The accountant, the lawyer, the IT firm, the cleaner with a key to the office: each is a potential route into the principal's affairs. The vendor's security posture is the principal's exposure. The principal cannot inspect every vendor's defences and cannot, in practice, control them.
The pattern of recent significant compromises shows this clearly. The attacker enters through a service provider whose own systems are less guarded, then uses the trust the provider has earned to reach the target. The compromise is not announced as such; it appears, when it appears, as a problem at the target firm, which only later traces back to the provider.
The defences are not exotic. They are: a clear inventory of which vendors hold what, written standards that vendors must meet to keep the relationship, periodic review confirming that the standards are still met rather than an assumption that they persist, and a structural separation between vendor access and the most sensitive of the principal's affairs.
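The four controls above can be made checkable rather than left as intentions. The following is an added illustration, not part of the original essay: it keeps a small vendor register (the inventory), records when each vendor last attested to the written standards, flags reviews that have lapsed, and enforces the structural separation by allowing sensitive scopes to be held only by the role designated for them. The vendor names, scopes, roles and dates are constructed for the example; the review intervals and the designated-holder table are assumptions a real estate office would set for itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Structural separation, as an assumed policy: each of the principal's most
# sensitive affairs may be reachable only through the vendor role named here.
# Any other vendor holding the scope is a separation violation, however
# convenient the access may be operationally.
DESIGNATED_HOLDERS = {
    "estate-plan": {"legal"},
    "trust-accounts": {"legal", "trustee"},
    "family-correspondence": {"family-office"},
}


@dataclass(frozen=True)
class VendorAccess:
    vendor: str
    role: str
    scopes: frozenset       # what the vendor can reach (the "who holds what")
    last_review: date       # last confirmed attestation to the written standards
    review_interval_days: int  # how often the attestation must be renewed


# Constructed register for the example; not real vendors or real dates.
REGISTER = [
    VendorAccess("Accountant LLP", "accounting",
                 frozenset({"tax-filings", "bank-statements"}), date(2023, 11, 1), 365),
    VendorAccess("Cleaning Co", "facilities",
                 frozenset({"office-keys"}), date(2022, 6, 15), 365),
    VendorAccess("IT Firm", "it-msp",
                 frozenset({"email-admin", "estate-plan"}), date(2024, 1, 10), 180),
    VendorAccess("Law Firm", "legal",
                 frozenset({"estate-plan", "trust-accounts"}), date(2023, 8, 20), 180),
]

# The date the review is run; fixed here so the example is reproducible.
AS_OF = date(2024, 3, 1)


def holders_of(register, scope):
    """Inventory query: which vendors currently hold a given scope."""
    return sorted(v.vendor for v in register if scope in v.scopes)


def overdue_reviews(register, today):
    """Vendors whose attestation to the standards has lapsed.

    A vendor is overdue once more than its own review interval has passed since
    the last confirmed review; the relationship should not be assumed to still
    meet the standards after that point.
    """
    return sorted(
        v.vendor for v in register
        if today - v.last_review > timedelta(days=v.review_interval_days)
    )


def separation_violations(register):
    """Vendors holding a sensitive scope without being its designated role."""
    found = []
    for v in register:
        for scope in sorted(v.scopes & DESIGNATED_HOLDERS.keys()):
            if v.role not in DESIGNATED_HOLDERS[scope]:
                found.append((v.vendor, scope))
    return sorted(found)


def review_report(register, today):
    """One structure a periodic review would produce for the principal."""
    return {
        "as_of": today.isoformat(),
        "overdue_reviews": overdue_reviews(register, today),
        "separation_violations": separation_violations(register),
    }


if __name__ == "__main__":
    report = review_report(REGISTER, AS_OF)
    print(f"Review as of {report['as_of']}")
    print("Overdue attestations:", report["overdue_reviews"])
    print("Separation violations:", report["separation_violations"])
    print("Holders of estate-plan:", holders_of(REGISTER, "estate-plan"))
```

Run against the constructed register, the report names the cleaner and the law firm as overdue for attestation and flags the IT firm for holding the estate plan outside the legal role; the inventory query shows that the estate plan is currently reachable through two vendors, which is exactly the fact the principal needs in front of them before the next compromise traces back to a provider.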
The work is administrative and continuous. It is also the part of the protection of a private estate that is most commonly absent.