The rise of supply chain cyberattacks – how can clients protect themselves?

Vendor risk management is critical

By Gia Snape

Cybersecurity threats are an ever-evolving menace, and Canadian businesses and non-profits find themselves increasingly in the crosshairs.

With the proliferation of supply chain attacks and the growing reliance on third-party providers, organizations are being forced to rethink their approach to risk management. The 2023 Canadian Cybersecurity Survey reported that a third (34%) of businesses experienced a supply chain attack. 

The data breach involving software provider PowerSchool is the latest major supply-chain cyber incident to impact Canadians. Reports said that the breach, which occurred between Dec. 22 and Dec. 28, affected several school boards in Ontario, as well as in Alberta, Manitoba, and several US states. 

PowerSchool is a cloud-based platform that stores sensitive data for educational institutions across North America, supporting around 18,000 customers worldwide and tracking 60 million K-12 students.

The rise of supply chain cybersecurity events

Aliya Daya, senior client executive at Acera Insurance, said sophisticated supply chain cyberattacks are one of the top emerging cyber threats Canadian organizations should watch for in 2025.

Supply chain attacks exploit vulnerabilities in interconnected systems, targeting not just primary companies but the web of suppliers, vendors, and service providers they rely on. The consequences are severe, ranging from financial losses to reputational damage and disruptions in operations.

Daya said one of the most alarming aspects of supply chain cyberattacks is their complexity. Threat actors often infiltrate a trusted vendor or service provider to gain indirect access to the systems of larger organizations. This approach allows attackers to bypass many traditional security measures.

In the 2020 SolarWinds breach, for instance, thousands of organizations were compromised through a software provider, highlighting the potential for systemic cyberattacks that disrupt not just a single target, but entire sectors.

“The lack of software updates and the vetting of suppliers and vendors is one of the top vectors for exploitation,” Daya said. “I see this across the board, and most times our service providers are among the most vulnerable.”

Given these challenges, what can businesses do to protect themselves? Daya emphasized implementing a zero-trust cybersecurity architecture. “Enforce strict verification for all users, devices, and connections in their networks,” she said. This approach ensures that no entity, internal or external, is granted access without proper authentication.

Cyber insurance and vendor risk management – more tips for organizations

Incident response planning is a cornerstone of effective cybersecurity. Organizations need to not only develop plans for responding to supply chain attacks but also rehearse them regularly. This preparation can mean the difference between swift containment and catastrophic loss.

Continuous monitoring is equally critical, according to Daya. By vigilantly monitoring for anomalies across their supply chain networks, organizations can catch potential threats early and mitigate their impact.

Cyber insurance, while not a panacea, is an important tool that businesses can leverage. The good news is that coverage options available to small businesses and non-profit entities today are far more diverse than a decade ago.

Daya highlighted how the landscape has shifted, making cyber insurance more accessible. This evolution reflects the growing recognition of the unique challenges faced by smaller organizations in a threat landscape dominated by well-resourced adversaries.

“Small businesses often have limited funds to invest into cyber security, so they are the most vulnerable and oftentimes the lowest hanging fruit for cyber attackers,” Daya said. “The first thing (SMEs should do) is reach out to a cyber insurance broker to have a meaningful conversation about their risk exposure.”

The conversation about cybersecurity often circles back to the same fundamental truths: preparation and vigilance. Vendor risk management, including rigorous security assessments of all suppliers and service providers, is critical for all organizations.

“Implement a zero-trust architecture with strict verification for all users, devices, and network connections,” Daya said. “Incident response planning is also crucial – develop and rehearse plans for responding to supply chain attacks.

“Continuous monitoring is essential; always watch for anomalies across your supply chain. Additionally, collaborate with industry peers, regulators, or security experts to stay informed and improve security standards.”
