The Cybersecurity Risk Hiding in Plain Sight — Your Own Vendors

Every business owner locks their front door at night. But what about the dozens of digital doors you may have left wide open — not by accident, but by doing normal business? In Episode 84 of UnHacked, hosts Justin Shelley (Phoenix IT Advisors) and Mario Zaki (Mazteck IT) tackle one of the most underestimated threats facing small and mid-sized businesses today: vendor risk and third-party access.

This is Episode 10 of their ongoing cybersecurity fundamentals mini-series, and based on the show's recent surge in downloads and listener engagement, business owners across the country are waking up to just how critical this information really is.

A Nightmare That Actually Happened

The episode opens with a reference to one of the most powerful stories in UnHacked history — Episode 34, featuring a real MSP owner (Robert Choffi) who arrived at work one day to find that not only were all of his own systems encrypted by ransomware, but so was every single one of his clients' systems. A hacker had breached his remote management software — the very tool he used to protect his clients — and used it to push malicious code across his entire customer base.

The recovery took weeks. Possibly months. And it took an army of fellow IT professionals rallying together to help him dig out.

When Justin asked Robert what he would have done differently, his answer was a single word: frameworks.

That word — and that story — are the backbone of this episode.

The Stat That Should Scare You

According to research Justin references in the episode, the average business has 89 vendors with direct access to their network or data. Read that again: 89.

Now ask yourself: How many of your vendors have access to something sensitive in your business — your files, your financials, your customer data, your systems? Do you know the number? Do you even know who they all are?

If your honest answer is "not really," you are not alone. As Justin puts it: "This is one of those things that creeps and sprawls and gets out of control — and it's got to be reined back in."

Why Your IT Company Might Be Your Biggest Risk

Justin and Mario have a candid, refreshingly honest conversation about something most IT providers would never admit publicly: your MSP (Managed Service Provider) may be your single greatest cybersecurity vulnerability. Because your IT company has access to everything — your servers, your Microsoft 365, your computers, your backups — a breach of them is effectively a breach of you.

Mario walks through the questions every business owner should be asking their IT provider:

How are your technicians connecting remotely to my systems?

Where are my passwords and credentials stored?

Is multi-factor authentication (MFA) enforced across your entire team?

Can your staff access my systems from a coffee shop?

These aren't hostile questions. They're responsible ones. And if your IT provider gets defensive when you ask them, that tells you something important.

The TeamViewer Problem (And What It Represents)

One of the most practical and actionable moments in this episode is the discussion around undocumented remote access software. Justin and Mario explain that virtually every time they do a security assessment for a new client, they find remote access software — TeamViewer, LogMeIn, Ninja, and others — installed on machines with no clear record of who put it there, why it's there, or whether it's still being actively used and patched.

In some cases, a previous IT vendor installed it and never removed it when they lost the account. In other cases, employees installed it without authorization. In the worst cases, it's simply sitting there — unpatched, unmonitored, and wide open.

Justin's philosophy? If it's not documented, shut it off. If someone complains, now you know who's using it and why — and you can put it back in the right way.

Mario adds a layer of nuance: feed your software inventory into AI tools and ask them to flag anything that's outdated or critically unpatched. In 2026, this process is faster and easier than ever — and there's no excuse not to do it.

The Vendor Vetting Wake-Up Call

Justin shares two contrasting real-world client examples that perfectly illustrate the difference between reactive and proactive vendor management:

Client A had already signed a contract and paid a vendor before asking their IT provider whether the vendor was secure. When Justin started asking the vendor for security documentation, they went silent — escalating up legal chains, running it by executives — and ultimately never provided anything. Justin refused to complete the integration. The client was frustrated. It got tense. But the alternative could have been catastrophic.

Client B came to Justin before signing anything and asked one simple question: "Is this company secure?" That question — the right question, asked at the right time — opened a conversation that led to a smarter, more secure, and less expensive solution built on a platform they could control.

One word. One question. Completely different outcomes.

Your Action Plan: Start With a Piece of Paper

Justin closes the episode with the most practical homework assignment in the series — and it couldn't be simpler:

Sit down and write out every vendor that has access to anything in your business.

That's it. Start there. Use a spreadsheet, a notepad, whatever works. Then add a column for: Do I know what access they have? And another: Have I ever vetted them from a security standpoint?

From there, you can:

Ask your MSP to run a full software inventory across your network

Feed that list into AI to flag remote access tools and outdated software

Walk through your business operations (sales, delivery, billing, HR, finance) and map every software used to every type of data it touches

Start closing the gaps — one vendor, one risk, at a time

And critically: this is not a "set it and forget it" exercise. Mario reminds listeners that vendor access, enterprise app permissions, and software sprawl are ongoing issues that require regular review.
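As an added illustration of the inventory and flagging steps above (this is not code from the episode or its hosts), the script below takes a constructed software-inventory export and a constructed vendor register of the kind the homework describes, then flags remote-access tools no documented vendor accounts for and vendors holding access that have never been vetted. Host names, vendor names and the register format are hypothetical sample values.

```python
"""Flag undocumented remote-access tools and unvetted vendor access.

Added example, not from the UnHacked episode. Inputs are constructed:
a software inventory export (one row per host and program) and a vendor
register in the "who has access, to what, vetted?" shape the episode
recommends. Hosts, vendors and tool names are hypothetical samples.
"""
import csv
from io import StringIO

# Constructed inventory export: host, program name, version, install date.
INVENTORY_CSV = """host,program,version,installed
FIN-01,TeamViewer,15.40,2021-03-02
FIN-01,Microsoft 365 Apps,16.0,2024-01-10
HR-02,LogMeIn,4.1,2019-11-21
OPS-03,NinjaRMM Agent,5.7,2025-06-15
OPS-03,AnyDesk,7.1,2023-08-30
"""

# Constructed vendor register: vendor, the tool they use (if any),
# what they can reach, and whether they were ever security-vetted.
VENDOR_REGISTER = [
    {"vendor": "Example MSP", "tool": "NinjaRMM Agent", "access": "all endpoints", "vetted": True},
    {"vendor": "Example Payroll Co", "tool": None, "access": "HR data export", "vetted": False},
]

# Name fragments that indicate remote-control capability (case-insensitive).
REMOTE_ACCESS_MARKERS = ("teamviewer", "logmein", "anydesk", "ninja", "splashtop", "screenconnect")

def is_remote_access(program):
    """True if the program name looks like a remote-access / RMM tool."""
    name = program.lower()
    return any(marker in name for marker in REMOTE_ACCESS_MARKERS)

def find_undocumented_remote_access(inventory_csv, register):
    """Return sorted (host, program) pairs for remote-access tools no vendor documents."""
    documented = {r["tool"].lower() for r in register if r["tool"]}
    hits = []
    for row in csv.DictReader(StringIO(inventory_csv)):
        if is_remote_access(row["program"]) and row["program"].lower() not in documented:
            hits.append((row["host"], row["program"]))
    return sorted(hits)

def find_unvetted_vendors(register):
    """Return vendors that hold access but were never security-vetted."""
    return sorted(r["vendor"] for r in register if r["access"] and not r["vetted"])

if __name__ == "__main__":
    for host, program in find_undocumented_remote_access(INVENTORY_CSV, VENDOR_REGISTER):
        print(f"UNDOCUMENTED remote access: {program} on {host} -> disable, then find the owner")
    for vendor in find_unvetted_vendors(VENDOR_REGISTER):
        print(f"UNVETTED vendor with access: {vendor} -> request security documentation")
```

Anything the first check prints is a candidate for Justin's "if it's not documented, shut it off" rule; anything the second prints is a vendor conversation that is overdue.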

The Bottom Line

Your business has a perimeter — but it's not the one you think. It's not your office walls or your firewall. It's the sum total of every vendor, contractor, subcontractor, and service provider who has a key to any part of your digital world. And right now, most businesses have no idea how many keys are out there, or who's holding them.

This episode gives you the mindset shift, the real-world proof, and the practical first steps to change that — starting today.

🔒 Is Your Business Actually Secure?

The hosts of UnHacked offer free cybersecurity risk assessments to help business owners find out exactly where they're exposed — before a hacker does.

📅 Schedule your free assessment today at phoenixitadvisors.com — mention UnHacked when you reach out.

There's no obligation, no pressure, and no technical expertise required on your end. Just clarity, and a plan.

UnHacked is hosted by Justin Shelley of Phoenix IT Advisors and Mario Zaki of Mazteck IT. New episodes every week at unhackmybusiness.com.
