In our experience of post-breach audits, about half of the breaches were caused by a service provider working for the breached company.
Almost always, the vendor or contractor had no malicious intent. Their organization’s own IT systems were not secure, and/or their team members performed actions in a non-secure way.
Be sure the service providers you use are working every day to be more secure too. Ask them about their security awareness training program. Ask them how often they are audited by independent third-party firms that are interested in helping them increase their own security. If you want to, encourage them to sign up for our newsletter.
Remember, your IT security relies on their IT security too.