Your security is only as strong as your weakest supplier.
This is the reality most businesses are now operating in. You can invest heavily in your own systems, processes and controls, but the moment you connect to a third party, you inherit their risk too.
Attackers have figured this out. Instead of going head-on at well-defended, cyber-resilient organisations, they look for softer entry points further down the chain, often in companies entirely different from the ones they ultimately plan to target: entry points they can exploit to cause mayhem throughout a third-party supply chain network.
According to ENISA’s Threat Landscape report, attacks on the supply chain are increasing because it is often far easier to compromise a smaller supplier than the primary target.
What is a supply chain attack? Behold the Trojan Horse
So, what is a supply chain attack?
At its simplest, it’s when an attacker gains access to your systems through a trusted third party. Instead of breaking through your front door, they walk in wearing a trusted uniform or have what appears to be an authentic ID badge.
It’s the modern-day equivalent of a Trojan Horse, with the malicious element hidden inside something legitimate. That something could be software, a service provider, or even a hardware component.
The most widely known example of a third-party supply chain breach is the SolarWinds attack in 2020. Attackers inserted malicious code into one of the company’s routine software updates, and around 18,000 organisations installed it, effectively letting the attackers straight into their environments. On the surface there was nothing suspicious at all, just a trusted update doing what it was supposed to do.
The two main types of supply chain attack: Software and service providers
When we talk about supply chain attacks, there are two main ways that the bad actors tend to gain access.
The first is through the software itself: compromised updates, malicious code injected into libraries, or vulnerabilities in widely used components. Supply chain security means understanding not just the applications you use, but everything that sits behind them.
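As an added illustration of the software route (example code written for this article, not code from any vendor or incident mentioned here): the simplest defence against a swapped or tampered update is to record the hash of a release when you vet it and refuse to install anything that no longer matches. The artefact name, the byte strings standing in for the update files, and the JSON manifest format are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample artefacts for this example: the release as vetted, and a
# copy that has been altered somewhere between the vendor and your installer.
GOOD_UPDATE = b"agent v2.4.1 -- vendor build -- (constructed sample bytes)"
TAMPERED_UPDATE = GOOD_UPDATE + b"\x00unexpected-extra-bytes"

ARTEFACT = "agent-2.4.1.bin"  # hypothetical artefact name


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artefact, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_pinned_manifest() -> dict:
    """Record the hash of the release at vetting time.

    The pin lives separately from the download channel (in source control, a
    lockfile, or an internal catalogue), so a later swap of the file on a
    mirror or CDN cannot silently change the value you compare against.
    """
    return {ARTEFACT: sha256_hex(GOOD_UPDATE)}


def save_manifest(manifest: dict) -> str:
    """Serialise the manifest deterministically so it can be reviewed in diffs."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def load_manifest(text: str) -> dict:
    return json.loads(text)


def verify_update(manifest: dict, name: str, candidate: bytes) -> tuple:
    """Decide whether a downloaded artefact may be installed.

    Returns (ok, reason). Unknown artefacts are refused rather than allowed,
    and the digest comparison is constant-time out of habit.
    """
    expected = manifest.get(name)
    if expected is None:
        return False, "no pinned hash for this artefact; unknown releases are refused"
    actual = sha256_hex(candidate)
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch: artefact differs from the vetted release"
    return True, "hash matches pinned value"


def check_scenarios() -> dict:
    """Round-trip the manifest through JSON, then check three downloads."""
    manifest = load_manifest(save_manifest(build_pinned_manifest()))
    return {
        "genuine": verify_update(manifest, ARTEFACT, GOOD_UPDATE),
        "tampered": verify_update(manifest, ARTEFACT, TAMPERED_UPDATE),
        "unknown": verify_update(manifest, "agent-2.5.0.bin", GOOD_UPDATE),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in check_scenarios().items():
        verdict = "INSTALL" if ok else "REJECT "
        print(f"{scenario:8} -> {verdict} ({reason})")
```

A pinned hash only catches an artefact that changed after you vetted it. In the SolarWinds case described above, the malicious code shipped inside the vendor’s own release, so a pin recorded from that release would have matched; that is why update verification has to sit alongside the supplier due diligence the rest of this article covers.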
Secondly, they gain access through service providers, such as your outsourced IT provider, managed service provider, or consultancy. If one of these companies is compromised, attackers can reach multiple clients in one move. It’s the closest thing to a hotel master key: one breach equals many entry points along the supply chain.
The ripple effect: One breach, multiple victims
What makes supply chain attacks so damaging is that they don’t stop at just the one organisation.
The Kaseya ransomware attack in 2021 is a good example of this. By compromising a single software provider, attackers were able to impact up to 1,500 businesses. Many of those organisations had no direct relationship with the attacker and no obvious vulnerability in their own systems.
They were caught up in the attack simply because they were linked through a third-party supplier.
This is why examples of supply chain attacks keep making headlines: the attacks are so easy to scale. Once a trusted supplier is breached, the damage multiplies quickly.
You can’t outsource the risk: The importance of due diligence
One of the biggest misconceptions in cyber security is that by outsourcing a service you’re also outsourcing the risk. It doesn’t work like that.
From a regulatory perspective, the responsibility still sits with you. Under GDPR, the data controller remains accountable even if a breach happens via a data processor. Basically, even if your supplier gets it wrong, you are still liable.
That’s why managing third-party cyber risk has to be taken seriously: vendor security is not a one-time checklist during procurement, it’s an ongoing process.
Due diligence needs to go beyond surface-level assurances. You need to understand how your suppliers operate, how they secure data, and how they respond to incidents.
Practical steps to secure your supply chain
This doesn’t need to be overly complicated, but it does need to be deliberate.
- Start with visibility: know who your suppliers are, what access they have, and what data they handle. You can’t manage what you can’t see.
- Apply the principle of least privilege: suppliers should only have access to the systems and data they absolutely need to do their job.
- Build security requirements into contracts, including expectations around data handling, breach notification, and minimum security standards.
- Review your suppliers regularly. Risk changes over time, especially as businesses grow, merge, or adopt new technologies.
- And, finally, have a plan. If a supplier is compromised, you need to know how you will respond and in what timeframe.
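The five steps above can be turned into a repeatable check over a supplier register. The following is an added example written for this article (not a tool from the article’s authors): the register, the supplier names, the access labels, the required contract clauses and the one-year review interval are all constructed assumptions, and a real programme would pull the same fields from its vendor inventory and identity provider.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Supplier:
    """One row of the supplier register (step 1: visibility)."""
    name: str
    service: str
    granted_access: set[str]     # systems the supplier's accounts can actually reach
    needed_access: set[str]      # systems the contracted work genuinely requires
    data_handled: set[str]       # categories of data the supplier processes
    contract_clauses: set[str]   # security clauses present in the signed contract
    last_review: date
    has_response_plan: bool      # do we know how to respond if this supplier is breached?


# Assumed policy values for the example.
REQUIRED_CLAUSES = {"data_handling", "breach_notification", "minimum_security_standards"}
REVIEW_INTERVAL = timedelta(days=365)

# Constructed sample register (fictional suppliers and systems).
SAMPLE_REGISTER = [
    Supplier("Outsourced IT provider", "helpdesk and patching",
             granted_access={"domain_admin", "email", "file_server", "finance_app"},
             needed_access={"email", "file_server"},
             data_handled={"personal_data"},
             contract_clauses={"data_handling", "breach_notification"},
             last_review=date(2023, 1, 10), has_response_plan=False),
    Supplier("Payroll provider", "payroll processing",
             granted_access={"hr_system"}, needed_access={"hr_system"},
             data_handled={"personal_data", "financial"},
             contract_clauses=set(REQUIRED_CLAUSES),
             last_review=date(2024, 9, 1), has_response_plan=True),
    Supplier("Marketing agency", "website content",
             granted_access={"cms", "crm"}, needed_access={"cms"},
             data_handled={"personal_data"},
             contract_clauses={"data_handling"},
             last_review=date(2024, 6, 15), has_response_plan=True),
]
TODAY = date(2025, 3, 1)  # fixed "today" so the example is reproducible


def excess_access(s: Supplier) -> set[str]:
    """Step 2, least privilege: access granted beyond what the work needs."""
    return s.granted_access - s.needed_access


def missing_clauses(s: Supplier) -> set[str]:
    """Step 3, contracts: required security clauses absent from the contract."""
    return REQUIRED_CLAUSES - s.contract_clauses


def review_overdue(s: Supplier, today: date) -> bool:
    """Step 4, regular review: has the review interval elapsed?"""
    return today - s.last_review > REVIEW_INTERVAL


def review_supplier(s: Supplier, today: date) -> list[str]:
    """Collect findings for one supplier; an empty list means no action needed."""
    findings = []
    extra = excess_access(s)
    if extra:
        findings.append(f"least privilege: remove access to {sorted(extra)}")
    gaps = missing_clauses(s)
    if gaps:
        findings.append(f"contract: add clauses {sorted(gaps)}")
    if review_overdue(s, today):
        findings.append(f"review overdue: last reviewed {s.last_review.isoformat()}")
    if not s.has_response_plan:  # step 5: have a plan
        findings.append("no documented response plan for a compromise of this supplier")
    return findings


def review_register(register: list[Supplier], today: date) -> dict[str, list[str]]:
    """Run the review over the whole register; only suppliers with findings appear."""
    report = {}
    for s in register:
        findings = review_supplier(s, today)
        if findings:
            report[s.name] = findings
    return report


def run_review() -> dict[str, list[str]]:
    return review_register(SAMPLE_REGISTER, TODAY)


if __name__ == "__main__":
    for name, findings in run_review().items():
        print(name)
        for f in findings:
            print(f"  - {f}")
```

The output is a per-supplier action list rather than a score, because each finding maps directly to one of the steps above and to a concrete owner (identity team, legal, the vendor manager). Treating "unknown supplier" as a finding in its own right is the natural extension, and is how the visibility step usually surfaces gaps in practice.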
In summary: trust, but verify your partners and suppliers
Supply chain attacks are not going away; in fact, they are becoming the preferred route for attackers. The reality is that your security is no longer defined by your own systems alone. It extends to every supplier you work with.
Trust is important in business, but blind trust is risky. Verification is what turns trust into something reliable.
Unsure about the security of your suppliers? Let us help you build a robust third-party risk management programme.