In 2023, a ransomware attack on a small managed IT provider in the United States cascaded through to over a thousand of its downstream clients within hours. The IT provider was not itself a particularly valuable target. Its clients — which included healthcare networks, financial services firms, and public sector bodies — were. The small supplier was the door.
Supply chain attacks are now one of the most significant and fastest-growing categories of cyberthreat. And they disproportionately target small businesses — not because small businesses hold the most valuable data, but because they hold the access.
What a Supply Chain Attack Is
A supply chain attack occurs when an attacker compromises a target organisation by first compromising a supplier, partner, or third party that has access to the target's systems, data, or staff. The initial compromise — the entry into the supply chain — is typically at a smaller, less well-defended organisation. The ultimate objective — the data theft, the ransomware deployment, the espionage — is at the larger, more defended organisation at the end of the chain.
The logic is straightforward: an FTSE 100 company, a government department, or a major hospital trust invests heavily in perimeter security. Their attack surface is monitored, their staff are trained, their vulnerabilities are managed. The security investment scales with the perceived risk. Their subcontractors, suppliers, and professional advisers typically do not make the same investment — they're smaller, they have less budget, and they've been told they're too small to be targets. The attacker exploits this asymmetry: the supplier's weaker controls become the target's weakest control.
The Types of Supply Chain Attack Targeting Small Businesses
IT Managed Service Providers (MSPs)
An IT provider that manages systems for multiple clients has privileged access to all of them. Compromising the MSP gives the attacker access to every client network simultaneously. Criminal groups specifically target MSPs because of the multiplier effect: one breach, many victims. If you use an external IT provider, their security is your security risk.
Professional Services Suppliers
Law firms, accountancy practices, and HR consultancies hold some of the most sensitive data in any supply chain: M&A plans, financial records, employment data, legal strategy. Nation-state actors and organised criminal groups actively target professional services firms for the access they provide to their clients' confidential information. A boutique solicitors firm advising on a defence acquisition holds intelligence that adversaries will pay significant sums to obtain.
Software and Technology Suppliers
The SolarWinds compromise in 2020 showed that a vendor's build pipeline can be subverted so that signed, legitimate-looking updates carry a backdoor to every customer that installs them; the Kaseya incident in 2021 showed that a flaw in a remote-management platform can be used to push ransomware to every endpoint the platform manages. The principle applies at smaller scale: a bespoke application developed by a small software house and used by a major client is an attack vector if the software house's development environment or build process is compromised.
Physical and Facilities Suppliers
The 2013 Target breach in the United States — still one of the largest retail data breaches — originated through network credentials stolen from a heating, ventilation and air-conditioning (HVAC) contractor. Physical access suppliers, cleaning companies, and facilities management firms that have network access or physical access to server rooms are supply chain risks that are frequently overlooked, precisely because nobody thinks of a maintenance account as a path to the card-processing network.
What Tier-1 Contractors and Clients Are Now Requiring
The response from large organisations and government has been to push security requirements down the supply chain. Central government contracts above certain values require Cyber Essentials. Defence primes increasingly require it of all subcontractors handling classified or sensitive unclassified information. Major legal and financial services firms are including security questionnaires and minimum control requirements in their supplier onboarding processes.
73% of our SOC in a Box clients in the engineering and consulting sector cite winning a specific contract — one where the client asked for evidence of security monitoring — as the trigger for their purchase. For these organisations, a monthly Confidence Score report and a Cyber Essentials certificate are not just security measures. They're commercial qualifications.
The Practical Risk Assessment for Small Suppliers
Ask yourself three questions. First: do you have privileged or sensitive access to any client's or partner's systems, or do they have such access to yours? If a client has given you credentials to their systems, or there is a VPN between your network and a partner's, a compromise on either side is a potential entry point for an attack on the other.
Second: do you hold data on behalf of clients that they would consider sensitive? Contract details, financial information, HR data, legal advice — any of these could motivate an attacker to compromise you to access the information rather than attempting to access the client directly.
Third: are you subject to supply chain security requirements from any of your clients or partners? If so, the question is not whether to implement controls, but how to do it most efficiently.
For most small professional services businesses, the answer to at least one of these questions is yes. The appropriate response is not a set of individual tools — it's continuous monitoring that would detect an attacker who has gained access and is traversing the network towards their ultimate objective.
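What "detecting an attacker who is traversing the network" looks like in practice, for the MSP and facilities-supplier cases above: the supplier account that was perfectly normal during the engagement suddenly reaches hosts it was never given, at an hour nobody agreed, and fans out to several machines in a few minutes. The following is an added example, not SOC in a Box's own tooling; the log format, the hostnames, the account names and the scope register are all constructed for illustration.

```python
"""Flag supplier accounts that stray beyond their agreed scope.

Added example (not SOC in a Box code). Assumes a simple line-based
authentication log and a per-account scope register; both are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed scope register: which hosts each third-party account may reach
# and the local hours (24h, start inclusive, end exclusive) during which that
# access is expected. In a real estate this comes from the supplier contract.
SUPPLIER_SCOPE = {
    "svc-hvac-maint": {"hosts": {"bms-01"}, "hours": (7, 19)},
    "msp-rmm-admin": {"hosts": {"fs-01", "fs-02", "dc-01"}, "hours": (0, 24)},
}

# Constructed log lines: "<ISO timestamp> <account> <source IP> -> <target> <result>"
SAMPLE_LOG = """\
2024-03-04T08:12:01 svc-hvac-maint 203.0.113.7 -> bms-01 success
2024-03-04T08:15:44 msp-rmm-admin 198.51.100.9 -> fs-01 success
2024-03-04T23:41:10 svc-hvac-maint 203.0.113.7 -> bms-01 success
2024-03-04T23:42:30 svc-hvac-maint 203.0.113.7 -> fs-01 failure
2024-03-04T23:42:35 svc-hvac-maint 203.0.113.7 -> fs-02 success
2024-03-04T23:43:02 svc-hvac-maint 203.0.113.7 -> pos-gw-01 success
2024-03-04T23:43:40 svc-hvac-maint 203.0.113.7 -> dc-01 success
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, _arrow, target, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "source": source,
            "target": target,
            "success": result == "success",
        })
    return events


def scope_findings(events, scope=SUPPLIER_SCOPE):
    """Rule 1: a supplier account reaching a host, or working at an hour,
    outside what its engagement allows. Returns (rule, account, detail)."""
    findings = []
    for ev in events:
        entry = scope.get(ev["account"])
        if entry is None:
            continue  # not a registered supplier account; other rules apply
        if ev["target"] not in entry["hosts"]:
            findings.append(("out_of_scope_host", ev["account"], ev["target"]))
        start, end = entry["hours"]
        if not (start <= ev["time"].hour < end):
            findings.append(("out_of_hours", ev["account"], ev["time"].isoformat()))
    return findings


def fanout_findings(events, window=timedelta(minutes=5), threshold=3):
    """Rule 2: one account authenticating to `threshold` or more distinct
    hosts inside `window`, the fan-out pattern of lateral movement. Failed
    attempts count too: an attacker probing for reachable hosts generates them.
    One finding per account is enough to raise the alert."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_account[ev["account"]].append(ev)
    findings = []
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            hosts = {e["target"] for e in evs[i:]
                     if e["time"] - first["time"] <= window}
            if len(hosts) >= threshold:
                findings.append(("lateral_fanout", account, tuple(sorted(hosts))))
                break
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for finding in scope_findings(parsed) + fanout_findings(parsed):
        print(*finding)
```

Two design points worth noting. The scope register is the piece most small suppliers do not have: nobody has written down which hosts the HVAC account is supposed to touch, so there is nothing to compare against. Writing it down is cheap and is what makes the first rule possible at all. The fan-out rule needs no register, which is why it is the one that catches the MSP case: a remote-management account is allowed everywhere, so only the tempo of its movement gives the attacker away.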
Protect Your Clients by Protecting Yourself
SOC in a Box was built for organisations exactly in this position: too small to be considered high-value targets, too connected to be ignored. A named analyst watching your network 24/7 is what stands between your access and your clients' data.