What SMEs must know about supply-chain attacks

supply chain attack sme

If a thief wants to enter a house, it’s unlikely they’ll choose to ring the doorbell. They’re going to climb through a half-opened window around the back. And if they’re careful enough, the homeowner is none the wiser.

The same principle applies in the cybersecurity landscape. Supply chain attacks have existed for some time, and are an infamous method of finding cybersecurity vulnerabilities to target seemingly secure businesses. Gartner predicts that by 2025, 45% of organisations globally will experience an attack on their software supply chain. Here’s how they work and what you need to know about them.

What is a supply chain attack?

A supply chain attack is when a cyber criminal exploits a vulnerability in a supply chain. Many businesses today are cybersecurity-savvy. The best prepared will have well-intentioned cybersecurity policies and regulations in place to manage their cybersecurity and keep problems at bay. 

But most businesses don’t operate within silos. Your organisation probably relies on other businesses as part of your supply chain, or you form a part of another supply chain. This creates complexity when managing security credentials. Can you be assured that every business within your supply chain, from a payment processing provider to a manufacturer, is completely secure? 

Most organisations will manage compliance across their people, software, and processes, but this is difficult to extend to other points in the supply chain. This is the exact vulnerability criminals can exploit. 

Want to know more about the risks posed by supply chains? Check out our guide.

Examples of supply chain attacks

1. SolarWinds

No supply chain attack discussion can ignore the SolarWinds supply chain attack. SolarWinds is a major software company that specialises in network and infrastructure monitoring tools. In 2019, threat actors gained unauthorised access to SolarWind’s networks, and in the following months injected malicious code into their software, Orion. Later in 2020, SolarWinds unknowingly sent out hacked code via software updates – installing malicious code onto customer devices that could be used to spy. This infected many significant organisations, from small businesses to government bodies. 

2. Target 

Known as one of the earlier supply chain attacks, Target, a U.S. superstore retailer, was impacted in 2013. Cybercriminals exploited vulnerabilities in the retailer’s point of sale (POS) systems to retrieve 40 million customer credit and debit card information. The cost of this data breach has since cost the business nearly $300 million

3. British Airways

In 2018, British Airways was unknowingly impacted by a code that harvested customer payment data using their website payment page. The code routed credit card information to an external domain. This is known as skimming, when payment data is unknowingly collected during the online purchase checkout process. Magecart is suspected to be responsible for this skimming attack, and approximately 380,000 customers had their personal and financial data stolen. 

SMEs and supply chain attacks

Cybercriminals target large organisations due to the sheer volume of data they can exploit. But small and medium businesses are equally susceptible targets.

More than half (54%) of all U.K.-based SMEs experienced some form of cyber attack in 2022. Cybercriminals know that SMEs are more vulnerable as they might not have rigorous security credentials. Additionally, SMEs are often part of a larger supply chain, making them a great target. 

How to protect your SME from supply chain attacks

Manage your cybersecurity first

Consider your cybersecurity status first. A basic cybersecurity certification, such as Cyber Essentials, will cover everything your business should do to protect itself from cyberattacks. Being certified can reduce cyber risk by up to 98.5%, and can help you with important steps like staff training and long-term cybersecurity support. 

Check your suppliers

Request that your suppliers show evidence of cybersecurity management. A certification can be all they need to remain secure. More high-risk suppliers should have equally risk-resilient cybersecurity measures in place. If they don’t, this should raise your alarm bells.

You should collaborate with every business in your supply chain, and the supply chains you are within, to emphasise the importance of cybersecurity credentials. You can even make cybersecurity part of your contractual agreements, so there’s less chance of a vulnerability in your supply chain.

Implement an early warning system

A supply chain early warning system (EWS) can identify security threats in a supply chain using data. It analyses data and notifies the system administrator to suggest methods of mitigating the threat. An EWS reduces your reliance on human knowledge alone, and instead can autonomously detect threats. As types of attacks become increasingly more complex, this is a great method of covering all bases if it’s an attack you might not have encountered before. 

A supply chain attack could happen to you

But it doesn’t have to be that way. By ensuring your organisation is as secure as possible, and obligating your suppliers to do the same, you’re more likely to deter and mitigate the risk of a supply chain attack against your SME. This way, your business’s figurative back windows are firmly locked, so no burglars can get in – through the front door or the back.

Supply chain CTA 2

4 reasons why hackers attack the supply chain

supply chain hack

You’re a hacker ready to launch an attack. What do you target? 

  • A: A single person or company that’ll get you a sizeable reward, if the attack is successful?
  • B: A supply chain that could get you access to hundreds, if not thousands, of companies and their data, if the attack is successful?

Supply chain attacks increased 633%, by 88,000 instances, in 2022. And it’s easy to see why.

With this increased risk, it’s good to understand what supply chain hacks are, why they happen, and how to protect your business from them as much as possible. 

What are supply chain hacks?

A supply chain hack is a type of cyberattack that targets organisations by exploiting weak links in third-party software, hardware, or services. In these cases, you could have very strong cybersecurity defences but suffer an attack because a supplier’s software has a vulnerability they weren’t aware of. Hackers use this to access your networks and data undetected and cause damage. 

Because these attacks are through legitimate supplier software/hardware, they can be more difficult to spot and stop. In the high-profile SolarWinds attack, it took months for professionals to understand how cyber criminals were gaining unauthorised access to networks and data.  

Why hackers attack supply chains

1. Collateral damage

By accessing a company that provides software or services to other companies, hackers can harm multiple targets in one hit. Instead of putting effort into attacking one company, they could potentially impact hundreds, if not thousands. Take the recent Otka attack as an example. Otka has 14,000 customers, and in one five-day attack, hackers impacted 366 of them. 

This kind of attack doesn’t just cause immediate damage like data loss. It also causes long-term reputational challenges for suppliers. As supply chains rely on trust, customers lose confidence in their suppliers’ abilities to protect themselves, and therefore their customers, from cyber threats. 

2. Kudos 

Hacking is a skill – albeit a dangerous one in the wrong hands. And hackers have egos. If one can successfully infiltrate supply chains, access customer data, install malware, etc., on a large scale and cause widespread damage, they can brag about it. The bigger the attack, the better. 

3. Financial gain

A supply chain is a perfect place for a hacker to compromise cash flow and payment systems between multiple companies to gain access to sensitive financial information. They can divert payments, demand ransom, and leak/sell sensitive data on a large scale. The more money they can make, the more worthwhile the hack is.

4. Disruption and theft

As is the case with other types of cyberattacks, supply chain hacks cause a lot of disruption. Because so much data is available for exploitation in supply chains, cybercriminals attack them to get hold of vast amounts of personal data, intellectual property, and confidential business information. This…

  • severely disrupts and even stops operations
  • causes financial losses
  • damages trust
  • injures brand reputation

Safeguard your business against supply chain hacks

Few companies take steps to formally review risks in their supply chains – around one in ten businesses review the risks posed by their immediate (13%) and wider suppliers (7%). 

You need to work with suppliers and feel confident that they work to the same high standards as you. Supply chain attacks pose a very real threat, but don’t let it get to you. 

There are some simple and affordable ways to give yourself (and make sure your suppliers have) a good amount of protection against threats. 

One way is to get a Cyber Essentials certification. This is a government-backed scheme to help businesses protect themselves in five core areas:

  • Secure configuration
  • Malware protection
  • Network firewalls
  • User access controls
  • Security update management

Applying the five principles to how you work can reduce your cyber risk by 98.5% and give you the confidence and understanding you need to speak to your suppliers about their security practices.

Want to know more about the threat posed by supply chain attacks and learn how to protect your business? Check out our new guide for everything you need to know.

Supply chain CTA

9 signs your business has been hacked and what to do about them


It’s the stuff nightmares are made of. What started as another mundane Monday afternoon has suddenly morphed into one of your worst-case scenarios.  Your business has been hacked.

The scariest part is that you may not even notice. If you’re lucky, you may receive a ransomware notification or a good samaritan might inform you but often the telltale signs of a breach are more insidious. Here’s how to spot and tackle them.

9 warning signs you’ve been hacked –  and what to do about them

Unexpected changes to files 

Many modern businesses allow for organisation-wide access to documents and real-time editing. Think tools like Google Docs or your Microsoft 365 package. Telling the difference between colleagues’ tracked changes on that ten-page report you wrote and more nefarious activity can be tricky. But it’s not impossible. 

Look for revisions outside of what you’d normally expect. For example, document name changes, or files that have been mysteriously deleted. Like fingerprints at a crime scene, all of these could point to a hacker’s presence.

What to do: To keep the hackers at bay, start by changing all company passwords, installing encryption software and double-checking everyone is following your security policy. If the problem persists, consider speaking to an expert.

Spam emails sent from company email accounts 

No one likes spam. It’s annoying and nothing turns off a prospective customer more quickly than a deluge of unwanted emails. But if you suddenly start receiving complaints from customers or unsubscribe numbers start climbing, it’s also a sure sign you’ve been hacked. 

What to do: Keep a close watch on your outgoing emails. It’s likely your marketing team are already tracking emails for key metrics, so ask them to keep an eye out for anything that looks out of place. On an individual level, regularly check the sent folder in your emails for messages that you don’t remember sending or look spammy. 

If you do discover something’s wrong, follow the steps we outlined above for file changes. 

Secure your business today. Get Cyber Essentials certified.

Unusual financial activity

It’s generally known that most hackers are out for one thing: money. So one of the most important places to regularly check is company bank accounts.

Check business statements regularly for unusual withdrawals or payments from your account. If you do spot anything, there’s a very real chance you’ve been hacked. And, remember, cybercriminals won’t necessarily steal large amounts. One of the most successful small-scale hacks of recent years involved a cybercriminal stealing from multiple businesses, a few ill-gotten cents at a time. 

What to do: If you do find irregularities, change passwords for all company accounts, turn on transaction alerts and contact your bank – most will reimburse any stolen funds.

Unwelcome installations

It can be difficult to keep track of the various tools and software everyone within your business has installed. This is particularly true in the frenetic world of an SME or startup.

Nevertheless, there’s a big difference between the tools your people need and unwanted software no one remembers installing. Sometimes this software is completely harmless. We all accidentally install a browser add-on now and then. However, there’s also a chance that if someone doesn’t remember installing something, it’s been added remotely by a cybercriminal.

What to do: The fix for unwelcome installations is a simple, but time-consuming, one. Perform regular checks on the software and toolbars in use on all company devices. And, if you find any applications that look strange or aren’t in use, uninstall them. 

Random pop-ups

Like it’s equally irritating cousin, spam, we all hate pop-ups. We hate them so much that more than 600 million devices (or 11% of all the devices in the world) are currently using an ad blocker.

However, there might be something more to the pop-ups you’re seeing than an annoying sideshow. If you’re getting popups from websites that wouldn’t usually generate them – particularly, reputable ones – it could indicate your system has been compromised. 

What to do: Unfortunately, there’s no quick fix for this problem. The best way to clean up your systems is to manually delete any software or toolbars you haven’t installed yourself (see above). At this point, it’s perfectly acceptable to let out a long sigh. 

Company devices behaving strangely 

When we talk about ‘devices behaving strangely’ it’s important to stress we don’t mean the ‘Wednesday afternoon go-slow’ your laptop experiences from time to time. 

We mean really strange behaviour. For example, your mouse cursor moving of its own free will or random flickering on your monitor. Both of these things could indicate something much more serious is going on.

What to do: If you do notice your device behaving strangely, it’s time to call in the experts. Disconnect your device from the internet, power it down and turn your router off. Although these steps won’t undo the breach, they will at least stop hackers inflicting any damage before you get expert help. 

Internet searches being redirected

We mentioned earlier that most hackers are interested in making money, and stealing isn’t the only way to do it. An easier, far less risky, way for cybercriminals to make a fast buck is to redirect your browser searches somewhere you don’t want to go. By redirecting your searches to another website (often the site owner has no idea the site is being used this way) the hacker gets paid for your clicks. 

What to do: If your internet searches are being redirected then there’s a high chance you’ve also got bogus toolbars and software installed on your device. Simply follow the same process we outlined earlier for software and that should fix things. 

Changes to your security settings

Cybercriminals are clever, but that doesn’t mean they’re above crude tactics. And top of the list of ‘obvious but effective’ hacker tactics is turning firewalls, ad blockers and anti-virus tools off.

Keep a close eye on your security settings. If something is turned off that shouldn’t be, it’s most likely just down to human error. However, it’s well worth switching it back on and seeing what happens. If the same thing happens again, it could mean you’ve been hacked.

What to do: By far the best thing to do is back up any files that aren’t already and do a complete system restore. There’s no telling what has happened without expert help, so the first step should always be a complete reset of any affected devices. 

Confidential data has been leaked

Of all the warning signs on this list, discovering confidential company information has been found in an online data dump is the most obvious. Unfortunately, it’s also very tricky to fix.

What to do: The information is already out there, so your actions need to be more about reputation management and preventing it from happening again, rather than addressing the immediate problem. If the worst should happen, it’s time for a full audit of your security procedures, policies and infrastructure. 

Defence starts with prevention 

It might sound cliched, but the best cure for being hacked really is prevention. Relying on anti-malware tools will only get you so far. The real gains are to be made in ensuring you have clear security protocols that prevent common mistakes, using tools like encryption and two-factor authentication, and checking company devices continually. 

Don’t wait until one of these warning signs appears. Instead, think of cybersecurity as you would office security. The more often you check doors and windows are properly locked and know exactly who has access to the keys, the less likely you are to suffer a break-in. Why should your cybersecurity be any different? 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

CTA button