A supply chain attack gains access to a target organisation through a trusted third party — a software vendor, managed service provider, IT supplier, or business partner. The target's own defences may be excellent; the attacker exploits the weaker link in the supply chain instead.
Why Supply Chain Attacks Are Increasing
The economics favour attackers: compromising one well-positioned supplier provides simultaneous access to dozens or hundreds of that supplier's clients. Software update mechanisms, remote management tools, and shared credentials are the most commonly exploited pathways.
Assessing Your Supply Chain Exposure
Start with an inventory: which third parties have access to your systems, what access do they have, and what data can they reach? For each significant vendor, assess: do they enforce MFA on accounts used to access your environment? Are their access credentials unique to your environment or shared across clients? When was their access last reviewed?
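The inventory and the three questions above lend themselves to a simple structured review. The following is an added example, not part of the original article: it models one inventory row per vendor, flags the gaps against each question, and orders vendors so that those reaching the most data with the most gaps come first. The 90-day review interval and the sample vendors are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum age of the last access review before it is flagged (assumed policy value).
REVIEW_INTERVAL_DAYS = 90


@dataclass
class VendorAccess:
    """One row of the third-party access inventory."""
    vendor: str
    systems: tuple            # systems the vendor can reach in our environment
    data_reachable: tuple     # data classes reachable through those systems
    mfa_enforced: bool        # MFA on the accounts used to reach our environment
    credentials_shared: bool  # same credentials reused across the vendor's clients
    last_reviewed: Optional[date]


def assess_vendor(v: VendorAccess, today: date) -> list:
    """Return the gaps for one vendor against the three questions in the text."""
    findings = []
    if not v.mfa_enforced:
        findings.append("no MFA enforced on vendor accounts")
    if v.credentials_shared:
        findings.append("credentials shared across the vendor's clients")
    if v.last_reviewed is None:
        findings.append("access has never been reviewed")
    else:
        age = (today - v.last_reviewed).days
        if age > REVIEW_INTERVAL_DAYS:
            findings.append(f"access last reviewed {age} days ago")
    return findings


def assess_inventory(inventory, today: date) -> list:
    """Assess every vendor and return (vendor, findings) pairs, most exposed first:
    vendors reaching more data classes, then vendors with more gaps."""
    results = []
    for v in inventory:
        findings = assess_vendor(v, today)
        if findings:
            results.append((v.vendor, len(v.data_reachable), findings))
    results.sort(key=lambda r: (-r[1], -len(r[2]), r[0]))
    return [(vendor, findings) for vendor, _, findings in results]


# Constructed sample inventory (hypothetical vendors, not real ones).
SAMPLE_INVENTORY = [
    VendorAccess("msp-example", ("AD", "backup"), ("credentials", "PII"),
                 True, True, date(2023, 11, 1)),
    VendorAccess("payroll-saas", ("hr-app",), ("PII",),
                 True, False, date(2024, 5, 20)),
    VendorAccess("hvac-contractor", ("bms",), (),
                 False, False, None),
]
ASSESSMENT_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for vendor, findings in assess_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE):
        print(vendor)
        for finding in findings:
            print("  -", finding)
```

Vendors with no gaps are omitted from the output, so the report is a worklist rather than a full listing; the inventory itself should still be kept whole, since the next review needs the rows that passed this time.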
Contractual Protections
Contracts with significant technology vendors should include: minimum security control requirements (MFA, patching, breach notification obligations), the right to audit or request security attestations, incident notification timeframes, and liability provisions for breaches originating from the vendor's environment. Many standard vendor contracts include none of these.
Technical Controls
Privileged access management for vendor accounts: just-in-time access that is granted when needed and revoked when not. Network segmentation so vendor access is limited to the systems they manage. Session recording for privileged vendor access to sensitive systems. Separate credentials per vendor rather than shared admin accounts.
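The four controls above can be seen together in a small access broker. The following is an added example written for this article, not a product's or the author's code: a hypothetical broker that issues a unique short-lived credential per vendor and per grant (no shared admin account), refuses systems outside the set the vendor is contracted to manage (segmentation), expires or revokes the grant (just-in-time access), and logs every decision (the audit trail a session-recording system would sit alongside). The vendor names, systems and timestamps are constructed for the walkthrough.

```python
import secrets
from datetime import datetime, timedelta, timezone


class VendorAccessBroker:
    """Hypothetical just-in-time access broker for third-party accounts.

    managed_systems maps each vendor to the set of systems it is contracted
    to manage; any request outside that set is refused."""

    def __init__(self, managed_systems: dict):
        self.managed_systems = managed_systems
        self.grants = {}     # grant_id -> grant record
        self.audit_log = []  # append-only record of every decision

    def _log(self, event: str, now: datetime, **fields):
        self.audit_log.append({"time": now.isoformat(), "event": event, **fields})

    def request_access(self, vendor: str, system: str, ttl_minutes: int, now: datetime):
        """Issue a credential unique to this vendor and this grant, valid for ttl_minutes."""
        if system not in self.managed_systems.get(vendor, set()):
            self._log("denied", now, vendor=vendor, system=system, reason="not a managed system")
            raise PermissionError(f"{vendor} is not permitted to reach {system}")
        grant_id = secrets.token_hex(8)
        credential = secrets.token_urlsafe(32)   # never reused for another vendor or grant
        self.grants[grant_id] = {
            "vendor": vendor, "system": system, "credential": credential,
            "expires": now + timedelta(minutes=ttl_minutes), "revoked": False,
        }
        self._log("granted", now, vendor=vendor, system=system, grant_id=grant_id)
        return grant_id, credential

    def authorize(self, grant_id: str, credential: str, system: str, now: datetime) -> bool:
        """Decide whether a session may open; the outcome is always logged."""
        g = self.grants.get(grant_id)
        if g is None:
            self._log("denied", now, grant_id=grant_id, reason="unknown grant")
            return False
        ok = (secrets.compare_digest(g["credential"], credential)   # constant-time compare
              and g["system"] == system
              and not g["revoked"]
              and now < g["expires"])
        self._log("session_allowed" if ok else "denied", now,
                  vendor=g["vendor"], system=system, grant_id=grant_id)
        return ok

    def revoke(self, grant_id: str, now: datetime):
        """Revoke early, e.g. when the work finishes before the TTL runs out."""
        if grant_id in self.grants:
            self.grants[grant_id]["revoked"] = True
            self._log("revoked", now, grant_id=grant_id)


# Constructed walkthrough: one vendor contracted for one system, 60-minute windows.
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    broker = VendorAccessBroker({"msp-example": {"backup-server"}})
    m = lambda n: T0 + timedelta(minutes=n)

    grant_a, cred_a = broker.request_access("msp-example", "backup-server", 60, T0)
    in_window = broker.authorize(grant_a, cred_a, "backup-server", m(30))
    wrong_system = broker.authorize(grant_a, cred_a, "domain-controller", m(30))
    after_expiry = broker.authorize(grant_a, cred_a, "backup-server", m(61))

    grant_b, cred_b = broker.request_access("msp-example", "backup-server", 60, m(90))
    broker.revoke(grant_b, m(100))
    after_revoke = broker.authorize(grant_b, cred_b, "backup-server", m(110))

    try:
        broker.request_access("msp-example", "domain-controller", 60, m(120))
        unmanaged_refused = False
    except PermissionError:
        unmanaged_refused = True

    return {"in_window": in_window, "wrong_system": wrong_system,
            "after_expiry": after_expiry, "after_revoke": after_revoke,
            "unmanaged_refused": unmanaged_refused,
            "audit_events": [e["event"] for e in broker.audit_log]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A real deployment would hand the credential to the vendor through the PAM tool's checkout flow and tie the grant to a recorded session rather than returning it from a function call, but the decision logic is the same: the vendor never holds a standing credential, and each system they reach is one they are contracted to manage.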
Should we require SOC 2 reports from our IT providers?
For IT providers with access to sensitive systems or data, a SOC 2 Type II report provides reasonable assurance that security controls have been operating effectively over a defined period. It is a reasonable ask for any provider with significant access. Smaller providers may not have SOC 2 certification — in that case, a structured security questionnaire and reference checks are the alternative.