What a supply chain attack actually is
A supply chain attack happens when an attacker compromises a business not by attacking it directly, but by compromising a supplier, partner, or software vendor that the business trusts. The attacker uses that trusted relationship as a bridge into the real target.
The reason this is so effective is simple: your defences are built around your own perimeter. Your firewall, your MFA, your endpoint protection — all of it assumes the threat is coming from outside. A supplier you've authorised to access your systems, or software you've installed from a trusted vendor, is already inside that perimeter.
It doesn't require a sophisticated attacker to exploit a small business this way. It just requires finding a weak link in the chain.
UK cases — what actually happened
Marks & Spencer
One of the most disruptive cyber incidents in UK retail history. M&S suffered weeks of operational disruption — online orders suspended, gift cards failing, store systems degraded. Reporting confirmed the initial compromise occurred via a third-party contractor with privileged access to M&S systems. The attacker didn't break through M&S's defences. They walked in through a door that had already been opened for someone else. Estimated financial impact exceeds £300 million.
KNP Logistics
A ransomware attack via a supply chain vulnerability pushed KNP Logistics — one of the UK's largest privately owned logistics groups — into administration. Nearly 730 jobs lost. The business had operated for over 150 years. The attack didn't target KNP directly; it exploited a weakness in connected software used across their supply chain. This is the SME version of the M&S story: a business that survived world wars and recessions, ended by a supply chain cyber attack.
SSP — UK Broker Platform
SSP provides policy administration software used by a significant portion of the UK broker market. When SSP suffered a cyber incident, it wasn't SSP's clients who got hacked — it was SSP's clients who got taken offline. Brokers couldn't access their own policy data, couldn't process renewals, couldn't serve clients. This is the supply chain risk that's specific to brokers: your critical infrastructure isn't yours. It belongs to your software vendor. And if they go down, so do you.
How a supply chain attack unfolds
Target selection — find the weakest supplier
Attackers don't start with you. They map the ecosystem around high-value targets and identify which suppliers have privileged access, trusted software installations, or network connectivity. A small IT support firm serving 50 businesses is a more efficient target than any one of those 50 businesses individually.
Supplier compromise
The supplier is attacked through conventional means — phishing, unpatched vulnerabilities, credential theft. Because the supplier is smaller and less well-resourced, their defences are typically weaker. The attacker establishes persistent access, often sitting quietly for weeks before acting.
Lateral movement to the real target
Using the supplier's legitimate credentials, software update mechanisms, or network access, the attacker moves into the target organisation. Because the access is authorised — the supplier is trusted — this movement often bypasses security controls entirely. Your systems think it's a normal connection from a known partner.
The impact
Ransomware deployment, data exfiltration, or persistent access establishment — the attacker is now inside your network having never directly attacked you. The M&S incident, KNP, the SolarWinds attack that compromised US government agencies — all followed this pattern at different scales.
Why SMEs are disproportionately exposed
Large enterprises have supplier due diligence programmes, third-party risk assessments, and contractual security requirements. Most SMEs have none of these — and rely on implicit trust in their suppliers rather than verified security posture.
The typical SME attack surface through suppliers includes:
- Outsourced IT support — often has remote access to your entire network, frequently a small firm with limited security controls of their own
- Accounting and payroll software — cloud-hosted, regularly updated, direct access to financial data
- Document management and e-signature platforms — handle sensitive client data, often deeply integrated
- Managed print and device suppliers — physical devices on your network that receive remote maintenance
- Website and hosting providers — server access, often with admin credentials stored
- Legal and compliance software — access to client records, correspondence, and sensitive documentation
Most SMEs couldn't list all of these off the top of their head. That's the problem.
Your tech stack is your attack surface
Insurance brokers operate through a web of third-party platforms — policy administration systems, quote engines, document management, client portals, insurer extranet connections. SSP, CDL, Applied Systems, Acturis — each of these represents a supply chain dependency that sits outside your control but inside your risk perimeter.
The FCA has been increasingly clear that operational resilience includes third-party dependencies. SYSC 8 requires firms to manage outsourcing risks — and a software vendor going down counts as an outsourcing failure under the rules, regardless of whether a cyber attack was involved.
Beyond regulatory risk, there's the practical question: if your policy admin system went offline tomorrow, how long could you operate? Most brokers we speak to have never tested that answer. Our Operational Risk Assessment covers third-party dependency mapping as part of the standard scope.
What you can actually do about it
You cannot fully control your suppliers' security. But you can reduce your exposure, limit the blast radius if a supplier is compromised, and ensure you're asking the right questions before granting access.
Map your supplier access — know who has what
Start by listing every third party with access to your systems, network, or data: remote access credentials, software with admin rights, cloud integrations, API connections. Most SMEs find this list is longer than expected. Each item is a potential supply chain entry point. The NCSC's supply chain security guidance recommends this as the first step — you cannot manage risks you haven't identified.
Apply least privilege to supplier access
Your IT support firm doesn't need access to your finance systems. Your payroll software doesn't need access to your email. Segment supplier access to the minimum required for the relationship to function. If a supplier is compromised, least privilege limits what the attacker can reach through that supplier's credentials. This is a core Cyber Essentials control applied to third-party access — covered in our ORA assessment.
Ask suppliers about their security posture
It's reasonable to ask suppliers with privileged access whether they hold Cyber Essentials certification, how they manage their own access controls, and whether they have cyber insurance. Most won't be offended — it's a professional question. Those who are should prompt further thought about whether that relationship carries acceptable risk. The NCSC publishes a supply chain security collection with guidance on supplier questionnaires.
Keep software updated — including third-party software
Many supply chain attacks exploit vulnerabilities in software you've legitimately installed — accounting packages, CRM systems, document management tools. Keeping these patched closes the known vulnerabilities attackers use as entry points. This is a Cyber Essentials requirement and one of the highest-return controls for supply chain risk.
Ensure you can operate if a key supplier goes offline
The SSP incident is a reminder that supply chain risk isn't just about your data being stolen — it's about your operations being disrupted. Offline backups of critical data, documented manual procedures for key processes, and tested recovery plans are what separate businesses that survive supplier incidents from those that don't. Our Disaster Recovery service is built around exactly this.
Cyber Essentials and supply chain risk
Cyber Essentials doesn't directly certify your suppliers — it certifies your own controls. But achieving CE certification means your own patching, access control, and network boundary controls are verified, which limits the blast radius if a supplier is compromised.
More practically, CE certification is increasingly required by suppliers and clients as a condition of doing business. If your IT support firm holds CE+, you have independent verification that their controls meet a defined standard. That's more useful than a verbal assurance.
Cyber Essentials Plus includes an external vulnerability scan and on-site technical verification — the closest thing to a supply chain security check that's accessible to SMEs at a reasonable cost.
Operational Risk Assessment (ORA)
ORA maps your current control posture across 30 areas including third-party access, patching, access control, and backup resilience — the controls most relevant to supply chain risk. It produces a plain-English report with prioritised actions. If you're a broker, it covers the operational resilience questions the FCA expects you to be asking of yourself.
Cyber Vitals — passive domain and email security scan
A passive scan of your domain covering SPF, DKIM, DMARC, SSL, open ports, and breach intel. Surfaces the external-facing gaps that make your domain easier to spoof or exploit — relevant to supply chain attacks that use email as an entry vector.
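The SPF and DMARC part of a passive domain scan comes down to reading two DNS TXT records and flagging the settings that leave a domain open to spoofing. The example below is added here to show that logic; it is not the Cyber Vitals scanner or any code from this page, and it evaluates constructed sample records for a fictional domain (example.test) rather than performing live DNS lookups.

```python
# Constructed sample DNS TXT records for a fictional domain (example.test);
# they stand in for live lookups so the check runs offline.
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test +all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

def parse_spf(txt_records):
    """Return the domain's SPF record, or None if absent or duplicated."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    # RFC 7208: more than one SPF record is a permanent error for receivers.
    return spf[0] if len(spf) == 1 else None

def parse_dmarc(txt_records):
    """Return DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'none'}), or None."""
    rec = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, records):
    """Flag the email-spoofing gaps a passive scan of the domain would surface."""
    findings = []
    spf = parse_spf(records.get(domain, []))
    if spf is None:
        findings.append("SPF: no single valid record, senders cannot be verified")
    else:
        # The final 'all' mechanism decides what happens to unlisted senders.
        last = spf.split()[-1].lower()
        if last in ("+all", "all"):   # bare 'all' defaults to '+'
            findings.append("SPF: '+all' allows any host to send as this domain")
        elif last == "?all":
            findings.append("SPF: '?all' is neutral, spoofed mail is not rejected")
        elif last == "~all":
            findings.append("SPF: '~all' softfail, rely on DMARC to enforce")
    dmarc = parse_dmarc(records.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("DMARC: no record, receivers will not enforce alignment")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none monitors only, spoofed mail still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, no aggregate reports on abuse")
    return findings
```

A domain with `v=spf1 ... -all` and `p=reject` returns an empty findings list; the constructed sample above returns two.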