Supply Chain Attacks: Defending Your Business Against Third-Party Risk
Your security is only as strong as your weakest vendor. Here's how attackers exploit trusted relationships—and how to protect yourself.
Your security is tight. You've got firewalls, endpoint protection, employee training, and regular updates. Then one day, your trusted accounting software pushes an update that installs ransomware on every computer in your company.
You didn't get hacked. Your software vendor did. Welcome to the world of supply chain attacks.
What Are Supply Chain Attacks?
A supply chain attack targets your vendors, service providers, or software suppliers to gain access to your systems. Instead of breaking through your front door, attackers compromise someone you trust and walk right in.
Why Attackers Love Supply Chain Attacks
Recent High-Profile Examples
- SolarWinds (2020): Malicious update affected 18,000 organizations including U.S. government agencies
- Kaseya (2021): Single attack affected over 1,500 businesses worldwide
- MOVEit (2023): File transfer software vulnerability exposed data from hundreds of organizations
The Pattern
Building Supply Chain Defenses
Before onboarding new vendors, ask tough questions:
Security practices:
- Do you have SOC 2 or ISO 27001 certification?
- How often do you conduct security audits?
- What incident response procedures do you have?
- How do you secure customer data?
Get Written Answers
Apply the principle of least privilege to vendor access:
- Minimize scope: Grant access only to systems and data absolutely necessary
- Use separate accounts: Don't let vendors share credentials
- Time-limited access: Disable access when not actively needed
- Network segmentation: Keep vendor access isolated from critical systems
Just-in-Time Access
Every vendor account accessing your systems must use MFA. No exceptions.
Why It Matters
Trust, but verify. Even trusted vendors should be monitored:
- Log all vendor access and activities
- Alert on unusual behavior
- Review vendor activity logs regularly
- Investigate anomalies promptly
Red flags to watch for:
- Access from unexpected locations
- Accessing systems outside their scope
- Downloading large amounts of data
- Activity during off-hours without explanation
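The red flags above are only detectable if vendor access is logged and checked against the scope each vendor was actually granted. The following script is an added example, not part of the original article: it defines a least-privilege grant per vendor (allowed systems, expected countries, a time-limited expiry) and runs a constructed access log through those grants, flagging sessions that match any of the four red flags plus an expired grant. The log format, vendor names, thresholds and every log line are constructed for illustration.

```python
"""Vendor-access review: check each logged session against the vendor's
least-privilege grant and report the red flags it raises.  Added example;
log layout, grant schema and all values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class VendorGrant:
    vendor: str
    allowed_systems: set            # scope: systems the vendor may touch
    allowed_countries: set          # where the vendor's staff normally connect from
    business_hours: tuple = (time(8, 0), time(18, 0))
    max_download_mb: int = 500      # per-session threshold (constructed value)
    expires: datetime = None        # just-in-time expiry; None = standing access


# Constructed access log, one session per line:
# timestamp | vendor | source_country | system | megabytes_downloaded
SAMPLE_LOG = """\
2024-03-04T10:15:00 | acme-accounting | US | finance-app | 12
2024-03-04T02:40:00 | acme-accounting | US | finance-app | 8
2024-03-04T11:02:00 | acme-accounting | RO | finance-app | 5
2024-03-04T14:30:00 | acme-accounting | US | hr-database | 3
2024-03-04T15:10:00 | acme-accounting | US | finance-app | 2200
2024-03-06T09:00:00 | backup-vendor | US | backup-server | 40
"""

# Constructed grants: accounting vendor has standing access to one system;
# backup vendor had a time-limited grant that expired on 2024-03-05.
GRANTS = {
    "acme-accounting": VendorGrant("acme-accounting", {"finance-app"}, {"US"}),
    "backup-vendor": VendorGrant("backup-vendor", {"backup-server"}, {"US"},
                                 expires=datetime(2024, 3, 5)),
}


def parse_log(text):
    """Parse the pipe-separated constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vendor, country, system, mb = [p.strip() for p in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "vendor": vendor,
                       "country": country, "system": system, "mb": int(mb)})
    return events


def check_event(event, grants):
    """Return the list of red flags raised by one session (empty list = clean)."""
    grant = grants.get(event["vendor"])
    if grant is None:
        return ["no active grant for vendor"]
    flags = []
    if grant.expires is not None and event["ts"] > grant.expires:
        flags.append("grant expired")
    if event["country"] not in grant.allowed_countries:
        flags.append("unexpected location")
    if event["system"] not in grant.allowed_systems:
        flags.append("system outside scope")
    if event["mb"] > grant.max_download_mb:
        flags.append("large download")
    start, end = grant.business_hours
    if not (start <= event["ts"].time() <= end):
        flags.append("off-hours activity")
    return flags


def review_log(text, grants):
    """Run every session through check_event; return only the flagged ones
    as (timestamp, vendor, flags) tuples."""
    findings = []
    for ev in parse_log(text):
        flags = check_event(ev, grants)
        if flags:
            findings.append((ev["ts"].isoformat(), ev["vendor"], flags))
    return findings


if __name__ == "__main__":
    for ts, vendor, flags in review_log(SAMPLE_LOG, GRANTS):
        print(ts, vendor, ", ".join(flags))
```

In a real deployment the grant table would come from your access-management system and the log from your VPN, bastion or SaaS audit trail; the point of the design is that "outside their scope" is only decidable when the scope is written down per vendor, which is why the grant and the detection live together.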
Your vendor agreements should include security requirements:
- Security standards: Specific controls they must implement
- Incident notification: Timeline for reporting security incidents
- Audit rights: Your ability to assess their security
- Data handling: How they store, process, and delete your data
- Liability: Who's responsible when things go wrong
Make It Meaningful
For businesses with many vendors, formalize the process:
- Initial assessment: Security review before onboarding
- Ongoing monitoring: Annual re-assessments for critical vendors
- Incident response: Plans for vendor-related security events
- Vendor lifecycle: Security checks during changes and offboarding
Identifying Your Supply Chain Risks
Map Your Third-Party Ecosystem
You can't manage risk you don't know about. Start with a comprehensive inventory:
- What software do you use?
- Who has administrative access?
- What data does it access?
- How critical is it to your operations?
Assess Vendor Security Posture
Not all vendors present equal risk. Prioritize assessment efforts based on:
- Data access: Do they handle sensitive customer or business data?
- System access: Can they access your network or critical systems?
- Business criticality: Would their failure disrupt your operations?
Risk Rating Framework
High-risk vendors: Vendors whose software or staff have access to your network or critical systems
Medium-risk vendors: Business applications with limited access to your data
Low-risk vendors: Tools with no access to sensitive systems or data
Software Supply Chain Security
Software Bill of Materials (SBOM)
What is an SBOM? A complete list of all the software components and dependencies inside a product. Think of it as an "ingredients list" for software.
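The practical use of an SBOM is answering "do we run an affected version of component X?" within minutes of a vendor advisory, rather than asking each vendor. The script below is an added example and not part of the original article: it reads a small SBOM in the CycloneDX JSON layout (the `bomFormat`, `components` and `purl` fields are real CycloneDX field names) and compares each component's version against a list of affected versions. The SBOM contents, the component names and the advisory identifiers are all constructed placeholders, not real products or real advisories.

```python
"""Match a CycloneDX-style SBOM against an advisory list.  Added example; the
SBOM document, component names and advisory ids are constructed placeholders."""
import json

# Constructed SBOM using the CycloneDX JSON layout.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1",
     "purl": "pkg:maven/example/log-helper@2.14.1"},
    {"type": "library", "name": "transfer-core", "version": "1.3.0",
     "purl": "pkg:pypi/transfer-core@1.3.0"},
    {"type": "library", "name": "json-utils", "version": "4.0.2",
     "purl": "pkg:npm/json-utils@4.0.2"}
  ]
}
"""

# Constructed advisory feed: component name -> first fixed version and a
# placeholder advisory id (not a real CVE).
ADVISORIES = {
    "log-helper": {"fixed_in": "2.15.0", "id": "ADV-PLACEHOLDER-001"},
    "transfer-core": {"fixed_in": "1.3.1", "id": "ADV-PLACEHOLDER-002"},
}


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically,
    not as strings ('2.9' would otherwise sort above '2.14')."""
    return tuple(int(p) for p in v.split("."))


def load_components(sbom_text):
    """Return [(name, version, purl)] from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c["version"], c.get("purl", ""))
            for c in doc.get("components", [])]


def find_affected(sbom_text, advisories):
    """Return [(name, version, advisory_id)] for every component whose version
    is older than the advisory's fixed version."""
    hits = []
    for name, version, _purl in load_components(sbom_text):
        adv = advisories.get(name)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Real SBOMs from vendors are often larger and may use SPDX instead of CycloneDX, and real advisories are usually matched on the `purl` rather than the bare name to avoid false matches across ecosystems; the structure of the check is the same.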
Why It Matters
Software Update Policies
Updates are necessary for security, but can also introduce risk:
- Test before deployment: Don't auto-install updates to production immediately
- Stagger rollouts: Deploy to small groups first
- Have rollback plans: Be ready to revert if an update causes problems
- Monitor vendor security: Watch for news of vendor security incidents
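The first three update-policy points describe one procedure: test in a non-production environment, then roll out in progressively larger rings with a health gate after each, and keep a rollback list ready. The code below is an added example and not part of the original article; it shows that procedure as a small orchestrator whose `deploy` and `health_check` callables are stand-ins for whatever your patch-management tooling provides. The host names, ring sizes and health results are constructed.

```python
"""Staged rollout of a vendor update with a test ring, a health gate after
each ring, and a rollback list.  Added example; hosts and results are constructed."""


def plan_rings(hosts, ring_sizes):
    """Split production hosts into rings, e.g. sizes (1, 3) -> a canary of 1,
    then 3 more, then everything that is left."""
    rings, start = [], 0
    for size in ring_sizes:
        rings.append(hosts[start:start + size])
        start += size
    if hosts[start:]:
        rings.append(hosts[start:])
    return rings


def staged_rollout(staging_hosts, prod_hosts, ring_sizes, deploy, health_check):
    """Deploy to staging first, then ring by ring to production.  After each
    ring every host in it is health-checked; on the first failure the rollout
    halts and the result lists every host that received the update so it can
    be reverted.  Returns a dict with status, failed hosts and rollback list."""
    deployed = []
    for ring in [staging_hosts] + plan_rings(prod_hosts, ring_sizes):
        for host in ring:
            deploy(host)               # stand-in for the real update action
            deployed.append(host)
        failed = [h for h in ring if not health_check(h)]
        if failed:
            return {"status": "halted", "failed": failed, "rollback": list(deployed)}
    return {"status": "complete", "failed": [], "rollback": []}


# Constructed fleet: two staging boxes and ten production workstations.
STAGING = ["stg-01", "stg-02"]
PRODUCTION = [f"ws-{i:02d}" for i in range(1, 11)]


def run_demo(broken_hosts):
    """Roll out with a health check that fails on the given constructed hosts."""
    return staged_rollout(STAGING, PRODUCTION, (1, 3),
                          deploy=lambda host: None,
                          health_check=lambda host: host not in broken_hosts)


if __name__ == "__main__":
    print(run_demo({"ws-03"}))   # halts in ring 2; rollback covers stg + ws-01..04
    print(run_demo(set()))       # completes
```

The key property is that a failure in ring N leaves at most the staging hosts plus rings 1..N carrying the bad update, which is the blast radius a staggered rollout is meant to bound; a failure in staging never touches production at all.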
Responding to Supply Chain Incidents
When a vendor is compromised, act quickly:
- Assess impact: What systems or data were potentially affected?
- Isolate exposure: Disable vendor access immediately
- Reset credentials: Change passwords for any accounts the vendor could access
- Review logs: Check for suspicious activity
- Notify stakeholders: Inform affected parties as required
- Document everything: For regulatory, legal, and insurance purposes
Communication Is Critical
Building Resilience
Perfect prevention is impossible. Build resilience instead:
- Backup vendor options: Don't be completely dependent on a single vendor
- Offline backups: Keep backups that vendors can't access or modify
- Incident response plans: Include vendor compromise scenarios
- Cyber insurance: Coverage for third-party security incidents
The Bottom Line
You might have world-class security, but if your vendors don't, you're still vulnerable. Supply chain attacks are sophisticated, but defense comes down to basic principles: know who has access, limit that access, monitor what they do, and have a plan for when things go wrong.
Your Security Perimeter
Need help assessing third-party risk?
OSA provides vendor security assessments and supply chain risk management to help you identify and mitigate third-party threats.