Here’s a scenario that should keep you up at night: your business does everything right. Firewalls? Check. Staff training? Done. Strong passwords and MFA? Absolutely. Then you get breached anyway, because your accounting software vendor got hacked.
Welcome to the world of supply chain cyber attacks. And if you think this only happens to massive corporations, we need to talk.
In 2024 and 2025, a Chinese state-sponsored hacking group called Salt Typhoon infiltrated some of the biggest telecommunications companies on the planet — AT&T, Verizon, T-Mobile, and at least nine others. These aren’t small businesses with outdated firewalls. These are multi-billion-pound enterprises with dedicated security teams numbering in the thousands. And they still got compromised.
The attackers didn’t kick down the front door. They slipped in through the supply chain — exploiting trusted connections between vendors, software providers, and network infrastructure. If that can happen to the world’s largest telcos, what does it mean for your manufacturing firm in Birmingham, your construction company in Leeds, or your engineering outfit in Manchester?
It means supply chain security isn’t optional anymore. It’s survival.
Supply chain attacks have exploded. According to the European Union Agency for Cybersecurity (ENISA), supply chain attacks tripled between 2021 and 2024. The UK’s National Cyber Security Centre (NCSC) has issued repeated warnings specifically targeting SMBs about third-party risks.
Why the surge? Because attackers figured out something clever: why hack 1,000 companies individually when you can hack one vendor that serves all 1,000?
For UK SMBs in manufacturing, construction, and engineering, this is especially dangerous. These industries rely heavily on specialist software, subcontractors, and interconnected systems. Your CAD software provider, your project management platform, your payroll company — each one is a potential entry point. If you’re not already thinking about this, check out our managed cybersecurity services to see how we approach this.
A supply chain attack happens when hackers compromise your business by targeting a third party you trust — a vendor, supplier, software provider, or service partner. Instead of attacking you directly, they attack someone in your supply chain and use that trusted relationship to reach you.
Think of it like this: you’ve locked your front door, barred the windows, and installed an alarm. But you gave your cleaner a key. If someone breaks into the cleaner’s house and steals that key, they walk straight into yours.
Supply chain attacks come in several flavours:
The common thread? You didn’t do anything wrong. Your vendor did. But you pay the price.
This one’s still unfolding as you read this. Salt Typhoon is a Chinese state-sponsored hacking group that infiltrated major US telecoms, including AT&T, Verizon, and T-Mobile. The attackers gained access to call records, text messages, and even wiretap systems used by law enforcement.
How? By exploiting vulnerabilities in network infrastructure equipment — the routers, switches, and systems made by trusted vendors that these telcos relied on. The hackers didn’t need to breach the telcos directly. They went after the technology supply chain.
The FBI described it as the “largest telecommunications hack in US history.” And many of the affected companies didn’t even know they’d been compromised for months.
The attack that put “supply chain” into the mainstream security conversation. Russian hackers compromised SolarWinds’ Orion software — a network monitoring tool used by around 18,000 organisations, including US government agencies and Fortune 500 companies.
The attackers injected malicious code into a routine software update. Every organisation that installed the update unknowingly opened a backdoor into their own network. It was brilliant, terrifying, and a masterclass in why you can’t just trust your vendors blindly.
The Clop ransomware gang exploited a vulnerability in MOVEit Transfer, a popular file transfer tool. Over 2,500 organisations were affected, including the BBC, British Airways, and Boots. Again, these companies weren’t directly hacked. Their file transfer vendor was.
See the pattern? The biggest breaches of the last five years weren’t caused by weak passwords or phishing emails (though those are still problems). They were caused by trusted vendors getting compromised.
“But we’re not AT&T,” you might be thinking. “Why would hackers target us?”
That thinking is exactly why you’re a target. Here’s the reality:
Enough doom and gloom. Here’s what you can actually do about it. These aren’t enterprise-level recommendations that require a six-figure budget. These are practical, SMB-friendly steps you can start implementing this week.
You can’t protect what you can’t see. Map out every third party that has access to your systems, data, or network. This includes:
Create a simple spreadsheet. List the vendor, what access they have, and when that access was last reviewed. You’ll be shocked at how many third parties are plugged into your business.
Before onboarding any new vendor (and when reviewing existing ones), ask basic security questions:
If a vendor can’t answer these questions, that’s a red flag. You wouldn’t hire a builder without checking their references. Don’t hire a software vendor without checking their security.
Every vendor should have only the minimum access they need to do their job. No more. Your HVAC maintenance company doesn’t need access to your file server. Your accounting software doesn’t need admin rights to your entire network.
Review access rights quarterly. Remove access immediately when a vendor relationship ends. This alone would have prevented several high-profile breaches.
You can’t prevent every attack, but you can catch them fast. Network monitoring tools can flag unusual behaviour — like a vendor account suddenly accessing files it’s never touched before, or data being sent to unfamiliar locations. This is where having the right IT support partner makes a massive difference.
At Magnetar, we combine software development expertise with IT support — which means we don’t just monitor your network, we understand how your applications and integrations work at a code level. That’s rare among MSPs, and it gives us a serious edge when detecting supply chain compromises that hide in legitimate software behaviour.
Multi-factor authentication should be non-negotiable — for your team and for any vendor accessing your systems. If a vendor’s credentials get stolen (which is exactly what happens in supply chain attacks), MFA adds another barrier that attackers need to bypass.
It’s not foolproof — Salt Typhoon demonstrated that sophisticated attackers can sometimes work around it — but it stops the vast majority of opportunistic attacks. And most supply chain attacks against SMBs are opportunistic, not state-sponsored.
If one of your vendors gets breached tomorrow, do you know what to do? Who do you call? How do you isolate the affected systems? How do you communicate with your customers?
An incident response plan doesn’t need to be a 50-page document. It needs to answer:
With 89% of issues resolved within the first hour, our team is built for rapid response. When a supply chain incident hits, speed is everything — and that’s something we take seriously.
Your vendor contracts should include security clauses. This isn’t being difficult — it’s being professional. Include requirements like:
If a vendor pushes back on reasonable security requirements, that tells you everything you need to know about how seriously they take this.
Here’s the uncomfortable truth: in 2026, your security is only as strong as the weakest link in your supply chain. You can have the best internal security in the world, but if your payroll provider gets hacked and your employees’ data gets leaked, that’s your problem. Your customers don’t care whose fault it was — they care that their data was exposed.
Salt Typhoon proved that even nation-state-level attackers prefer the supply chain route. SolarWinds proved that a single compromised update can cascade to thousands of organisations. MOVEit proved that even well-known, widely-used software can be the entry point.
The good news? You don’t need to figure this out alone. At Magnetar IT, we work with SMBs across the UK to build layered security that accounts for supply chain risk. Our unique combination of software development and IT support means we understand both the technology and the business impact — and with a 98% customer satisfaction rate, we deliver results our clients can feel. Explore our news and insights for more practical cyber security advice.
Supply chain attacks aren’t going away. They’re getting more sophisticated, more frequent, and they’re moving down-market towards SMBs. The companies that take this seriously now will be the ones still standing when the next big breach hits.
The companies that ignore it? They’ll be the cautionary tales in next year’s blog posts.
Ready to get your supply chain security sorted? Check out our managed cybersecurity services or get in touch for a no-pressure chat about where your business stands. We’ll help you figure out what’s at risk and what to do about it — before someone else figures it out for you.
Date:
Author: Rafael Macedo