In a supply chain cyberattack, attackers compromise your business through one of your vendors, suppliers, or service providers rather than attacking your business directly. The technique has become a dominant attack pattern because it's efficient — compromising one widely-used vendor produces access to hundreds or thousands of customers simultaneously. SolarWinds was the headline example; smaller versions of the same pattern now happen routinely. Here's what supply chain attacks look like and how to defend against them.

The Common Patterns

Supply chain attacks generally follow a few patterns:

  • Software supply chain compromise — attacker compromises a widely-used software product (SolarWinds, Kaseya), with malicious updates distributed to customers through the legitimate update mechanism
  • MSP or IT vendor compromise — attacker breaches an MSP, then leverages the MSP's privileged access to its customer base
  • SaaS account compromise — attacker compromises a SaaS administrator account and accesses customer data through the platform
  • Cloud platform misconfiguration — attacker exploits a misconfiguration or shared-platform vulnerability that affects multiple tenants at once
  • Hardware supply chain — rare but real, where compromised hardware components reach customers through the manufacturing chain
  • Open source dependency compromise — attacker compromises a widely-used open source library, with malicious code reaching applications that include it

[Diagram: how attackers compromise software vendors, MSPs, and SaaS providers to gain access to downstream customer organizations]

Why SMBs Are Vulnerable

Supply chain attacks are particularly consequential for SMBs because they often lack the visibility to detect compromise that came through a vendor. The malicious activity looks legitimate — it's the vendor's tools doing things the vendor's tools normally do, just maliciously. Smaller businesses also have less leverage to demand strong security practices from their vendors and less ability to verify vendor claims about their own security posture.

The result: SMBs often discover vendor-related compromise weeks or months after it started, when the consequences (data theft, fraud, ransomware) finally surface.

The Vendor Risk Management Practice

Defense against supply chain attacks starts with vendor risk management. The practice includes:

  • Inventory of every vendor with access — what each one can access, what data they handle, what permissions they have
  • Risk classification by vendor — critical vendors with broad access vs. lower-impact vendors with limited access
  • Security due diligence — SOC 2 reports, security questionnaires, attestation of specific controls before engaging vendors
  • Ongoing monitoring — periodic reassessment of vendor security posture, not just initial onboarding
  • Access scoping — vendors get the access they need, not blanket permissions
  • Network segmentation — limiting what vendors can reach even with their authorized access
  • Logging and monitoring of vendor activity — visibility into what vendors are actually doing in your environment

The Specific Controls That Help

Technical controls that mitigate supply chain attack impact:

  • Privileged access management — vendor access goes through PAM systems with session recording and just-in-time approval
  • Conditional access — vendor sign-ins evaluated for risk signals (impossible travel, unusual times, new devices)
  • Network segmentation — vendors limited to specific network zones, not broad LAN access
  • EDR/MDR on systems vendors access — behavioral monitoring catches anomalous activity even when the credentials are legitimate
  • SaaS activity monitoring — visibility into administrative actions in connected SaaS platforms
  • Application allow-listing — limits what code can run, reducing the impact of malicious software updates
  • MFA enforcement on vendor accounts — applied to vendor identities the same way as internal accounts
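The conditional-access risk signals above (impossible travel, unusual times, new devices) and the vendor activity logging from the previous section can be checked with a small script. This is an added example, not code from the original post or from any product; the sign-in record layout, the business-hours window, and the 900 km/h travel threshold are assumptions, and the sample sign-ins are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins for vendor identities (not real logs).
# Fields: account, UTC timestamp, device id, latitude, longitude.
SIGNINS = [
    ("svc-msp-admin", "2024-05-06T09:12:00", "dev-a1", 30.44, -84.28),   # Tallahassee
    ("svc-msp-admin", "2024-05-06T09:40:00", "dev-a1", 30.44, -84.28),
    ("svc-msp-admin", "2024-05-06T10:05:00", "dev-zz", 52.52, 13.40),    # Berlin, 25 min later, new device
    ("svc-saas-backup", "2024-05-06T02:30:00", "dev-b7", 33.75, -84.39), # off-hours
]

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 UTC is a normal vendor window
MAX_KMH = 900                    # assumption: faster than an airliner = impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def evaluate(events):
    """Return (account, timestamp, signal) tuples for every risk signal found."""
    findings = []
    last_seen = {}        # account -> (timestamp, lat, lon) of the previous sign-in
    known_devices = {}    # account -> device ids seen so far (first device is the baseline)
    for account, ts_str, device, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        ts = datetime.fromisoformat(ts_str)
        if ts.hour not in BUSINESS_HOURS:
            findings.append((account, ts_str, "unusual_time"))
        seen = known_devices.setdefault(account, set())
        if seen and device not in seen:
            findings.append((account, ts_str, "new_device"))
        seen.add(device)
        if account in last_seen:
            prev_ts, plat, plon = last_seen[account]
            hours = (ts - prev_ts).total_seconds() / 3600
            if hours > 0 and haversine_km(plat, plon, lat, lon) / hours > MAX_KMH:
                findings.append((account, ts_str, "impossible_travel"))
        last_seen[account] = (ts, lat, lon)
    return findings


if __name__ == "__main__":
    for finding in evaluate(SIGNINS):
        print(finding)
```

A real deployment would read these events from the identity provider or PAM session log and feed the findings into the same alerting path as internal-account anomalies.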

The Insurance Reality

Cyber insurance carriers have noticed the supply chain risk pattern and are increasingly requiring evidence of vendor risk management practices during underwriting. Businesses that can demonstrate documented vendor risk management get better coverage and pricing; businesses that can't may find coverage limited or excluded for vendor-related incidents.

The insurance pressure adds urgency to the vendor risk management work that should be happening anyway. For most SMBs, formalizing vendor risk management is both a security improvement and an insurance optimization. A free assessment can scope what vendor risk management looks like for your business.

About Leonidas

Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments for businesses evaluating their IT and security posture. Contact us or call 850-614-9343.