Supply Chain Attacks: Why Your Vendors Are Your Biggest Security Risk
In July 2024, a routine software update from CrowdStrike, one of the world’s largest cybersecurity companies, caused an estimated 8.5 million Windows systems to crash simultaneously. Airlines grounded flights. Hospitals postponed surgeries. Banks could not process transactions. The outage was not caused by a cyber attack. It was caused by a faulty update pushed by a trusted vendor to systems that automatically applied it.
The CrowdStrike incident was not a security breach in the traditional sense, but it demonstrated a truth that many businesses have been slow to accept: your security and operational resilience are only as strong as the weakest link in your supply chain. When you trust a vendor with access to your systems, your data, or your infrastructure, their failures become your failures.
Supply chain attacks, where adversaries compromise a vendor, software provider, or service partner to gain access to their customers, have become one of the fastest-growing categories of cyber threats. And unlike direct attacks that target your perimeter, supply chain attacks come through the front door, delivered by partners you have explicitly trusted.
Why Supply Chain Attacks Are Surging
The economics of supply chain attacks are compelling for adversaries. Instead of attacking one business at a time, an attacker who compromises a widely used software vendor or managed service provider gains access to hundreds or thousands of downstream customers simultaneously.
The SolarWinds attack in 2020 demonstrated this at scale. Attackers inserted malicious code into a routine software update for SolarWinds’ Orion platform, which was used by approximately 18,000 organizations including Fortune 500 companies and U.S. government agencies. Every organization that installed the compromised update unknowingly gave the attackers access to their internal networks.
Since SolarWinds, the pattern has repeated with alarming frequency:
- Kaseya VSA (2021): Attackers exploited vulnerabilities in Kaseya’s remote management software to deploy ransomware to approximately 1,500 businesses through their managed service providers
- MOVEit Transfer (2023): A vulnerability in a widely used file transfer tool was exploited to steal data from hundreds of organizations, including government agencies, universities, and financial institutions
- 3CX (2023): A supply chain attack compromised the 3CX desktop phone application, affecting an estimated 600,000 businesses that used the software
- CrowdStrike (2024): A faulty update to endpoint security software caused global outages affecting millions of systems
These are not obscure tools used by a handful of companies. They are mainstream business software deployed across entire industries. The vendors themselves were not negligent; they were targeted precisely because of how widely their products were trusted and deployed.
How Supply Chain Attacks Work
Supply chain attacks exploit the trust relationships between organizations and their vendors. The specific techniques vary, but the common patterns include:
Compromised Software Updates
The attacker gains access to a vendor’s software development or distribution infrastructure and inserts malicious code into a legitimate software update. When customers install the update through their normal patching process, they unknowingly deploy the attacker’s code onto their own systems.
This is particularly dangerous because the update comes from a trusted source, is signed with the vendor’s legitimate code-signing certificate, and is delivered through the same channel as every other update. Security tools that whitelist vendor software will not flag it.
Compromised Managed Service Providers
Managed service providers (MSPs) have privileged access to their clients’ systems for monitoring, maintenance, and support. An attacker who compromises an MSP’s remote management tools gains the same level of access to every client environment that the MSP manages.
The Kaseya attack demonstrated this vector. By exploiting the MSP’s management platform, attackers deployed ransomware to the MSP’s clients without ever directly attacking those businesses.
Compromised Open-Source Dependencies
Modern software is built on layers of open-source libraries and frameworks. A single application might depend on hundreds of open-source packages, each maintained by different individuals or small teams. Attackers have targeted these dependencies by contributing malicious code to popular packages, compromising maintainer accounts, or creating packages with names similar to popular libraries (typosquatting).
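As an added illustration of the typosquatting risk just described (this is example code, not from the article or any vendor), the following screens a requirements-style manifest against an allow-list of vetted package names and flags near-misses and unpinned entries; the allow-list, package names and versions are constructed for the example.

```python
"""Screen a dependency manifest for look-alike (typosquat) package names.
Added example, not code from the original article; the allow-list and
the manifest below are constructed for illustration."""
import re

# Constructed allow-list of packages the organisation has already vetted.
KNOWN = {"requests", "urllib3", "cryptography", "pyyaml", "python-dateutil"}

def normalize(name):
    # PEP 503 normalisation: case-insensitive, runs of "-", "_" and "." become "-"
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the typical typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen(requirements, known=KNOWN, max_distance=2):
    """Return (normalized name, verdict) for each non-empty requirement line."""
    results = []
    for line in requirements:
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        name = normalize(re.split(r"[<>=!~ \[]", line, maxsplit=1)[0])
        if name in known:
            results.append((name, "ok" if "==" in line else "known but not pinned"))
            continue
        closest = min(known, key=lambda k: edit_distance(name, k))
        d = edit_distance(name, closest)
        verdict = (f"look-alike of {closest} (distance {d})" if d <= max_distance
                   else "not on allow-list")
        results.append((name, verdict))
    return results

# Constructed manifest: a clean pin, a dropped-letter typosquat, an unpinned
# real package, and a name that is simply unknown.
SAMPLE_REQUIREMENTS = [
    "requests==2.32.3",
    "urlib3==2.2.1",
    "cryptography>=42.0",
    "python-dateutil==2.9.0",
    "leftpad-utils==0.1",
]
```

A "look-alike" verdict is a prompt for a human to confirm the intended package, not proof of malice; a legitimate new dependency simply needs to be added to the allow-list once vetted.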
Vendor Credential Compromise
Many vendors have direct access to customer systems through VPN connections, remote desktop access, or API integrations. If an attacker compromises a vendor employee’s credentials, they can use that access to reach the vendor’s customers without triggering the customers’ perimeter defenses.
Assessing Your Third-Party Risk
Most businesses have more vendor relationships than they realize. Beyond the obvious software vendors and service providers, consider:
- Cloud service providers that host your data and applications
- SaaS platforms that process your business information
- Managed service providers with remote access to your systems
- Payment processors that handle financial transactions
- HR and payroll platforms that store employee personal information
- Marketing tools that collect customer data
- Physical security vendors with access to building systems
- Cleaning and maintenance contractors with physical access to your premises
Each of these relationships represents a potential attack vector. The first step in managing supply chain risk is creating a comprehensive inventory of your vendor relationships and categorizing them by the level of access and the sensitivity of the data involved.
Tiering Your Vendors by Risk
Not all vendor relationships carry equal risk. A vendor with remote administrative access to your servers poses a fundamentally different risk than a vendor that supplies office furniture. Categorize your vendors into risk tiers:
Critical (Tier 1): Vendors with direct access to your systems, networks, or sensitive data. This includes MSPs, cloud providers, security tools, and any software that runs with elevated privileges.
Important (Tier 2): Vendors that process or store your business data but do not have direct system access. This includes SaaS platforms, payment processors, and HR systems.
Standard (Tier 3): Vendors with limited or no access to your systems or data. This includes office supply vendors, general contractors, and marketing agencies without system access.
Your security requirements and monitoring intensity should scale with the risk tier.
Building a Vendor Risk Management Program
A vendor risk management program does not need to be complex to be effective. For most small and mid-sized businesses, a practical program includes four components:
1. Security Requirements in Contracts
Every vendor agreement should include baseline security requirements appropriate to the risk tier. For critical vendors, these requirements might include:
- Multi-factor authentication for all access to your systems
- Encryption of data in transit and at rest
- Regular security assessments or SOC 2 compliance
- Incident notification within a defined timeframe (24-72 hours)
- Right to audit or request evidence of security controls
- Data handling and destruction requirements upon contract termination
These requirements should be negotiated before signing, not added as an afterthought. Vendors that resist reasonable security requirements are telling you something about their security maturity.
2. Due Diligence Before Onboarding
Before granting a new vendor access to your systems or data, conduct a security assessment proportional to the risk tier. For critical vendors, this might include:
- Reviewing their SOC 2 report or equivalent security certification
- Asking about their incident response capabilities and history
- Understanding their own supply chain risk management practices
- Evaluating their data handling and privacy practices
- Checking for recent security incidents or breaches
For lower-tier vendors, a security questionnaire and review of their privacy policy may be sufficient.
3. Least-Privilege Access
Grant vendors only the minimum access they need to perform their contracted services. A vendor that needs to manage your email system does not need access to your file server. A vendor that provides network monitoring does not need administrative access to your endpoints.
Review vendor access permissions regularly and revoke access promptly when a contract ends or a vendor’s scope of work changes.
4. Ongoing Monitoring
Vendor risk is not static. A vendor that was secure when you onboarded them may experience a breach, a change in ownership, or a degradation in their security practices over time. Ongoing monitoring includes:
- Annual security reassessments for critical vendors
- Monitoring for news of vendor security incidents
- Reviewing vendor access logs for unusual activity
- Verifying that contractual security requirements are being maintained
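The least-privilege and monitoring points above (revoking access when a contract ends, reviewing vendor access logs for unusual activity) can be turned into a simple check. This is an added example, not code from the article: it compares vendor service-account logins against a constructed inventory of contracted scope, contract end dates and documented source networks, and reports anything that falls outside them.

```python
"""Flag vendor-account activity that falls outside the contracted scope. Added
example, not code from the original article; inventory, networks and log lines are constructed."""
from datetime import date, datetime
import ipaddress

VENDORS = {  # constructed inventory: service account -> what the contract allows
    "svc-msp-remote": {
        "vendor": "ExampleMSP",
        "systems": {"mail01", "mail02"},       # email management only
        "contract_end": "2025-12-31",
        "source_nets": ["203.0.113.0/24"],     # vendor's documented egress range
    },
    "svc-netmon": {
        "vendor": "ExampleNetMon",
        "systems": {"core-sw1", "core-sw2"},
        "contract_end": "2024-06-30",          # contract ended; access should be gone
        "source_nets": ["198.51.100.0/24"],
    },
}

def parse_line(line):
    # Constructed log format: "<ISO timestamp> <account> <system> <source ip> <action>"
    ts, account, system, src, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "system": system, "src": ipaddress.ip_address(src), "action": action}

def check(entry):
    """Return findings for one parsed entry; an empty list means nothing unusual."""
    v = VENDORS.get(entry["account"])
    if v is None:
        return [f"{entry['account']}: account not in vendor inventory"]
    findings = []
    if entry["ts"].date() > date.fromisoformat(v["contract_end"]):
        findings.append(f"{v['vendor']}: activity after contract end {v['contract_end']}")
    if entry["system"] not in v["systems"]:
        findings.append(f"{v['vendor']}: access to out-of-scope system {entry['system']}")
    if not any(entry["src"] in ipaddress.ip_network(n) for n in v["source_nets"]):
        findings.append(f"{v['vendor']}: login from undocumented network {entry['src']}")
    return findings

def review(lines):
    return [f for line in lines if line.strip() for f in check(parse_line(line))]

SAMPLE_LOG = """\
2025-03-02T09:15:00 svc-msp-remote mail01 203.0.113.10 login
2025-03-02T09:20:00 svc-msp-remote fileserver01 203.0.113.10 login
2025-03-03T02:41:00 svc-msp-remote mail02 192.0.2.77 login
2025-03-04T11:00:00 svc-netmon core-sw1 198.51.100.5 login
2025-03-04T11:05:00 svc-unknown hr-db 198.51.100.9 login
"""
```

Run `review(SAMPLE_LOG.splitlines())` to see the four findings; in practice the inventory is the same vendor list produced during tiering, which is what makes the scope comparison possible.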
Practical Steps You Can Take Today
You do not need a formal vendor risk management program to start reducing your supply chain risk. These immediate steps provide meaningful protection:
- Inventory your vendors and identify which ones have access to your systems or sensitive data
- Enable MFA on all vendor access points, including VPN connections, remote desktop, and cloud platform accounts
- Review and restrict vendor permissions to the minimum required for their role
- Monitor for vendor security incidents by setting up Google Alerts for your critical vendors’ names combined with terms like “breach” or “security incident”
- Update your incident response plan to include scenarios where a vendor is the source of compromise
- Discuss supply chain risk with your IT provider and understand what controls they have in place to protect your environment from vendor-related threats
JayTec Solutions helps businesses assess and manage third-party risk through structured vendor evaluation, contractual security requirements, and ongoing monitoring. From initial risk assessments to compliance-ready documentation, a proactive approach to supply chain security protects your business from threats that originate outside your perimeter.
The vendors you trust with your systems and data are an extension of your security posture. Managing that trust deliberately, rather than assuming it, is one of the most important security decisions a business can make.