Almost every time that I attend an event, I'll end up meeting someone who has had security issues at their company. I'm always surprised how many people have had ransomware or another security problem that didn't get well publicized. It's not like everyone has had one, but out of 100 people, it seems there is at least one issue.
Many of us work with third-party companies for either products or services. It's become standard to use other firms for specific things your organization needs. However, since that's the practice, many of those firms you partner with have their own partners. After all, they're using other companies for specialized work just like you are.
These third- and fourth-party relationships have changed our security and risk profiles for the worse. As the numbers of data breaches and security issues grow, it's likely that someone in your partner network has had an issue, which might mean that you have an issue. This depends on what you have contracted with partners for, but it seems more and more often this is some sort of service provided, often with your data being shared with the partner, which could mean your data is shared with their partners.
An article recently noted that the number of partners is going up and that many organizations are not aware of the risk this creates for them and their customers. There are more and more third- and fourth-party partners who have suffered data breaches, and if they have shared our data, we may have liability. The weakest link in a supply chain is the problem, and many of us have lengthened our supply chains quite a bit without paying attention.
I don't know that there are good solutions here, but I am seeing more and more companies demanding that suppliers of services prove they have strong security practices and protocols in place. It's not perfect, but it does help us remember that security is everyone's business, or at least everyone with whom we share our data.