Third-Party Risk Management: Fourth Party Data-Sharing Risks

Dvir Sasson
Updated April 2, 2025
April 3, 2025
4 minutes

You've probably heard terms like "third-party" and "fourth-party" thrown around, especially as it relates to data sharing. But what does it all really mean?

Here's a quick breakdown: A third-party is any external vendor, partner, or provider your organization directly engages with. These are companies you explicitly trust and manage, usually with clear agreements and security checks in place.

But here's where things get tricky. Sometimes, these trusted third-party vendors share your data or services further down the line—with their own subcontractors, partners, or vendors. That's a fourth-party. Sounds complicated? It is.

Think about it: You've spent time and resources vetting your third-party vendors, ensuring they're secure, compliant, and reliable. But what about their vendors? Those companies you probably haven't directly vetted might not follow the same standards, and that introduces potential security risks.

The real issue is visibility—or the lack of it. You trust your third parties, but if they share your data with someone else, how much control or oversight do you have? Usually, not enough.

Here's the kicker: if a fourth-party gets compromised or misuses your data, guess who's on the hook? You are. Regulators (think GDPR or CCPA) won't care if the breach came from your vendor's vendor—they'll hold you responsible anyway.

The Fourth-Party Risk

The SaaS Security Gap is widening because of what we call SaaS Sprawl, and app-to-app connections are one of the most overlooked security risks in today's dynamic SaaS environment. As Tarek Marji, Senior Staff Security Engineer at SecurityScoreCard noted, "A lot of our recent breaches involved supply chain. It can be a 4th party—not even 3rd party—it starts from there."

A number of things could potentially be at stake:

  • Data breaches: Fourth parties may not have strict security controls, making them easy targets for attackers.
  • Compliance trouble: Regulators hold you responsible for the full chain of custody of your data, from third-party down to fourth-party, and beyond.
  • Reputational damage: A breach or compliance issue at a fourth party can harm your brand just as much as if it happened directly within your own systems.
  • Loss of control: Without visibility into these connections, you can't enforce your security policies across your entire data ecosystem.
  • Increased attack surface: Each additional connection expands the potential entry points for attackers.

Let's imagine a scenario. You vetted Vendor X to securely manage customer data. Vendor X outsources parts of their work to Company Y (the fourth-party). You probably haven't assessed Company Y, right? Now, what if Company Y has weak security controls or is targeted by attackers? Exactly. You're in trouble.

How Reco Detects Fourth-Party Risks

Do you really want to try to map out all of your third parties' fourth parties? I don't think so.

Reco steps up the game here. Our Dynamic SaaS Security solution automatically spots when your data or resources are being shared beyond the third-party boundary by identifying anomalies such as unusual access patterns, suspicious geolocations, or unexpected IP addresses. It then provides actionable insights, so you are aware of potential fourth-party risks and ready to respond to them swiftly.

This isn't just theoretical. In one case, Reco discovered an unapproved GenAI tool used by a Slack Admin that gained Admin access to a customer's Salesforce instance—creating a dangerous data exposure risk that would have remained hidden without proper SaaS-to-SaaS visibility.

Figure: Workflow outlining data sharing beyond the third-party boundary triggering a high-severity alert in Reco. Reco's detection rules provide the context needed to determine whether access should be revoked.

Reco's approach to identifying and managing fourth-party risks is comprehensive:

  • App-to-App Discovery: We track all SaaS-to-SaaS connections in your environment, providing visibility into where your data flows.
  • Knowledge Graph: Our proprietary technology maps relationships between apps, users, and data, enabling us to identify potential fourth-party exposure by processing vast amounts of diverse data and turning it into business context at SaaS speed.
  • Contextual Analysis: We provide what we call "eureka-grade context" by examining the business purpose of connections and flagging those that might introduce unnecessary risk.
  • Behavioral Analytics: We leverage advanced analytics to detect suspicious activities by monitoring who accesses your data, including external and guest users, and identifying attempts at unauthorized access. Because Reco discovers identities using advanced analytics, we can uncover user permissions and exact activities—who is external, who is a guest, and who attempts to access the data.
  • Automated Alerts: Our solution sends instant notifications when potential fourth-party risks are detected, with context-rich intelligence that helps you understand the severity and appropriate response.

Figure: Policy example in Reco warning when a 3rd party is sharing with a 4th party in Microsoft SharePoint, and the MITRE tactic utilized.

Figure: Policy example in Reco stating that a 3rd party must be authorized to share data with a 4th party in Google Drive.
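The policy shown above ("a third party must be authorized to share data with a fourth party") can be expressed as a small rule over sharing events. The following is an added illustration, not Reco's code or detection logic: the domains, the authorization map and the audit events are all constructed sample data, and the organisation's own domain is assumed to be example.com.

```python
# Added example, not Reco's code: a minimal detector for the policy
# "a third party must be authorized to share data with a fourth party".
# Domains, the authorization map and the events are constructed sample data.
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumed: the organisation's own tenant domain

# Approved third parties, each mapped to the fourth parties it may share with.
AUTHORIZED = {
    "vendor-x.com": {"subprocessor-y.com"},
    "payroll-saas.io": set(),  # approved vendor that may not re-share at all
}

@dataclass(frozen=True)
class ShareEvent:
    resource: str        # Drive file / SharePoint item identifier
    sharer_domain: str   # domain of the account that granted access
    target_domain: str   # domain of the account that received access

def classify(event):
    """Return (severity, reason) for a single sharing event."""
    src, dst = event.sharer_domain, event.target_domain
    if dst == ORG_DOMAIN:
        return "info", "recipient is internal"
    if src == ORG_DOMAIN:
        if dst in AUTHORIZED:
            return "info", f"direct share with approved third party {dst}"
        return "medium", f"direct share with unvetted external party {dst}"
    if src in AUTHORIZED:
        if dst in AUTHORIZED[src]:
            return "low", f"{src} shared with its authorized fourth party {dst}"
        return "high", f"third party {src} re-shared data with unauthorized fourth party {dst}"
    return "high", f"unknown external party {src} granted {dst} access"

def fourth_party_alerts(events):
    """Return (resource, reason) for every high-severity finding."""
    findings = []
    for e in events:
        severity, reason = classify(e)
        if severity == "high":
            findings.append((e.resource, reason))
    return findings

# Constructed sample audit events, loosely modelled on a Drive sharing log.
SAMPLE_EVENTS = [
    ShareEvent("doc-1001", "example.com", "vendor-x.com"),
    ShareEvent("doc-1001", "vendor-x.com", "subprocessor-y.com"),
    ShareEvent("doc-1002", "vendor-x.com", "offshore-dev.net"),
    ShareEvent("doc-1003", "payroll-saas.io", "gmail.com"),
    ShareEvent("doc-1004", "example.com", "random-contractor.org"),
]
```

Running `fourth_party_alerts(SAMPLE_EVENTS)` flags doc-1002 and doc-1003, the two cases where an approved vendor re-shared data with a party nobody authorized; the direct share to an unvetted contractor is a separate, medium-severity third-party finding.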

In short—Reco helps you close the visibility gap, so you're never blindsided.

Bottom Line

Fourth-party risks aren't going away anytime soon. With Reco, you're equipped to manage them, protecting your data, compliance, and reputation. Our Dynamic SaaS Security solution moves as fast as your business, ensuring that you maintain visibility and control even as your SaaS ecosystem evolves.

About the Author

Dvir is the Director of Security Research, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.

Technical Review by: Gal Nakash
