Supply Chain Security: Why Your Business Security is Only as Strong as Your Weakest Link

Imagine waking up to discover your company has been breached. Hackers accessed your customer data overnight, not through your systems, but via your trusted payroll provider’s third-party connection.

For mid-sized businesses, the average cost of a supply chain breach hit $2.1 million* in 2024, with recovery times averaging 235 days.

That’s enough to cripple a company, which is why your supply chain security deserves your attention.

Here’s your quick-read brief:

  • Supply chain attacks doubled in 2024, with 6.8 billion records* exposed
  • 82%* of CIOs can’t guarantee their suppliers are cyber-secure
  • Small and mid-sized businesses are prime targets through vendor relationships
  • Practical steps I recommend to protect your business

The State of Supply Chain Security in 2025

Your business interacts with more digital vendors and services today than ever before: your payroll provider, cloud storage solution, email marketing platform, accounting software, etc. Each one connects to your network and processes sensitive data. Any one of your connections is a potential entry point for attackers.

Cybercriminals don’t just target businesses directly. They’re finding easier ways in via your trusted partners. Supply-chain attacks through open-source packages grew by 1,300%* over the past three years. Why such a sharp rise? Attacking one vendor can compromise thousands of businesses at once. Mid-sized businesses make perfect targets too: large enough to have valuable data and with fewer resources for security than enterprise companies.

AI and automation have also handed attackers new capabilities. They can now scan entire vendor networks for weaknesses, create convincing phishing campaigns targeting specific employees, and launch coordinated attacks across multiple entry points. In 2024, medium-sized businesses reported an average of 1,131 attempted attacks* through third-party connections.

Tactics are getting smarter too. Instead of brute-force attacks, cybercriminals are playing the long game: building trust, establishing legitimate-looking relationships and waiting for the right moment to strike.

It’s cause for concern all right, but the situation isn’t hopeless and there are measures you can take to minimize risk to your business.

The Thwarted XZ-Utils Attack

The XZ-Utils incident of 2024 is a perfect example of how these new tactics work in practice. XZ-Utils is a compression tool used by millions of systems worldwide. Because it is installed on so many systems across so many businesses, it made an attractive target: compromise the tool once, and every system that pulls the tainted update becomes reachable. The attackers spent months contributing legitimate code improvements and building trust within the open-source project community. Their end game? Slip malicious code into a routine update that would have compromised millions of systems.

The attack failed thanks to careful code review practices. If successful, this attack would have given criminals access to potentially millions of systems, exposing customer data, financial records, and proprietary information. The estimated potential impact? Over $300 million* in damages across affected companies.

If XZ-Utils doesn’t prove the case for robust supply chain procedures I don’t know what does.

How To Secure Your Supply Chain

Building strong supply-chain security starts with knowing who has access to your systems. Here are the steps I recommend you take to review and strengthen your supply-chain security.

1. Map Your Vendor Network

Your first step is mapping out every connection to your business, from your software providers to your cleaning service. Think of it as creating a “security family tree” where you can see how each vendor connects to your data and systems.

2. Set Clear Security Standards

Once you know who’s connected, you can set meaningful security standards. These become your baseline for all vendor relationships. Rather than creating a one-size-fits-all policy, rank your vendors based on their access levels. For instance, a payroll provider handling sensitive data needs stricter controls than a website maintenance service.

3. Monitor System Access

Once you know who’s connected to your systems and why, you can actively monitor how vendors use them and watch for activity or requests that may indicate malicious behavior: access attempts outside normal business hours, sudden increases in data transfers, multiple failed login attempts, and changes to system configurations.
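Steps 1 to 3 fit together in code: a vendor inventory that records each connection and its access tier (steps 1 and 2) supplies the thresholds that the monitoring rules in step 3 apply. The following is an added example written for this article, not code from the original newsletter or from any product it mentions. The vendor names, the log format, the business-hours window and the per-tier transfer limits are all constructed assumptions; a real deployment would feed it the access logs your vendor gateway or identity provider actually produces.

```python
"""Vendor inventory with access tiers, plus anomaly checks over vendor access logs."""
from collections import Counter, defaultdict
from datetime import datetime

# Steps 1 and 2: constructed, hypothetical vendor inventory. Tier 1 handles the most
# sensitive data, so its limits are tightest. business_hours is the hour window
# (start inclusive, end exclusive) in which that vendor's access is expected.
VENDORS = {
    "payroll-co": {"tier": 1, "business_hours": (8, 18), "max_mb_per_day": 200},
    "web-maint":  {"tier": 3, "business_hours": (8, 18), "max_mb_per_day": 50},
}

# Constructed sample log, one event per line: "<ISO timestamp> <vendor> <event> [detail]".
SAMPLE_LOG = """\
2025-03-03T09:12:00 payroll-co LOGIN_OK
2025-03-03T09:15:00 payroll-co TRANSFER_MB 40
2025-03-04T02:10:00 payroll-co LOGIN_OK
2025-03-04T02:12:00 payroll-co TRANSFER_MB 900
2025-03-04T02:20:00 payroll-co CONFIG_CHANGE firewall.rules
2025-03-03T10:00:00 web-maint LOGIN_FAIL
2025-03-03T10:00:05 web-maint LOGIN_FAIL
2025-03-03T10:00:09 web-maint LOGIN_FAIL
2025-03-03T10:01:00 web-maint LOGIN_OK
2025-03-03T11:00:00 unknown-svc LOGIN_OK
"""


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append({
            "when": when,
            "vendor": parts[1],
            "event": parts[2],
            "detail": parts[3] if len(parts) > 3 else None,
        })
    return events


def detect_anomalies(events, vendors=VENDORS, failed_login_threshold=3):
    """Return (vendor, rule, detail) findings for the four patterns named in step 3,
    plus an inventory check: any connection that is not in the vendor map (step 1)."""
    findings = []
    mb_per_day = defaultdict(float)      # (vendor, date) -> MB transferred that day
    consecutive_failures = Counter()     # vendor -> failed logins since last success
    after_hours_seen = set()             # (vendor, date) already reported once

    for e in events:
        profile = vendors.get(e["vendor"])
        if profile is None:
            findings.append((e["vendor"], "unmapped_vendor", "not in inventory"))
            continue

        # Access outside the window agreed for this vendor, reported once per day.
        start, end = profile["business_hours"]
        day_key = (e["vendor"], e["when"].date())
        if not (start <= e["when"].hour < end) and day_key not in after_hours_seen:
            after_hours_seen.add(day_key)
            findings.append((e["vendor"], "after_hours", e["when"].isoformat()))

        if e["event"] == "TRANSFER_MB":
            mb_per_day[day_key] += float(e["detail"])
        elif e["event"] == "LOGIN_FAIL":
            consecutive_failures[e["vendor"]] += 1
            if consecutive_failures[e["vendor"]] == failed_login_threshold:
                findings.append((e["vendor"], "failed_logins",
                                 f"{failed_login_threshold} consecutive failures"))
        elif e["event"] == "LOGIN_OK":
            consecutive_failures[e["vendor"]] = 0
        elif e["event"] == "CONFIG_CHANGE":
            # Any vendor-originated configuration change is flagged for review.
            findings.append((e["vendor"], "config_change", e["detail"]))

    # Daily transfer volume compared against the limit set for that vendor's tier.
    for (vendor, day), total in mb_per_day.items():
        if total > vendors[vendor]["max_mb_per_day"]:
            findings.append((vendor, "transfer_spike", f"{day}: {total:.0f} MB"))
    return findings


if __name__ == "__main__":
    for vendor, rule, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{vendor:12} {rule:16} {detail}")
```

Run against the constructed log, the rules flag the payroll provider's 2 AM session, its 900 MB transfer and its firewall change, the three consecutive failed logins from the maintenance vendor, and a connection that was never added to the inventory. The thresholds live in the inventory rather than in the detection code, which is what lets a tier 1 vendor be held to a tighter standard than a tier 3 one without a separate rule set for each.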

4. Build Robust Vendor Agreements

With effective monitoring in place, you can now review and strengthen your vendor contracts. Use what you’ve learned from mapping and monitoring to create clear security requirements. Your vendor agreements should include your security requirements and standards, breach notification timelines, incident response responsibilities, and your right to audit security practices. Also, detail what vendors must do if they identify an issue as well as the consequences of security failures.

5. Test Your Response Plan

Finally, practice your response plan. Run through scenarios with your team and key vendors. What happens if a vendor reports a breach at 3 AM? Who calls who? What systems need to be isolated? These practice runs reveal gaps you can fix before a real incident occurs.

Remember, each of these steps builds on the previous one. You can’t monitor vendors until you know who they are, and you can’t create strong contracts until you understand how vendors use your systems. If you want to review your supply chain but you’re unsure where to start, pick one key vendor relationship and review it using the steps above. Work through your vendor network methodically, focusing on those handling your most sensitive data first.

Securing Your Business Means Securing Your Network

When half of all breaches now start with third-party access, your vendor security can’t be an afterthought. Think of your business network like a neighborhood: your security is affected by everyone you’re connected to. One weak link in your supply chain can undo all your careful internal security work.

Share this newsletter with colleagues who manage vendor relationships if you found it valuable. Building secure business networks is a collective effort, and it starts with awareness.

We’ll Help You Review Your Supply-Chain Security

Want a second opinion on your supply chain security? Let’s talk about practical steps for your business. Contact Sagacent Technologies to discuss your vendor network security.

Glossary of terms:

  • Supply Chain Attack: When cybercriminals target your business by compromising one of your vendors or suppliers
  • Third-Party Access: When external companies or individuals can use your systems or data
  • Vendor Network: All the external companies and services your business relies on

Extra reading cited in the text: