Why your Weakest Partner is your Biggest Risk
Long one this week, but stick with me - it’s an important one. If you’ve been anywhere near the world of cyber recently, you’ll have noticed one phrase popping up again and again: supply chain attack.
And it’s no coincidence. These attacks are quietly becoming one of the biggest threats to business. They’re sneaky, smart, and incredibly efficient. Why break into one company when you can slip through a trusted partner and hit hundreds in one go?
That’s the power of the modern supply chain. It’s brilliant for productivity, but it’s also become a bit of a hacker’s dream.
The Problem With Trust
We’ve built this world of seamless integrations and “trusted vendors.” Every platform talks to every other platform, every service relies on someone else’s service, and that implicit trust is exactly what makes the whole thing so vulnerable: a vendor’s update server, build pipeline or support account is inside your perimeter whether you think of it that way or not.
When SolarWinds got hit back in 2020, attackers didn’t need to storm the front door of a government network. They compromised the vendor’s build process and let a trojanised Orion update walk in as a routine patch… Access granted.
Fast forward to 2023 and the MOVEit breach had organisations from payroll companies to government departments scrambling because a single SQL injection flaw in a managed file transfer tool was all it took. Then there’s 3CX, where the attackers didn’t even bother targeting customers; they poisoned the software build pipeline itself, and that compromise in turn traced back to a trojanised installer from yet another vendor. One supply chain attack nested inside another.
And of course, most recently, the Jaguar Land Rover incident showed just how fragile a just-in-time supply chain is in practice. Production lines stopped, and the suppliers who depend on those lines felt it immediately. It’s not just about data either, it’s businesses grinding to a halt.
The Red Flags Nobody Wants To See
The problem is that most supply chain risks don’t look dangerous until it’s too late. They hide behind contracts, handshakes, and the dangerous phrase, “We’ve always worked with them.”
Some classic warning signs:
- Vendors who can’t tell you when they last did a security audit.
- Suppliers without MFA or patch management.
- Software updates that don’t get signed, or that get signed but never verified on your side.
- Open-source components with zero visibility of who maintains them, who published the version you’re running, or whether the artifact you pulled matches what the maintainer released.
- And my personal favourite: partners who “don’t think they’re a target.”
Spoiler… they are. Everyone in the chain is.
How To Actually Get Ahead Of It
As with most things, there’s no magic fix, but there are better habits. Start with this:
1. Know who’s in your chain & map it properly. Not just your direct suppliers, but who they rely on too. The third and fourth tiers are where things usually fall apart.
2. Tier your risk. Not every supplier needs the same level of scrutiny. Focus on the ones that touch sensitive systems, customer data or anything operationally critical.
3. Expect transparency. Ask for SBOMs (Software Bills of Materials) in a machine-readable format such as CycloneDX or SPDX, plus security disclosures, and actually read them rather than filing them. You wouldn’t eat something without knowing what’s in it, right? Same logic applies here.
4. Test your own resilience. Assume a key supplier goes down tomorrow. What happens? Do you have backups, alternatives, manual processes? You’ll learn more in one tabletop exercise than in a year of risk reports.
5. Put it in your contracts. Don’t just talk about cyber due diligence, write it in. Response times, breach notifications, security obligations. If they’re handling your data, they’re handling your risk.
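Steps 3 and the red flags above (unsigned or unverified updates, components nobody owns) only bite if you do something with the SBOM once it arrives. The script below is an added example, not code from the original post or from any vendor: it parses a constructed CycloneDX-style SBOM, checks each component for a named supplier and a SHA-256 hash, and compares that hash against the bytes of the artifact you actually received. The SBOM, the artifact bytes and the component names are all made up for the example, and the check uses only a minimal subset of the CycloneDX 1.5 JSON shape.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes, as lowercase hex (the form SBOM hashes use)."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifact bytes standing in for packages you downloaded, keyed by purl.
# In practice these are the files fetched from the vendor portal or registry.
ARTIFACTS = {
    "pkg:pypi/requests@2.31.0": b"constructed stand-in for a requests 2.31.0 wheel",
    "pkg:generic/internal-auth@3.2.0": b"constructed stand-in for a vendor-supplied component",
}

# Constructed CycloneDX-style SBOM (a small subset of the CycloneDX 1.5 JSON shape,
# not a real vendor's document). One clean component and two red flags.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {   # Well described: supplier named, hash present and matching the artifact we hold.
            "type": "library", "name": "requests", "version": "2.31.0",
            "purl": "pkg:pypi/requests@2.31.0",
            "supplier": {"name": "requests maintainers (constructed)"},
            "hashes": [{"alg": "SHA-256",
                        "content": sha256_hex(ARTIFACTS["pkg:pypi/requests@2.31.0"])}],
        },
        {   # Red flag: no supplier and no hashes. Nobody to ask, nothing to verify.
            "type": "library", "name": "leftpad-ish", "version": "0.0.1",
            "purl": "pkg:npm/leftpad-ish@0.0.1",
        },
        {   # Red flag: the hash in the SBOM does not match the artifact actually delivered.
            "type": "library", "name": "internal-auth", "version": "3.2.0",
            "purl": "pkg:generic/internal-auth@3.2.0",
            "supplier": {"name": "Example Vendor Ltd (constructed)"},
            "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
        },
    ],
})


def component_id(component: dict) -> str:
    """Prefer the purl; fall back to name@version when a component has none."""
    return component.get("purl") or f"{component.get('name')}@{component.get('version')}"


def triage_component(component: dict, artifacts: dict) -> list:
    """Return a list of findings for one component; an empty list means nothing to chase."""
    findings = []
    if not (component.get("supplier") or {}).get("name"):
        findings.append("no supplier: nobody to ask about audits, MFA or patching")
    if not component.get("purl"):
        findings.append("no purl: component cannot be pinned to a registry coordinate")
    hashes = {h.get("alg"): h.get("content") for h in component.get("hashes", [])}
    expected = hashes.get("SHA-256")
    if not expected:
        findings.append("no SHA-256: the delivered artifact cannot be verified against the SBOM")
    else:
        data = artifacts.get(component_id(component))
        if data is None:
            findings.append("artifact not on hand: SBOM hash could not be checked")
        elif sha256_hex(data) != expected.lower():
            findings.append("hash mismatch: delivered artifact differs from what the SBOM declares")
    return findings


def triage_sbom(sbom_text: str, artifacts: dict) -> dict:
    """Map each component id to its findings. Raises on non-CycloneDX input."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return {component_id(c): triage_component(c, artifacts)
            for c in bom.get("components", [])}


if __name__ == "__main__":
    for cid, findings in triage_sbom(SAMPLE_SBOM, ARTIFACTS).items():
        print(f"{'OK' if not findings else 'REVIEW':6} {cid}")
        for finding in findings:
            print(f"       - {finding}")
```

Run as-is it prints one OK line for the well-described component and REVIEW lines for the other two. Swap the constructed SBOM and artifact bytes for a vendor’s real SBOM and the files they shipped, and the same three questions apply: who stands behind this component, can I pin it, and does what I was given match what they say they gave me.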
Let’s Be Honest
The reality is, you can do everything right and still get caught out. But what matters is how fast you detect it, how prepared you are to respond, and how transparent you are when things go wrong.
Maybe this is your reminder to check in with your suppliers this week. Ask the awkward questions. Review that contract. Or just finally map out who actually has access to what.
Because in 2025, the companies that know exactly where their weak spots are will be the ones still standing.
BY: Burhan Choudhry