Supply Chain Risk · 28 May 2025 · 7 min read

Supply Chain Cyber Risk: How Your Vendors Could Expose Your Business

Your business is only as secure as the third-party software and suppliers you rely on — here is how to manage supply chain cyber risk as an Australian small business.


When we talk about cyber security for small businesses, we tend to focus on the obvious threats: phishing emails, weak passwords, malware. But there is a category of risk that gets far less attention and is becoming increasingly dangerous — supply chain attacks, where criminals compromise your business not by attacking you directly, but by attacking someone you trust.

What Is a Supply Chain Cyber Attack?

A supply chain attack happens when an attacker compromises a vendor, software provider, or IT supplier in order to reach their real targets — the customers and clients who use that vendor's products or services.

Two high-profile examples illustrate the scale of the problem. The SolarWinds attack in 2020 saw hackers insert malicious code into a routine software update, which was then distributed to thousands of organisations worldwide — including government agencies. The MOVEit breach in 2023 exploited a vulnerability in widely used file transfer software, exposing data from hundreds of organisations that had done nothing wrong themselves. They were simply using compromised software.

These are large-scale examples, but the same principle applies to small businesses every day.

How This Affects Small Businesses

You may not be using enterprise-grade infrastructure, but you almost certainly rely on third-party technology and services. Consider:

  • Cloud accounting software like Xero or MYOB — if compromised, attackers could access your financial data or redirect payments.
  • Cloud payroll platforms — these hold sensitive employee data including bank account details and tax file numbers.
  • IT managed service providers (MSPs) — your IT provider likely has elevated access to your systems. If they are breached, so are you.
  • Payment gateways and e-commerce plugins — a compromised plugin on your website could silently harvest customer card details.
  • Contractors with system access — a freelance developer or bookkeeper with login credentials is an extension of your attack surface.

Small businesses are attractive targets for this kind of attack precisely because they tend to have less sophisticated security. Attackers compromise a small supplier to gain a foothold, then use that access to reach larger clients or harvest data across dozens of businesses at once.

How Attackers Exploit Third Parties

The typical playbook looks like this: the attacker identifies a vendor with broad access to multiple client environments — an IT MSP, for example. They compromise the vendor through a phishing attack or by exploiting an unpatched vulnerability. Once inside the vendor's systems, they use legitimate tools and credentials to move into client environments, often without triggering any alerts because they appear to be the trusted vendor going about their normal work.

By the time the breach is discovered, the attacker may have had weeks or months of access.

Practical Steps to Reduce Your Supply Chain Risk

Apply the Principle of Least Privilege

Only give vendors and contractors the minimum access they need to do their job. If your bookkeeper needs to view invoices, they do not need admin access to your entire cloud environment. Review permissions regularly and remove access immediately when an engagement ends — do not rely on the vendor to do this for you.

Ask the Right Questions Before Onboarding a Vendor

Before giving any third party access to your systems or data, ask:

  • Do you have a written cyber security policy?
  • Do your staff use multi-factor authentication?
  • How do you handle security updates and patching?
  • What is your process if you experience a breach that affects our data?
  • Are you accredited under any security framework (e.g. ISO 27001, IRAP, Essential Eight)?

You do not need to conduct a formal audit of every supplier. But asking these questions at the start of a relationship signals that you take security seriously and helps you identify vendors who do not.

Monitor for Unusual Activity

If you receive a notification that a vendor you use has been breached, act immediately. Change any shared credentials, review recent activity in your accounts, and check for any unexpected changes to settings — particularly email forwarding rules, payment details, or user accounts.
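The checks above can be turned into a repeatable post-notification triage. The script below is an added example, not code from the original article: it scans a constructed list of audit events (the field names, account names and sample events are invented for the example; most cloud accounting, payroll and email platforms export something similar) and flags the three change types the article tells you to look at first: new email forwarding rules, changed payment details, and new or elevated user accounts, highlighting anything performed by an account belonging to the breached vendor.

```python
"""Post-vendor-breach triage over exported audit events.

Added example (not from the original article). Event format, account names
and sample data are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit events, as a generic cloud app might export them.
SAMPLE_EVENTS = [
    {"time": "2025-05-20T09:12:00Z", "actor": "bookkeeper@vendor.example",
     "action": "InvoiceViewed", "target": "INV-1042", "details": {}},
    {"time": "2025-05-21T02:47:00Z", "actor": "bookkeeper@vendor.example",
     "action": "InboxRuleCreated", "target": "owner@smallbiz.example",
     "details": {"forward_to": "archive@mailbox.example", "delete_original": True}},
    {"time": "2025-05-21T02:52:00Z", "actor": "bookkeeper@vendor.example",
     "action": "SupplierBankDetailsChanged", "target": "Acme Supplies",
     "details": {"old_bsb": "062-000", "new_bsb": "083-004"}},
    {"time": "2025-05-21T03:05:00Z", "actor": "bookkeeper@vendor.example",
     "action": "UserCreated", "target": "svc-backup@smallbiz.example",
     "details": {"role": "admin"}},
    {"time": "2025-05-22T10:00:00Z", "actor": "owner@smallbiz.example",
     "action": "UserCreated", "target": "newhire@smallbiz.example",
     "details": {"role": "staff"}},
]

# Action names are hypothetical; map the ones your platform actually emits.
SUSPECT_ACTIONS = {
    "InboxRuleCreated": "email forwarding rule",
    "InboxRuleModified": "email forwarding rule",
    "SupplierBankDetailsChanged": "payment details",
    "UserCreated": "user account",
    "RoleAssigned": "user account",
}


@dataclass(frozen=True)
class Finding:
    time: str
    category: str
    actor: str
    target: str
    reason: str


def _parse(ts: str) -> datetime:
    # Accept the trailing "Z" on older Python versions as well.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(events, vendor_accounts, since: str) -> list[Finding]:
    """Return suspect changes made at or after `since` (ISO-8601 UTC).

    `vendor_accounts` is the set of logins the breached vendor uses in your
    tenant; anything they did in the window is reported regardless of type.
    """
    cutoff = _parse(since)
    findings: list[Finding] = []
    for ev in events:
        if _parse(ev["time"]) < cutoff:
            continue
        category = SUSPECT_ACTIONS.get(ev["action"])
        if category is None:
            continue
        details = ev.get("details", {})
        reasons = []
        if category == "email forwarding rule" and details.get("forward_to"):
            reasons.append(f"forwards mail to {details['forward_to']}")
            if details.get("delete_original"):
                reasons.append("deletes the original so the owner never sees it")
        elif category == "payment details":
            reasons.append("bank details changed")
        elif category == "user account" and details.get("role") == "admin":
            reasons.append("admin role granted")
        if ev["actor"] in vendor_accounts:
            reasons.append("performed by a breached-vendor account")
        if reasons:
            findings.append(Finding(ev["time"], category, ev["actor"],
                                    ev["target"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Example: the vendor notified you of a breach on 21 May 2025.
    for f in triage(SAMPLE_EVENTS, {"bookkeeper@vendor.example"}, "2025-05-21T00:00:00Z"):
        print(f"{f.time} [{f.category}] {f.actor} -> {f.target}: {f.reason}")
```

Each finding is something to verify with the vendor and, where you cannot, to reverse: delete the rule, restore the previous bank details, disable the account. The routine new-hire account created by the owner with a normal role is deliberately not reported, which keeps the list short enough to act on under pressure.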

Review Permissions After Offboarding

When a contractor finishes their engagement or you switch software providers, do a thorough access review. Revoke credentials, remove connected applications, and change any passwords that were shared. This is one of the most commonly skipped steps and one of the easiest for attackers to exploit.
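An access review like the one described here, and the least-privilege check from earlier in the article, can be run from a simple register of who you have engaged and what they need. The script below is an added example, not code from the original article: it reconciles a constructed export of accounts and connected applications against an engagement register and lists what to revoke, downgrade, rotate or disconnect. The vendor names (other than Xero, which the article mentions), logins, roles and dates are invented for the example.

```python
"""Offboarding and least-privilege access review.

Added example (not from the original article). Accounts, vendors, roles,
connected apps and dates are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Engagement:
    vendor: str
    required_role: str        # the least role the work actually needs
    ends: date | None         # None = ongoing engagement


@dataclass(frozen=True)
class Account:
    login: str
    vendor: str | None        # None = your own staff
    role: str
    shared: bool = False      # generic/shared credential rather than a named person


# Ranking used to decide whether an account holds more than its engagement needs.
ROLE_RANK = {"read": 0, "staff": 1, "admin": 2}

# Constructed engagement register.
ENGAGEMENTS = {
    "Bookkeeping Co": Engagement("Bookkeeping Co", "read", None),
    "Web Dev Freelancer": Engagement("Web Dev Freelancer", "admin", date(2025, 3, 31)),
    "Managed IT": Engagement("Managed IT", "admin", None),
}

# Constructed account export from your cloud systems.
ACCOUNTS = [
    Account("jane@smallbiz.example", None, "admin"),
    Account("books@bookkeepingco.example", "Bookkeeping Co", "admin"),
    Account("dev@freelancer.example", "Web Dev Freelancer", "admin"),
    Account("support@managedit.example", "Managed IT", "admin", shared=True),
    Account("old-plugin-svc", "Old Payments Plugin", "staff"),
]

# Constructed list of connected/authorised applications and who installed them.
CONNECTED_APPS = {
    "Xero": "Bookkeeping Co",
    "SiteBuilder Deploy": "Web Dev Freelancer",
    "RMM Agent": "Managed IT",
}


def _active(eng: Engagement | None, today: date) -> bool:
    return eng is not None and (eng.ends is None or eng.ends >= today)


def review_access(accounts, engagements, connected_apps, today: date):
    """Return (ACTION, subject, reason) tuples for the access review."""
    actions = []
    for acct in accounts:
        if acct.vendor is None:
            continue                      # internal staff reviewed separately
        eng = engagements.get(acct.vendor)
        if eng is None:
            actions.append(("REVOKE", acct.login,
                            f"no engagement on record for {acct.vendor}"))
            continue
        if not _active(eng, today):
            actions.append(("REVOKE", acct.login,
                            f"engagement with {acct.vendor} ended {eng.ends.isoformat()}"))
            continue
        if ROLE_RANK[acct.role] > ROLE_RANK[eng.required_role]:
            actions.append(("DOWNGRADE", acct.login,
                            f"holds {acct.role} but {acct.vendor} only needs {eng.required_role}"))
        if acct.shared:
            actions.append(("ROTATE", acct.login,
                            "shared credential; rotate and move to named logins with MFA"))
    for app, vendor in connected_apps.items():
        if not _active(engagements.get(vendor), today):
            actions.append(("DISCONNECT", app,
                            f"connected app belongs to {vendor}, engagement not active"))
    return actions


def run_review(today_iso: str = "2025-05-28"):
    """Run the review over the constructed data as at `today_iso`."""
    return review_access(ACCOUNTS, ENGAGEMENTS, CONNECTED_APPS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for action, subject, reason in run_review():
        print(f"{action:10} {subject:32} {reason}")
```

Run it on the review date and the output is a short, ordered to-do list: the finished freelancer loses their login and their deployment app, the bookkeeper is cut back from admin to the read access the engagement needs, the MSP's shared support login is rotated, and a service account for a plugin nobody has a record of is removed. Run the same script before the freelancer's end date and only the standing least-privilege and shared-credential items remain, which is why the register, not memory, should drive the review.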

Maintain Independent Backups

If a vendor's platform is compromised or goes offline, you want to know that your data is safe independently of them. Keep backups of critical data that you control, stored separately from your main systems and any vendor environment.

Supply chain risk is not something you can eliminate entirely — it is an inherent feature of operating in a connected business environment. But by being deliberate about who you give access to, asking the right questions, and having a plan for when things go wrong, you can significantly limit your exposure.


Frequently asked questions

How do I know if my software supplier has been compromised?

Most businesses find out through a vendor notification email, media coverage, or — in the worst cases — by discovering unusual activity in their own systems. Sign up for email alerts from critical software vendors and follow the ACSC's ASD alerts at cyber.gov.au. If you hear about a breach affecting a product you use, act immediately: change credentials, review access logs, and contact your IT provider. Do not wait for the vendor to tell you what to do.

What questions should I ask IT providers about their security?

At minimum, ask whether they have their own cyber security policy and incident response plan. Find out whether they use multi-factor authentication on systems they use to access your environment. Ask how they vet their own staff and subcontractors, and what they will do — and how quickly — if they experience a breach that could affect your business. A reputable MSP will answer these questions readily. If they push back or cannot answer, treat that as a red flag.

How do I limit damage if a vendor is breached?

The key principle is least privilege: only give vendors the access they genuinely need to do their job, and revoke it immediately when the engagement ends. Segment your systems so that a compromised vendor cannot move freely through your entire network. Maintain your own backups independently of any vendor. Have an incident response plan that includes vendor breach scenarios so you are not making decisions under pressure.

Tags

supply chain, third-party risk, vendors, IT providers, small business security