
Supply Chain Security: The Blind Spot in Your IT Security

Marc H.

Too Long; Didn't Read

Your firewall won’t protect you from the next SolarWinds. Your IT security is only as strong as your weakest supplier. The biggest cyberattacks of recent years didn’t come through your firewall, but through trusted software updates and service providers. Yet most companies still do not have a systematic process for supply chain security.

Imagine this: Your security team has just completed an extensive zero-trust project. New endpoint protection, MFA everywhere, network segmentation. Everything according to best practice.

Then comes a routine software update from a vendor you have trusted for years. Signed, verified, automatically installed.

Only this update contains a backdoor.

That is exactly what happened with SolarWinds. Up to 18,000 organizations installed a compromised update, including U.S. government agencies, Microsoft, Intel, and Cisco. Not because their own security was poor, but because the attack came through a trusted channel.

Supply Chain Security: What it actually means

When we talk about supply chain security, we do not mean container ships or warehouses. We mean everything that comes into your IT environment from outside:

  • Software updates from vendors

  • SaaS platforms you entrust with your data

  • IT service providers with access to your systems

  • Open-source libraries in your applications

  • Managed service providers that manage your infrastructure

Each of these is a potential entry point. And attackers know it.

The reason is simple: Why would someone try to break through your firewall if they can compromise your software supplier instead, and thereby gain access to thousands of companies at once?

For Swiss SMEs, this is especially relevant. The average IT landscape of a mid-sized company includes dozens of SaaS tools, several IT service providers, cloud providers, and industry-specific software vendors. Each of these relationships is a potential attack surface, yet it is ignored in most security strategies.

A quick reality check: Count in your head how many external vendors have access to your systems. Most IT leaders we ask come up with 10-15. The actual number is often 40+.

The attacks that changed everything

The past few years have seen a series of supply chain attacks that clearly show the scale of the problem. Here are the most important ones:

SolarWinds (disclosed December 2020). A Russian state-sponsored actor compromised the build process of SolarWinds' Orion platform and inserted the SUNBURST backdoor into a legitimately signed product update. Up to 18,000 customers downloaded the trojanized build between March and June 2020; roughly 100 organizations, among them nine U.S. federal agencies, were then singled out for hands-on follow-on intrusion. The economic damage is estimated in the billions of dollars, and SolarWinds' share price fell by around 40% in the weeks after disclosure.

Kaseya VSA (July 2021). The REvil ransomware group exploited zero-day vulnerabilities in on-premises Kaseya VSA servers, the remote management tool that managed service providers use to administer their customers' systems. By pushing a malicious update through a few dozen compromised MSPs, they encrypted up to 1,500 downstream companies in a single afternoon. The Swedish supermarket chain Coop had to close around 800 stores because its checkout systems no longer worked. The ransom demand for a universal decryptor: 70 million dollars.

3CX Desktop App (March 2023). A North Korea-linked group first trojanized an installer from a trading software vendor (Trading Technologies' X_TRADER). A 3CX employee installed it, which gave the attackers a foothold in 3CX's environment and ultimately its build pipeline, from which a backdoored version of the 3CX VoIP desktop client was distributed to its roughly 600,000 customer organizations. What made it notable: it was the first documented cascading supply chain attack, where one software supply chain compromise was used to launch the next.

MOVEit Transfer (May 2023). The Cl0p ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in the MOVEit file transfer software to steal data in bulk rather than to encrypt it. More than 2,500 organizations were affected, including the BBC, British Airways, Shell, and various government agencies. Many victims were hit one step removed: the BBC and British Airways, for example, lost employee data through their payroll provider and did not even know that this service provider used MOVEit.

Figure: Timeline of the largest supply chain attacks 2020–2023

Why your current security does not protect you

Here is the problem most security leaders do not want to admit: Traditional security measures are designed to stop attacks from outside. Firewalls, IDS, endpoint protection, all optimized to keep untrusted traffic and unknown binaries out.

But a compromised software update? It comes from a trusted sender. It is signed with the vendor's own code-signing certificate, as the SUNBURST update was. It travels through a legitimate channel, often an auto-updater you deliberately allow-listed. Your security tools wave it through. A valid signature only tells you who released the artifact, not that the build that produced it was clean.

We see this with practically every customer. Perimeter security is often solid. But ask which third parties have access to critical systems... and then it gets quiet.

Three patterns stand out:

No overview of third-party access. Who actually has access to your systems? Which SaaS tools process your data? Which service providers have VPN access or admin rights? In most companies we advise, there is no complete list.

No process for vendor risk assessment. New tools and vendors are selected based on functionality and price. The question "How secure is this vendor?" is, at best, a checkbox at the end.

No visibility into the software supply chain. Which open-source libraries are built into the tools you use? When Log4Shell (CVE-2021-44228) became known in December 2021, most companies did not know for days whether they were affected, because nobody could say which products embedded the Log4j library. Without a Software Bill of Materials (SBOM) for each product and a way to query it, you are blind.

The tricky part: These gaps do not arise from negligence. They arise because supply chain security has been a side issue in classical security frameworks. Only the wave of attacks in recent years has shown that there is a systematic blind spot here.

Figure: Comparison of what companies protect vs. where the attacks come from

NIS2 makes supply chain security mandatory

If you have so far thought that supply chain security was optional: NIS2 changes that.

The EU directive NIS2 (2022/2555) explicitly requires in Article 21, paragraph 2(d), "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

For Swiss companies, this means: If you supply EU customers or have subsidiaries in the EU, you are directly or indirectly affected. And even without an EU connection, your EU partners will place supply chain requirements on you.

In addition, there is the EU Cyber Resilience Act (CRA), which imposes an SBOM requirement and security-by-design requirements on manufacturers of software and connected products.

The regulatory direction is clear: supply chain security is becoming a basic requirement, not a nice-to-have.

Figure: NIS2 supply chain requirements: supplier assessment, contractual safeguards, incident response

Why SMEs are particularly affected

Large corporations have their own third-party risk teams, automated vendor assessment platforms, and the bargaining power to enforce audit rights. SMEs do not.

And that is exactly what makes them a target. Not directly, but indirectly. Through the managed service provider that supports 50 small companies at the same time. Through the industry software used by a hundred companies in the same niche. Through the cloud provider on whose major certifications everyone relies.

The Kaseya attack in 2021 illustrated this perfectly: REvil did not attack 1,500 companies individually. They compromised the VSA servers of a few dozen MSPs, and with them all of those MSPs' customers at once.

For Swiss companies, there is another factor: dependence on international software vendors and cloud providers. If a global SaaS provider is compromised, Swiss companies are in the mix, whether they want to be or not.

Five steps you can take now

The good news: You do not have to solve everything at once. But you do have to start. Here are five pragmatic steps, sorted by impact:

1. Create an inventory of your third parties. It sounds trivial, but it is not. Create a complete list of all vendors with access to your systems, data, or networks. Categorize by criticality: Who has access to critical systems? Who processes sensitive data?

2. Introduce vendor risk assessment. Not as a one-time project, but as a recurring process. Evaluate vendors based on security maturity (certifications, incident history), contractual safeguards (audit rights, SLA for incident response), and degree of dependency.

3. Review contractual safeguards. Do you have audit rights with your critical suppliers? Are there SLAs for security incidents? What happens if a vendor is hacked—who is liable? These questions belong in every contract, not just in the security policy.

4. Build monitoring for your supply chain. Monitor security ratings of your critical vendors. Subscribe to vulnerability advisories (CVE, OSV, vendor bulletins) for the software you use and match them automatically against your inventory and SBOMs, so that a new vulnerability in your stack raises an alert instead of waiting for someone to read the news.

5. Plan incident response for supply chain scenarios. Your incident response plan should include a scenario: "What do we do if a critical supplier has been compromised?" Who decides on isolation? How quickly can we cut off access?
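A concrete form of steps 1, 2 and 4 above, and of the SBOM point from the previous section, as an added example that is not code from this article or from ODCUS: a Python script that tiers a hypothetical third-party inventory by system access and data sensitivity, parses a minimal CycloneDX SBOM per vendor product, and matches the listed components against advisories in OSV format. The vendor names and SBOM contents are constructed; the two advisories are simplified from the public records for CVE-2021-44228 and CVE-2021-45046 (one version range each instead of one per Log4j maintenance branch). Only the standard library is used.

```python
"""Added example, not code from the article: cross a third-party inventory and its
SBOMs with OSV-style advisories and rank the hits by vendor criticality.
All data is constructed; the vendors are hypothetical."""
import json

# Step 1: third-party inventory (hypothetical vendors), classified by what each
# one can reach in our environment and what data it processes.
INVENTORY = [
    {"vendor": "Acme ERP AG", "product": "acme-erp", "access": "admin", "data": "financial"},
    {"vendor": "TicketDesk GmbH", "product": "ticketdesk", "access": "api", "data": "customer"},
    {"vendor": "PrintMgr Ltd", "product": "printmgr", "access": "none", "data": "public"},
]
ACCESS_WEIGHT = {"admin": 3, "vpn": 2, "api": 1, "none": 0}
DATA_WEIGHT = {"financial": 3, "personal": 3, "customer": 2, "internal": 1, "public": 0}
TIER_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def criticality(entry):
    """Step 2 (simplified): tier a vendor by access level plus data sensitivity."""
    score = ACCESS_WEIGHT[entry["access"]] + DATA_WEIGHT[entry["data"]]
    if score >= 5:
        return "critical"
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def _bom(*components):
    """Minimal CycloneDX 1.4 JSON document, as a vendor would ship it (constructed)."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": purl.split("/")[-1].split("@")[0],
         "version": purl.split("@")[1], "purl": purl} for purl in components]})


SBOMS = {
    "acme-erp": _bom("pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                     "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"),
    "ticketdesk": _bom("pkg:maven/org.apache.logging.log4j/log4j-core@2.15.0"),
    "printmgr": _bom("pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"),
}

# Advisories in OSV format, simplified to one interval per CVE (the real records
# carry one interval per maintenance branch).
ADVISORIES = [
    {"id": "CVE-2021-44228", "summary": "Log4Shell: JNDI lookup remote code execution",
     "affected": [{"package": {"ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0"}, {"fixed": "2.15.0"}]}]}]},
    {"id": "CVE-2021-45046", "summary": "Incomplete fix for CVE-2021-44228",
     "affected": [{"package": {"ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0"}, {"fixed": "2.16.0"}]}]}]},
]

PURL_ECOSYSTEM = {"maven": "Maven", "pypi": "PyPI", "npm": "npm"}


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (OSV ecosystem, OSV name, version).
    Maven names are 'group:artifact' in OSV; qualifiers (?...) and subpaths (#...) are dropped."""
    path, _, version = purl[len("pkg:"):].partition("@")
    version = version.split("?")[0].split("#")[0]
    ptype, _, rest = path.partition("/")
    parts = rest.split("/")
    name = parts[-1]
    if ptype == "maven" and len(parts) > 1:
        name = parts[-2] + ":" + name
    return PURL_ECOSYSTEM.get(ptype, ptype), name, version


def version_key(v):
    """Numeric dotted versions padded to four fields; a pre-release suffix such as
    '-beta9' sorts below the corresponding release. Not a full Maven/semver comparator."""
    core, _, pre = v.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums) + ((0,) if pre else (1,))


def version_affected(version, events):
    """Walk OSV range events: 'introduced' opens an interval, 'fixed' closes it
    (exclusive). An open interval with no 'fixed' affects everything from 'introduced' on."""
    v = version_key(version)
    lo = None
    for ev in events:
        if "introduced" in ev:
            lo = version_key(ev["introduced"])
        elif "fixed" in ev and lo is not None:
            if lo <= v < version_key(ev["fixed"]):
                return True
            lo = None
    return lo is not None and lo <= v


def find_alerts(inventory, sboms, advisories):
    """Step 4: match every SBOM component against the advisory feed; sort by vendor tier."""
    alerts = []
    for entry in inventory:
        tier = criticality(entry)
        bom = json.loads(sboms.get(entry["product"], '{"components": []}'))
        for comp in bom.get("components", []):
            eco, name, version = parse_purl(comp["purl"])
            for adv in advisories:
                for aff in adv["affected"]:
                    pkg = aff["package"]
                    if pkg["ecosystem"] != eco or pkg["name"] != name:
                        continue
                    if any(version_affected(version, r["events"]) for r in aff["ranges"]):
                        fixed = [e["fixed"] for r in aff["ranges"] for e in r["events"] if "fixed" in e]
                        alerts.append({"tier": tier, "vendor": entry["vendor"], "product": entry["product"],
                                       "component": name, "version": version,
                                       "advisory": adv["id"], "fixed_in": fixed})
    alerts.sort(key=lambda a: (TIER_RANK[a["tier"]], a["product"], a["advisory"]))
    return alerts


if __name__ == "__main__":
    for a in find_alerts(INVENTORY, SBOMS, ADVISORIES):
        print(f"[{a['tier'].upper():8}] {a['vendor']} / {a['product']}: {a['component']} "
              f"{a['version']} hit by {a['advisory']} (fixed in {', '.join(a['fixed_in'])})")
```

Run as is, it raises two alerts for the ERP vendor (2.14.1 falls into both ranges) and one for the helpdesk product (2.15.0 closed CVE-2021-44228 but not CVE-2021-45046), and none for the printing vendor at 2.17.1; the critical-tier vendor lands at the top of the list. For real feeds, replace the inline advisories with records fetched from the OSV API and use an ecosystem-aware version comparator, since the simple comparator here only understands numeric dotted versions with an optional pre-release suffix.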

Figure: The five steps to supply chain security as a process diagram

The next step

Supply chain security is not a project with an end date. It is an ongoing process that evolves with every new vendor relationship and every software update.

But the first step is always the same: know where you stand.

If you do one thing tomorrow morning, do this: Create a list of all third parties with access to your systems. Just the list. You will be surprised how long it is.

We help Swiss companies systematically identify and manage supply chain risks, vendor-neutral and with a focus on business impact rather than compliance checkboxes. Cybersecurity consulting

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.
