When Someone Else's Hack Becomes Your Problem
1/15/2026
Matthew Cosgrove, VP and Chief Information Security Officer
Learn
Services tower in a farm field

 

While winter can be a quieter period for some operations, cyber risks don’t take time off — and many now arrive through the trusted partners and services we rely on every day.

$9 million. That’s the estimated loss some US farms have faced when cyber incidents forced them to pause operations. At a recent FBI agriculture security symposium, farmers, processors, and industry partners heard a consistent message: as agriculture becomes more connected and technology-driven, it is also becoming a more attractive target for cybercriminals. The risk is real, and it continues to grow (Protecting Critical Infrastructure, 2024).

Many cyber incidents don’t start with a direct attack on a farm or business. Instead, they begin through trusted third parties — vendors or platforms that already have access to systems and information.

 

Third-Party Risk, Explained in Plain Terms
A third party is any outside company your organization relies on to operate. This can include software providers, online marketplaces, payment processors, logistics platforms, or customer management tools.

Third-party cyber risk means your organization can be affected by a cyber incident at one of those companies — even if your own systems were never directly attacked.

A recent national incident illustrates this clearly. In 2025, a widely used business integration tool that connected customer chat services with customer relationship management systems was compromised.

Attackers gained access through the vendor’s system and were able to extract customer data from hundreds of organizations that used the service (Kost, 2025).

Those organizations were not breached directly. They were impacted because a trusted external service had access to their data. This is a clear example of how third-party risk works in practice.

 

What This Looks Like for Agriculture
Cyber incidents don’t always involve sophisticated hacking or national headlines. In many cases, the damage starts quietly, through everyday digital tools that are trusted and widely used.

Agricultural businesses have reported real financial losses tied to online ordering and payment scams. In these situations, criminals placed legitimate-looking orders using fraudulent or manipulated payment information. The products were delivered, the payment initially appeared valid, and then the transaction was later reversed — leaving the business without both the product and the funds (Galloway, 2025).

There was no breach of the business’s internal computer systems. Instead, the loss stemmed from reliance on third-party online ordering and payment platforms, showing how cyber risk can surface through trusted external services rather than direct attacks.

In addition, Michigan State University has surveyed agricultural operators across the state and found that unauthorized access attempts, computer intrusions, and digital disruptions are already occurring. Many of these incidents go unreported, either because operations recover quickly or because it is unclear who to notify (Galloway, 2025).

The takeaway is straightforward: cyber risk already exists in the agricultural community, and third-party tools and services are part of that reality.

 

Why This Matters to Businesses and Their Customers
Third-party cyber risk is not just an information technology issue. It is a business risk.

When a vendor or service provider experiences a cyber incident, the impact can ripple outward:

  • Payments may be delayed or reversed
  • Orders or services may be disrupted
  • Sensitive business or customer information may
    be exposed

For organizations that support agriculture, including service providers and technology companies, these disruptions can affect both internal operations and the customers they serve.

Agriculture depends on timing. Even short interruptions tied to third-party issues can result in missed opportunities, financial loss, or strained relationships.

Cyber Threats Aren’t Just Accidents
Federal law enforcement has been clear that cyber threats to food and agriculture aren’t random — some are intentional. At a national agriculture security event, an FBI Special Agent warned that foreign actors, most notably the People’s Republic of China, are actively seeking ways to disrupt the United States’ agriculture industry. These are not hypothetical concerns; they are part of a broader threat landscape that includes attempts to undermine supply chains, steal valuable data, or degrade operations (Protecting Critical Infrastructure, 2024).

In that same briefing, the FBI urged agricultural operators, just like any other business, to adopt good cyber hygiene as part of their regular routine. That term simply refers to basic practices that make systems and data harder for attackers to exploit. Examples include:

  • Using multi-factor authentication — adding a second step (like a code sent to your phone) when signing in so that stolen passwords aren’t enough to gain access (Federal Bureau of Investigation).
  • Backing up critical data regularly — and storing those backups separately so you can recover quickly if files are lost or held hostage (Federal Bureau of Investigation).

These steps may sound simple, but they dramatically reduce the chances of costly disruptions or data loss — and they’re recommended by both law enforcement and cybersecurity specialists.

 

Reducing Risk from Third-Party Relationships
While no organization can fully control another company’s security practices, there are practical steps that can reduce exposure to third-party risk. Even when cyber risk feels overwhelming, progress often starts with a few manageable actions.

  • Know Who You Rely On
    • Maintain an up-to-date list of vendors and service providers that have access to your systems or handle your data.
  • Limit Access
    • Ensure third parties only have access to the information or systems necessary to perform their role.
  • Ask About Security
    • Before engaging a vendor, ask how they protect data, how often controls are reviewed, and how incidents are communicated.
  • Review Connections Regularly
    • Periodically review vendor access and update credentials, especially following reported security events.
  • Plan for Disruptions
    • Have a clear, practical plan for how your organization would respond if a third-party incident caused delays, outages, or data concerns — even if your own systems were not directly affected.

 

Looking Ahead
Third-party cyber risk is no longer theoretical. It is present today and affects organizations of all sizes — from local agricultural operations to national service providers.

Understanding this risk, managing vendor relationships thoughtfully, and planning for disruptions are essential steps. Not only to protect systems and data, but to support the stability of customers, partners, and industries that rely on secure, dependable services.

As we move into the new year, strengthening how we approach third-party risk is one of the most practical ways we can protect our organizations and the communities we serve.

 

To view the rest of the 2026 winter Partners articles please click here.


Partners Magazine

Get the Latest Partners Articles!

Subscribe via RSS to receive notifications.

Subscribe with RSS
X
 

We use cookies on this site to improve visitor experience. To learn about our use of cookies, visit our Privacy and Security page. By continuing to use this website, you consent to our use of cookies.