In December 2020, a software update pushed to thousands of companies by a reputable IT management provider called SolarWinds contained malicious code planted by attackers. The update was signed, verified, and delivered through normal channels. Businesses that installed it — believing they were keeping their systems secure — were compromised.
The SolarWinds attack is the most famous example of a supply chain attack. But it is far from the last, and the targets are no longer exclusively large enterprises. Small businesses are now routinely affected — either directly, or as the supply chain entry point for a larger organisation they serve.
What Is a Supply Chain Attack?
A supply chain attack occurs when an attacker compromises a business not through a direct breach, but through a trusted third party — a software provider, a managed service provider, a supplier, a contractor — who has legitimate access to the target’s systems.
The logic is straightforward from an attacker’s perspective: if the target is well-defended, attack someone they trust instead.
For small businesses, this cuts two ways:
You can be the victim. A software tool you use, a payroll provider, a cloud service — any of these could be compromised, and that compromise could extend to your business.
You can be the vector. If you have network access, system credentials, or data belonging to a larger client, attackers may target you specifically because of that relationship. Your security posture becomes a risk for your customers.
The Scale of the Problem
Research from 2024 and 2025 consistently identifies supply chain attacks as among the most financially damaging cyber incidents. According to insurance claim data analysed across SMBs, supply chain compromises generate the highest average claim values — around $265,000 per incident — despite being less frequent than phishing or ransomware.
Claims are high because supply chain attacks tend to be discovered late and affect multiple systems simultaneously. By the time the breach is identified, attackers have often had extended access.
Common Supply Chain Attack Vectors for SMBs
Managed service providers (MSPs). Businesses that outsource IT management to an MSP give that provider significant access to their systems. If the MSP is compromised, every client they manage is potentially compromised. This has happened repeatedly — attackers specifically target MSPs because a single breach provides access to dozens or hundreds of businesses.
Software providers. Malicious code injected into a software update, a compromised development pipeline, or a tampered installer can reach every customer of a given application. Keeping software updated is important — but updates themselves can occasionally be the vector.
Accounting and payroll services. These providers hold highly sensitive financial and personal data. A breach of a shared accounting platform can expose years of business and employee records.
Cloud service integrations. Many businesses connect multiple cloud tools via APIs and integrations. A breach of one service can cascade through connected systems.
What You Can Do
Audit your third-party access. Which suppliers, contractors, and service providers have access to your systems? Do they have more access than they need? Access that was granted for a project and never revoked is a common gap.
Ask your suppliers about their security. Not in an accusatory way — but understanding what controls a supplier has in place is reasonable due diligence, particularly for providers with significant access to your data or systems.
Limit access scope. Apply the principle of least privilege: give third parties the minimum access they need to do their job. Segment your network so that a compromised integration cannot reach your entire environment.
Monitor for unusual activity. A supplier’s compromised credentials accessing your systems will often show unusual patterns: different times, different locations, unexpected data access. Monitoring access by supplier accounts is how you detect these anomalies.
Have a supplier incident procedure. If a supplier contacts you to notify you of a breach, what do you do? Having a plan means you can act quickly to revoke access, audit affected data, and assess your exposure.
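As an added example (not part of the original article), the check described under "Monitor for unusual activity" can be sketched as a baseline comparison over access logs. The log layout, the account name msp-support and all sample events are constructed assumptions for illustration.

```python
from datetime import datetime

# Constructed sample data: (ISO timestamp, hypothetical supplier account, country, resource).
BASELINE = [
    ("2025-03-03T09:12:00", "msp-support", "GB", "helpdesk"),
    ("2025-03-04T11:40:00", "msp-support", "GB", "patching"),
    ("2025-03-05T15:05:00", "msp-support", "GB", "helpdesk"),
]
NEW_EVENTS = [
    ("2025-03-10T10:15:00", "msp-support", "GB", "patching"),
    ("2025-03-11T03:02:00", "msp-support", "GB", "helpdesk"),
    ("2025-03-11T03:05:00", "msp-support", "SG", "payroll-export"),
]
def build_profile(events):
    """Learn each account's usual hours, source countries and resources."""
    profile = {}
    for ts, account, country, resource in events:
        p = profile.setdefault(account, {"hours": set(), "countries": set(), "resources": set()})
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["countries"].add(country)
        p["resources"].add(resource)
    return profile

def hour_is_usual(hour, usual_hours, slack=1):
    """True if hour is within `slack` hours of a seen hour (wraps at midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in usual_hours)

def flag_anomalies(profile, events):
    """Return [(event, reasons)] for events that deviate from the profile."""
    findings = []
    for event in events:
        ts, account, country, resource = event
        p = profile.get(account)
        if p is None:
            reasons = ["account has no baseline"]
        else:
            reasons = []
            if not hour_is_usual(datetime.fromisoformat(ts).hour, p["hours"]):
                reasons.append("unusual time")
            if country not in p["countries"]:
                reasons.append("unusual location")
            if resource not in p["resources"]:
                reasons.append("unexpected data access")
        if reasons:
            findings.append((event, reasons))
    return findings
if __name__ == "__main__":
    for event, reasons in flag_anomalies(build_profile(BASELINE), NEW_EVENTS):
        print(event, "->", ", ".join(reasons))
```

In practice the baseline would come from several weeks of real access logs, and a flagged event is a prompt to contact the supplier and review the session, not proof of compromise.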
W3IT’s security reviews include an assessment of third-party access points — who has access to your systems, what they can reach, and whether that access is appropriately managed. It’s an area that surprises many business owners.