As firms scale faster with outsourced tech, many are quietly losing control—and sometimes, everything else too
The apps, platforms, and cloud systems that keep businesses humming are mostly invisible to the average user. But they aren’t invisible to hackers. And increasingly, they’re not invisible to executives waking up to find their entire operations stalled by the failure of someone else’s code.
For years, companies saw technology as just another tool in the shed. Hire a vendor, plug in the software, watch the numbers tick up. But that’s no longer the world we live in. Today, most organizations are only as resilient as the least secure third-party tech they rely on.
What Happens When the Backbone Breaks?
Ed Williams of Trustwave describes the current state bluntly: “It’s brittle.”
And he’s not wrong. Businesses of all sizes—from high street retailers to multinational banks—depend on a maze of APIs, SaaS tools, and cloud integrations to function. But ask most executives where those systems are hosted, how they’re secured, or how often they’re patched, and you’ll likely get a shrug.
Until something breaks.
In 2023, a single outage at Okta, an identity service provider, left dozens of clients—including major healthcare systems—unable to log in for hours. Earlier this year, the MOVEit file transfer breach affected hundreds of companies, exposing sensitive data from government agencies to financial firms.
Outsourcing Control, One Vendor at a Time
It’s easy to see how this started.
Outsourcing tech infrastructure makes economic sense. Hiring engineers, building platforms in-house, and keeping 24/7 uptime is expensive. Cloud-based vendors promised a faster, cheaper route.
And for the most part, they delivered:
- Fast integration
- Scalable operations
- Lower upfront costs
But this speed comes with trade-offs. Control is diluted. And as platforms layer over one another—Slack talking to Zoom, Zoom feeding into Salesforce, Salesforce syncing with Stripe—the organization becomes one massive daisy chain of interdependence.
The Risk Isn’t Always Obvious—Until It Is
What makes third-party tech risk so dangerous is how quietly it creeps in.
One system might power your email sign-ins. Another hosts your payment gateway. A third manages CRM records. You barely notice them—until they go dark.
This isn’t just a tech issue. It’s a business continuity issue. It’s a public trust issue. One moment of downtime can lead to:
- Lost revenue
- Angry customers
- Regulatory penalties
- Damaged brand reputation
And you might not even be at fault.
Industry Impact: One Glitch, Thousands of Casualties
Here’s where it gets real. When third-party systems fail, the blast radius is often enormous.
In 2021, a software flaw in Kaseya, a remote management tool used by IT providers, enabled a ransomware attack that hit over 1,500 businesses. Supermarkets in Sweden were forced to close. Clinics couldn’t access patient records. Travel agencies lost days of bookings.
No one could’ve predicted that a small IT vendor could halt entire industries, but that’s the reality of today’s digital dependence.
Here’s a quick look at recent high-profile tech failures and their cross-industry consequences:
Incident | Vendor Involved | Industry Impacted | Consequence |
---|---|---|---|
MOVEit Breach (2024) | Progress Software | Gov, Finance, Insurance | Mass data exfiltration |
Kaseya Ransomware (2021) | Kaseya | Retail, Healthcare | Global outage, ransom demands |
Okta Outage (2023) | Okta | Tech, Health, Logistics | Widespread login issues |
SolarWinds Hack (2020) | SolarWinds | Government, Enterprise | Nation-state level data breaches |
The names may change. The pattern doesn’t.
A Growing Call for Due Diligence—and Accountability
CISOs and CIOs are starting to push back.
Many are now asking vendors for:
- Detailed security audits
- Software bill-of-materials (SBOMs)
- Penetration testing results
- Disaster recovery plans
But here’s the catch—smaller vendors often can’t provide these. Or worse, they overpromise and underdeliver.
Williams argues that third-party assessments should become part of routine procurement, not an afterthought. “Too many organizations still treat tech risk as a box to check, not a threat to manage.”
And yet, many contracts don’t even include breach disclosure timelines. When something does go wrong, the customer might be the last to know.
What Businesses Can Actually Do About It
There’s no perfect solution. But there are better practices.
- Map your dependencies: Know which systems are critical and who owns them
- Create vendor risk tiers: Not every tool needs the same level of oversight
- Simulate outages: Practice how your team would respond if vendor X went offline
- Push for transparency: Demand uptime SLAs, security docs, and audit access
Still, even the most rigorous oversight can’t eliminate risk. It can only reduce it.
And let’s be honest—some companies won’t make the effort until the next big outage hits them.