An e-commerce business had, like most growing companies, accumulated suppliers: a marketing platform, an analytics tool, a logistics integration, a couple of agencies, several SaaS products that had each been signed up by a different team for a good reason at the time. Individually, every one made sense. Collectively, no one could say what all those suppliers could reach into the business, what data they held, or which of them still needed the access they had been given months or years earlier.

The worry was reasonable and undramatic. The most likely path to a bad day was not the company’s own systems but a supplier’s, and the company had little visibility into, or control over, what those suppliers could touch. You cannot manage a risk you cannot see, and this one had been growing quietly in the blind spot.

The challenges we had to solve

  • There was no single list of suppliers, let alone of what data each one held or what each could access. Several had been onboarded without security ever looking.
  • Some integrations had broad access far beyond what their actual function needed, simply because broad was the easy default at setup.
  • Vendors that were no longer used still held live connections and credentials, because offboarding had never been anyone’s defined job.
  • The process had to be light enough to keep running, since new suppliers get added constantly and a one-time audit would be stale within months.

How we approached it

We built the supplier inventory that should have existed, and for each one asked the questions that matter: what data do they hold, what can they reach, and how critical are they if something goes wrong. That turned a vague unease into a ranked, concrete picture. The suppliers that could touch the most sensitive data, or reach the furthest into the systems, got attention first; the long tail of low-risk tools we noted and moved past, because spending equal effort everywhere is its own kind of waste.

For the connections that mattered, we pulled access back to what each supplier genuinely needed, and we closed out the vendors who no longer needed any access at all, which is the step most often forgotten. Then we gave the company a simple routine for new suppliers, so security is part of onboarding rather than a thing remembered later, and a periodic check light enough to actually happen. The relationships and the accountability stay theirs; our part was making the risk visible and controllable rather than invisible and growing.
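The inventory, ranking and clean-up routine described in the two paragraphs above, as an added Python example that is not the consultancy's own tooling; the classification tiers, weights, scope names and the sample suppliers are constructed for illustration.

```python
"""Minimal supplier risk register: rank suppliers by data held, reach and
criticality, then flag over-broad scopes and disused vendors that still hold
live access. Example code; tiers and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Ordinal tiers (assumed for the example); higher means more sensitive/wider.
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "customer_pii": 3}
REACH_WEIGHT = {"none": 0, "read": 1, "read_write": 2, "admin": 3}
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Supplier:
    name: str
    data_held: str        # highest classification of data the supplier holds
    reach: str            # widest access level granted to the supplier
    criticality: str      # business impact if the supplier fails or is breached
    scopes_granted: set = field(default_factory=set)
    scopes_needed: set = field(default_factory=set)   # what its function requires
    last_used: Optional[date] = None                   # None: no activity on record
    in_use: bool = True


def risk_score(s: Supplier) -> int:
    """Higher is worse; a product so sensitive data AND wide reach dominate."""
    return ((DATA_WEIGHT[s.data_held] + 1) * (REACH_WEIGHT[s.reach] + 1)
            * CRITICALITY_WEIGHT[s.criticality])


def rank(suppliers):
    """Most dangerous first: these get attention before the long tail."""
    return sorted(suppliers, key=risk_score, reverse=True)


def excess_scopes(s: Supplier):
    """Scopes granted beyond what the integration actually needs."""
    return sorted(s.scopes_granted - s.scopes_needed)


def stale(s: Supplier, today: date, max_idle_days: int = 90) -> bool:
    """Live access held by a vendor that is no longer used: offboard it."""
    if not s.scopes_granted:
        return False
    if not s.in_use:
        return True
    return s.last_used is None or (today - s.last_used).days > max_idle_days


def findings(suppliers, today: date):
    """(name, finding, detail) tuples in risk order, for the clean-up list."""
    out = []
    for s in rank(suppliers):
        if excess_scopes(s):
            out.append((s.name, "over-broad", excess_scopes(s)))
        if stale(s, today):
            out.append((s.name, "stale-access", None))
    return out
```

A constructed inventory passed to `findings(..., date.today())` yields the ranked list of scopes to narrow and vendors to disconnect, which is the worklist the engagement produced by hand.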

Where it stands

The business now knows which suppliers it works with, what each can reach, and which ones matter most if they fail. The over-broad connections have been narrowed, the disused vendors are disconnected, and a new supplier no longer slips in without anyone considering what it can touch. Third-party risk moved from an unseen liability to something they manage on purpose.

Talk to us about your project.

A short conversation is usually enough to tell whether we are the right fit for the work. We will be straight with you either way.