Your Vendors Are a Target — and So Are You

You think your systems are well protected. Firewall in place, antivirus up to date, password policies respected. And yet, an attacker gets into your network… through your accounting software vendor.

That’s exactly what a supply chain attack is.

ISO 27001 addresses this risk directly in controls 5.19 to 5.22. Most organizations don’t apply them properly.

What Is a Supply Chain Attack?

A supply chain attack occurs when an attacker compromises an organization not directly, but by targeting a trusted third party with access: a software vendor, an IT subcontractor, a partner connected to your systems, or even an open-source component integrated into your tools.

The idea is to attack the weakest point. By targeting a vendor, an attacker can hit all their clients at once.

This type of attack is formidable because the compromised source is trusted by your systems, the attack can hit thousands of organizations simultaneously, and detection often takes months.

Attacks Reported in the Media

SolarWinds (2020)

Attackers affiliated with Russian intelligence services compromised the SolarWinds Orion software update process. A legitimate, digitally signed update contained a backdoor. More than 18,000 organizations installed it, including U.S. government departments and Fortune 500 companies.

Kaseya VSA (2021)

Attackers exploited a vulnerability in Kaseya VSA, a remote management tool used by MSP vendors. Hundreds of SMB clients had their data encrypted by ransomware without their own systems being directly targeted.

3CX (2023)

The 3CX telephony software, widely used by SMBs, was compromised via a third-party dependency. The official installer contained malicious code. Organizations that simply updated their phone software found themselves infected.

XZ Utils (2024)

A malicious contributor spent two years gaining the trust of the community around a widely used Linux tool before inserting a backdoor. If it hadn’t been discovered by chance, millions of Linux servers would have been exposed.

Polyfill.io (2024)

A Chinese company bought the polyfill.io domain, which served a JavaScript library used by hundreds of thousands of websites. It modified the script to inject malicious code redirecting mobile visitors to fraudulent sites. More than 380,000 sites were affected, including platforms like Hulu, Mercedes-Benz, and the World Economic Forum. SMBs that used this library, often without knowing it, were exposed.

DragonForce via SimpleHelp (2025)

The DragonForce group exploited vulnerabilities in SimpleHelp, a remote management tool used by MSP vendors. Once inside the MSP, attackers deployed ransomware simultaneously across all downstream clients. Same pattern as Kaseya, four years later.

npm @redhat-cloud-services (June 2026)

On June 1, 2026, 32 packages published under an official Red Hat namespace were compromised on npm, with about 80,000 weekly downloads. Developers used these packages daily without suspecting anything.

Breaking the “Too Small to Be Targeted” Myth

SMBs still believe they’re too small to be in the crosshairs. That’s a myth, and it has concrete consequences.

In a supply chain attack, the SMB is not necessarily the final target. It’s the vector. If it has access to a larger client’s systems, it becomes an interesting entry point. And since SMBs use the same software as large enterprises, when a common tool is compromised, everyone is affected regardless of size.

How to Prepare: Concrete First Steps

Step 1: Inventory Your IT Vendors

List all third parties with access to your systems or data: SaaS software vendors, IT support firms, accountants with access to your files, partners connected to your network.

For each vendor, ask three questions: what level of access do they have to your systems or data, what happens if they’re compromised, and do you have a written agreement defining their security obligations?

Step 2: Apply Least Privilege

A vendor should never have more access than they need. Review granted access, revoke what’s unnecessary, and enable multi-factor authentication for all external access.

Step 3: Monitor Your Updates

Software updates are the number one vector for supply chain attacks. That doesn’t mean you should stop applying them. It means: subscribe to security advisories from your main vendors, wait a few days before applying a major update to critical software, and test critical updates in a separate environment where possible.
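Step 3 describes the discipline (advisories, a waiting period, testing major updates) but not how to check a dependency set against it. The script below is an added example, not code from the article; it runs over a constructed, simplified registry snapshot and lockfile (the package names, hashes, dates and maintainers are made up) and flags the conditions a reviewer would hold an update for: a pinned version whose registry hash no longer matches the lockfile, a candidate newer than the cooling-off window, a maintainer change between the pinned and candidate versions, and a major version jump.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Release:
    """One published version of a package, as a registry would describe it."""
    version: str
    published: datetime
    maintainers: frozenset[str]
    integrity: str  # content hash the registry records for this version


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    reason: str


# Constructed registry snapshot for three hypothetical packages; the names,
# hashes, dates and maintainers are made up for the example.
REGISTRY: dict[str, dict[str, Release]] = {
    "pkg-a": {
        "2.3.1": Release("2.3.1", datetime(2024, 3, 1, tzinfo=timezone.utc), frozenset({"alice"}), "sha256-aaa1"),
        "2.3.2": Release("2.3.2", datetime(2024, 5, 20, tzinfo=timezone.utc), frozenset({"alice"}), "sha256-aaa2"),
    },
    "pkg-b": {
        "1.4.0": Release("1.4.0", datetime(2024, 1, 10, tzinfo=timezone.utc), frozenset({"bob"}), "sha256-bbb1"),
        # Ownership changed and a release followed two days before the review.
        "1.5.0": Release("1.5.0", datetime(2024, 6, 24, tzinfo=timezone.utc), frozenset({"new-owner"}), "sha256-bbb2"),
    },
    "pkg-c": {
        # Same version string as in the lockfile, but the content hash differs.
        "0.9.0": Release("0.9.0", datetime(2024, 2, 2, tzinfo=timezone.utc), frozenset({"carol"}), "sha256-ccc1-republished"),
        "1.0.0": Release("1.0.0", datetime(2024, 4, 1, tzinfo=timezone.utc), frozenset({"carol"}), "sha256-ccc2"),
    },
}

# Constructed lockfile: the version and hash that were installed and vetted last time.
LOCKFILE: dict[str, tuple[str, str]] = {
    "pkg-a": ("2.3.1", "sha256-aaa1"),
    "pkg-b": ("1.4.0", "sha256-bbb1"),
    "pkg-c": ("0.9.0", "sha256-ccc1"),
}

REVIEW_DATE = datetime(2024, 6, 26, tzinfo=timezone.utc)


def _version_key(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def _latest(releases: dict[str, Release]) -> Release:
    return max(releases.values(), key=lambda r: _version_key(r.version))


def review_dependency(name, releases, locked_version, locked_integrity, now, min_age_days=7):
    """Return the reasons an update of `name` should be held or reviewed by hand."""
    findings: list[Finding] = []
    pinned = releases.get(locked_version)
    if pinned is None:
        findings.append(Finding(name, locked_version, "pinned version is no longer in the registry"))
    elif pinned.integrity != locked_integrity:
        findings.append(Finding(name, locked_version,
                                "registry hash differs from the lockfile: pinned version was republished or altered"))
    candidate = _latest(releases)
    if candidate.version == locked_version:
        return findings
    age = now - candidate.published
    if age < timedelta(days=min_age_days):
        findings.append(Finding(name, candidate.version,
                                f"published {age.days} day(s) ago; hold until the {min_age_days}-day cooling-off period has passed"))
    if pinned is not None and candidate.maintainers != pinned.maintainers:
        findings.append(Finding(name, candidate.version,
                                f"maintainers changed from {sorted(pinned.maintainers)} to {sorted(candidate.maintainers)}; review by hand"))
    if _version_key(candidate.version)[0] != _version_key(locked_version)[0]:
        findings.append(Finding(name, candidate.version,
                                "major version change; test in a separate environment before rolling out"))
    return findings


def review_all(registry, lockfile, now, min_age_days=7) -> dict[str, list[Finding]]:
    """Review every locked dependency; packages with no findings are omitted."""
    report: dict[str, list[Finding]] = {}
    for name, (version, integrity) in lockfile.items():
        findings = review_dependency(name, registry[name], version, integrity, now, min_age_days)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for package, findings in review_all(REGISTRY, LOCKFILE, REVIEW_DATE).items():
        for f in findings:
            print(f"{package} {f.version}: {f.reason}")
```

With the constructed data, pkg-a passes silently, pkg-b is held for being two days old and for its maintainer change, and pkg-c is flagged because its pinned version's hash changed underneath the lockfile and because the next release is a major jump. The seven-day window is a default to tune, not a standard; the point is that the check runs before the update, not after the incident.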

Step 4: Write a Security Clause in Vendor Contracts

Your third-party contracts should include minimum security requirements: an obligation to report an incident within 72 hours, audit rights, and encryption requirements. This isn’t a luxury. It has become a baseline expectation in any serious compliance framework.

Step 5: Have a Minimal Response Plan

If a vendor notifies you of a compromise, do you know what to do? Prepare a short list: who to call, how to isolate the affected vendor’s access, how to communicate with your clients if their data is affected.

Supply chain attacks are growing rapidly. According to Gartner, 45% of major cyberattacks in 2026 will involve the supply chain. The average cost of such a compromise is estimated at US$4.91M, with an average of 267 days to detect and contain.

MSPs as primary targets. Managed service providers (MSPs) that manage IT for dozens or hundreds of SMBs are becoming priority targets. According to a Guardz report covering 350 MSP vendors (2026), 75% were compromised at least once in 2025–2026. Compromising one MSP means compromising all their clients at once.

Regulations are intensifying too. In Europe, the NIS2 directive has been in force since October 2024 and imposes explicit obligations on supply chain security: assess vendor security posture before signing a contract, integrate mandatory security clauses, notify incidents within 24 hours (initial report) and 72 hours (full report), and reserve the right to audit vendors. In Quebec and Canada, regulatory pressure is moving in the same direction. SMB vendors to large enterprises or public institutions will receive more and more security questionnaires and contractual requirements.

Finally, artificial intelligence is accelerating attacks. Attackers now use AI to write more credible malicious contributions, detect vulnerabilities in open-source dependencies, and automate attacks at scale.

ISO 27001:2022 addresses vendor security in Annex A, domain 5, with four controls that are not optional: 5.19 (security in supplier relationships), 5.20 (supplier agreements), 5.21 (ICT supply chain), and 5.22 (monitoring and change management).

Concretely, this means: document your vendor selection and oversight policy, integrate security requirements into all contracts with third parties that have access to your assets, maintain a register of critical vendors, and review granted access annually.
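Steps 1, 2, 4 and 5 above and the ISO 27001 paragraph just before this one describe what the vendor register should capture: who has access and how much, whether it is protected by MFA, which contractual clauses exist, when access was last reviewed, and who to call. The script below is an added example, not the article's or the standard's own method; the access tiers, clause names, 365-day review interval, criticality rule and the three vendors are constructed to show a register being built and each vendor checked against those points.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Access tiers, from least to most powerful. The tier names are assumptions for the example.
ACCESS_LEVELS = {"none": 0, "data-readonly": 1, "data-readwrite": 2, "network": 3, "admin": 4}

# The minimum contract clauses Step 4 asks for; the clause names are constructed.
REQUIRED_CLAUSES = frozenset({"incident-notice-72h", "audit-right", "encryption"})


@dataclass(frozen=True)
class Vendor:
    name: str
    service: str
    access: str                    # key of ACCESS_LEVELS: what the vendor actually holds
    required_access: str           # key of ACCESS_LEVELS: what the service really needs
    data_sensitivity: str          # "public", "internal" or "confidential"
    mfa_enforced: bool
    last_access_review: date | None
    contract_clauses: frozenset[str]
    incident_contact: str | None   # who to call if the vendor reports a compromise (Step 5)


TODAY = date(2024, 6, 26)

# Constructed vendor inventory (Step 1); none of these are real organisations.
VENDORS = [
    Vendor("Acme Accounting", "bookkeeping", access="data-readwrite", required_access="data-readonly",
           data_sensitivity="confidential", mfa_enforced=False, last_access_review=date(2023, 1, 15),
           contract_clauses=frozenset({"encryption"}), incident_contact=None),
    Vendor("Helpdesk MSP", "managed IT support", access="admin", required_access="admin",
           data_sensitivity="internal", mfa_enforced=True, last_access_review=date(2024, 2, 1),
           contract_clauses=REQUIRED_CLAUSES, incident_contact="security@helpdesk-msp.example"),
    Vendor("Newsletter SaaS", "mailing list", access="data-readonly", required_access="data-readonly",
           data_sensitivity="public", mfa_enforced=True, last_access_review=None,
           contract_clauses=frozenset({"encryption", "incident-notice-72h"}), incident_contact=None),
]


def is_critical(v: Vendor) -> bool:
    """Critical if the vendor can reach the network or admin functions, or holds confidential data."""
    return ACCESS_LEVELS[v.access] >= ACCESS_LEVELS["network"] or v.data_sensitivity == "confidential"


def review_vendor(v: Vendor, today: date, review_interval_days: int = 365) -> list[str]:
    """Apply the article's checks to one vendor and return the gaps found."""
    findings: list[str] = []
    if ACCESS_LEVELS[v.access] > ACCESS_LEVELS[v.required_access]:
        findings.append(f"holds {v.access} access but the service needs {v.required_access} (Step 2)")
    if v.access != "none" and not v.mfa_enforced:
        findings.append("external access without multi-factor authentication (Step 2)")
    if v.last_access_review is None:
        findings.append("granted access has never been reviewed (annual review)")
    else:
        overdue = (today - v.last_access_review).days - review_interval_days
        if overdue > 0:
            findings.append(f"access review overdue by {overdue} days (annual review)")
    missing = REQUIRED_CLAUSES - v.contract_clauses
    if missing:
        findings.append(f"contract lacks {sorted(missing)} (Step 4)")
    if is_critical(v) and v.incident_contact is None:
        findings.append("critical vendor with no incident contact on file (Step 5)")
    return findings


def build_register(vendors: list[Vendor], today: date) -> list[dict]:
    """Register of vendors: critical ones first, then by number of open findings."""
    rows = [{"vendor": v.name, "service": v.service, "critical": is_critical(v),
             "findings": review_vendor(v, today)} for v in vendors]
    rows.sort(key=lambda r: (not r["critical"], -len(r["findings"]), r["vendor"]))
    return rows


if __name__ == "__main__":
    for row in build_register(VENDORS, TODAY):
        tag = "CRITICAL" if row["critical"] else "standard"
        print(f"{row['vendor']} [{tag}] {row['service']}")
        for finding in row["findings"] or ["no findings"]:
            print(f"  - {finding}")
```

Run as a script it prints the register with the accounting firm at the top: five open gaps on a vendor that holds confidential data. The MSP has admin access and is therefore critical even with a clean review, which is the point of keeping it in the register rather than only in the list of vendors with problems.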

ISO 27001 doesn’t guarantee a supply chain attack will never hit you. But it forces you to actually know who you trust and why.

In Summary

Supply chain attacks hit SMBs, often indirectly, often without warning.

You don’t need a 20-person security department to start. An honest vendor inventory, a review of granted access, and a few contractual clauses are enough to reduce your exposure.

Most ISO 27001 audits I see treat vendor controls as a checkbox. That’s often where the next breach will enter.

You can find more articles on the certi360.com blog. Thanks for your article suggestions — they’re created from your questions and comments.