, but they address a shrinking fraction of the total attack surface as the third-party portion grows. The 13 billion is largely being spent inside the perimeter at a time when more and more breaches start outside it. That misalignment between where money goes and where risk originates is a governance problem that spending numbers alone cannot fix.
What worries me as an IS researcher is that the gap between framework and practice in third-party risk management is not being studied the way it should be. The frameworks recommend tiering vendors by criticality, conducting detailed audits of high-risk vendors, and reviewing security posture continuously. The practice is more often an annual questionnaire that vendors complete themselves, a contract clause that allows audits but is rarely exercised, and vendor tier assignments that were made years ago and have not been updated after the vendor expanded its data access. That gap between the ostensive routine (what the policy says) and the performative routine (what people actually do) is a governance failure that produces real breach exposure. It is also exactly the kind of research question that IS researchers should be answering with organizational data, not leaving to security vendors who sell solutions to it.
The 68% year-over-year increase in third-party-involved breaches suggests the trend is accelerating, not plateauing. Attackers are rational actors in an economic sense. They concentrate effort where the return is highest. A vulnerability in a widely deployed vendor product produces hundreds of breach opportunities per campaign. Targeting individual organizations one at a time is far less efficient. Until the governance structures around vendor relationships develop genuine capability rather than isomorphic form adoption, the third-party breach percentage will likely keep climbing. Fourteen percent in 2023. Fifteen percent in 2024. The direction is clear.
---
Sources checked:
- Verizon 2024 DBIR, 15% of breaches involved a third party, a 68% increase from the prior period: https://www.verizon.com/business/resources/reports/dbir/
- Gartner, worldwide information security spending for 2025, 13 billion: https://www.gartner.com/en/newsroom
- NIST Secure Software Development Framework: https://csrc.nist.gov/Projects/ssdf
- DiMaggio and Powell (1983), institutional isomorphism: foundational organizational theory, no URL required.
- SolarWinds 2020, approximately 18,000 organizations installed the malicious update: widely documented by CISA and in congressional testimony, consistent across public sources.
- MOVEit 2023, SQL injection vulnerability in a managed file transfer product: publicly documented, consistent with DBIR 2024 attribution.
- XZ Utils backdoor 2024, in an open-source compression utility: publicly documented supply chain incident.
Claims not independently verified:
- That SolarWinds passed vendor security assessments at affected organizations is a widely reported claim, not cited here to a specific audit finding.
- The year-over-year figures (14% to 15%) are directional framing based on DBIR trend language; the prior-year percentage was not directly confirmed.