The IT Agency

Summary

  • The average small business is connected to 10 or more third-party tools, each holding data or accessing systems outside Microsoft’s protection
  • Each connected tool is a potential entry point, and most businesses have never reviewed what access those tools actually have
  • Attackers use connected tools and supply chain relationships as a pathway into businesses that would otherwise be difficult to compromise directly
  • The same verification principles that apply to staff access apply to every tool connected to your environment

Most small businesses spend their cyber security attention on the obvious targets: email, devices, staff logins. The tools sitting around the edges of the business – the accounting platform, the payroll system, the HR software, the practice management tool – rarely get the same scrutiny.

The IT Agency’s Managing Director Ron Rosenbaum joined a cyber security panel at Fin365 Symphony 2026 alongside Jay Staal and Dan Goffredo. One theme that came up directly was the risk that lives not inside the Microsoft environment, but in everything connected to it. Ron spoke from direct experience: “An attacker could be in your system and using it to attack your supply chain – I’ve seen that happen.”

It is a pattern that is becoming more common, and most small businesses have never considered it.

Are the tools connected to your business actually secure?

The average small business today is running a collection of connected tools that has grown organically over time. A new payroll platform here. A client portal there. An integration that someone set up two years ago and nobody remembers the details of. Each tool that connects to your Microsoft environment – your email, your data, your calendar – was granted a level of access when it was set up. Most businesses have never gone back to review what that access is, whether it is still needed, or whether the tool itself is meeting a reasonable security standard.

The moderator at the Fin365 panel asked Ron and Jay directly about this: “What additional risks do you guys have to deal with because practices are using so many different platforms?”

The answer is that every platform is its own risk. A tool that has read access to your email to send notifications also has read access to everything else in that inbox. A payroll integration that connects to your financial data holds some of the most sensitive records in the business. A client management platform that was set up by a staff member who has since left may still be connected with credentials nobody is actively monitoring.

None of these tools are inherently unsafe. The risk comes from connecting them without a clear understanding of what they can access, and leaving them connected without review.

How do attackers get in through connected tools?

The supply chain risk is distinct from threats that come through staff or internal access. This is about attackers using your connected tools as a pathway – either into your business, or through your business to reach someone else.

Supply chain attacks work by targeting a weaker link in a connected ecosystem rather than attacking the primary target directly. A small professional services firm connected to a larger client’s systems is a more accessible entry point than the larger client itself. An accounting platform shared across multiple businesses becomes a single point of compromise for all of them. A vendor with access to your systems who has their own security gaps becomes your security gap too.

For businesses in financial services, legal, or professional services, this is particularly relevant. These businesses sit inside larger ecosystems of clients, platforms, and partners, each of which represents a connection that an attacker can try to move through.

How do you apply the same standard to tools as to people?

The same principle that applies to staff access applies to every tool connected to your environment. Verify everything. Review access regularly. Remove what is no longer needed.

Jay Staal put the practical direction clearly at the panel: “Consolidating as many tools as possible to Microsoft just makes everything run native to the identity experience. The identity is paramount.”

The more tools you can bring under a single identity framework, the more visibility and control you have over what they can access and what they are doing. Tools that connect via single sign-on through Microsoft Entra can be monitored and managed centrally. When something changes, such as a staff member leaving, a subscription lapsing, or a tool being compromised, the response is faster and more contained because everything is visible from one place.

Tools that connect outside that framework need to be reviewed deliberately rather than left to accumulate.

How should I start reviewing third-party tools and platforms?

Reviewing your connected tools is a business exercise as much as a technical one. These are the questions worth working through with your IT team or managed service provider.

  1. List every tool connected to your business environment. Include anything that has access to your email, your data, your Microsoft tenant, or your client records. If you are not sure what is connected, your IT partner can run a report.
  2. For each tool, ask what it can access. What data does it hold? What permissions was it granted when it was set up? Is that still appropriate for what the tool is actually used for today?
  3. Check how each tool logs in. Does it connect through Microsoft single sign-on, or does it use its own separate login? Tools using separate credentials are harder to monitor and harder to deactivate quickly if something goes wrong.
  4. Check whether each tool has MFA enabled. A standalone login without a second verification step is an exposed credential. Most platforms support MFA. Many businesses have never turned it on.
  5. Remove or restrict tools that are no longer actively used. Dormant connections with live access are unnecessary risk. Deactivate them.
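
Once the inventory from step 1 exists, the remaining questions can be applied to every row the same way. The following is an added example, not part of the original article or The IT Agency's own tooling: the inventory rows are constructed, and the field names, the `needed` column (what the business decides each tool actually requires) and the 90-day dormancy threshold are assumptions.

```python
from datetime import date

# Constructed sample inventory, not real tenant data. Field names are
# assumptions standing in for the columns of a connected-apps report.
INVENTORY = [
    {"tool": "payroll-sync", "scopes": ["Files.Read.All"], "needed": ["Files.Read.All"],
     "sso": True, "mfa": True, "last_used": date(2026, 3, 1), "owner_active": True},
    # Only sends notifications, but was also granted read access to the mailbox.
    {"tool": "notify-bot", "scopes": ["Mail.Read", "Mail.Send"], "needed": ["Mail.Send"],
     "sso": True, "mfa": True, "last_used": date(2026, 2, 20), "owner_active": True},
    # Set up by a staff member who has left; own login, no MFA, unused.
    {"tool": "old-client-portal", "scopes": ["Contacts.Read"], "needed": [],
     "sso": False, "mfa": False, "last_used": date(2024, 1, 15), "owner_active": False},
]

REVIEW_DATE = date(2026, 3, 10)  # constructed review date, fixed for repeatable output


def review(row, today, dormant_days=90):
    """Apply review questions 2-5 to one connected tool and return its findings."""
    findings = []
    # Step 2: access granted at setup versus what the tool is used for today.
    excess = sorted(set(row["scopes"]) - set(row["needed"]))
    if excess:
        findings.append("excess-access: " + ", ".join(excess))
    # Step 3: separate logins are harder to monitor and to deactivate quickly.
    if not row["sso"]:
        findings.append("separate-login")
    # Step 4: a login without a second verification step.
    if not row["mfa"]:
        findings.append("no-mfa")
    # Step 5: dormant connections that still hold live access.
    if (today - row["last_used"]).days > dormant_days:
        findings.append("dormant")
    # Connections whose owner has left and that nobody is actively monitoring.
    if not row["owner_active"]:
        findings.append("orphaned-owner")
    return findings


def triage(inventory, today):
    """Map each tool name to its list of findings (empty list means no action)."""
    return {row["tool"]: review(row, today) for row in inventory}


if __name__ == "__main__":
    for tool, findings in triage(INVENTORY, REVIEW_DATE).items():
        print(tool, "->", findings or "ok")
```
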

Support to manage third-party and supply chain risk

The IT Agency works with Australian businesses to map their full cyber security exposure, including core systems, connected tools, third-party access, and supply chain relationships, and build a practical path to address the gaps. If you have not looked closely at what is connected to your business environment, we can help you find out – reach out to the team today.

Frequently asked questions

Why are the tools connected to my business a cyber security risk?

Every third-party tool or platform connected to your business holds data or has been granted access to your systems. Most businesses set these connections up and never review them again. Over time, tools accumulate access they no longer need, credentials go unmonitored, and connections from former staff or completed projects stay open. Each one is a potential entry point that sits outside your core Microsoft environment.

What is a supply chain cyber attack?

A supply chain cyber attack targets a connected tool, vendor, or service provider to reach a more valuable target. Rather than attacking a business directly, an attacker compromises something that already has access to it. For small professional services firms connected to larger clients or shared platforms, this is an increasingly relevant risk.

How do I know what tools are connected to my Microsoft environment?

Your IT partner can run a report from the Microsoft admin centre showing every application that has been granted access to your Microsoft tenant. This is often the first step in reviewing your connected tools and frequently surfaces connections that business owners were not aware of.

What is the safest way to connect third-party tools to my business environment?

Tools that connect via single sign-on through Microsoft Entra sit within a managed identity framework that gives your IT partner visibility and control over what they can access. This makes it easier to monitor activity, enforce access standards, and deactivate connections quickly if needed.