Supply Chain Cyberattacks: Why Your Business Can Be Hit Without Being the Target
Your software provider gets hit with ransomware on a Tuesday morning. By lunchtime, the tool your team relies on to manage client files is down. You did not do anything wrong. You were not attacked directly. But your business is sitting still, clients are waiting, and you have no idea when it will be back up. This is exactly how supply chain cyberattacks work - and they are happening more often.
A supply chain attack does not target you. It targets a business you depend on - a software vendor, a cloud service provider, a key supplier - and the damage flows downstream to their customers. The Kaseya attack in 2021 is a well-known example: hackers infected one software company's code with ransomware, which then spread to around 1,500 businesses that used their product. None of those businesses were the original target. All of them felt the consequences.
For a professional services business, the exposure is real. You likely rely on a handful of cloud-based tools - practice management software, document storage, accounting platforms - and if any one of those vendors is compromised, you could lose access to client data, miss deadlines, or be unable to operate at all. The risk is not just an IT inconvenience. For a professional services firm, it is a business continuity problem.
The way to get ahead of this is to treat your vendors the same way you treat your own systems - with some level of scrutiny. Start by listing every digital service and supplier your business depends on. Then ask a simple question for each one: if this vendor went down for a week, what would that do to us? For the high-dependency ones, find out whether they have basic security practices in place. Your IT support team can help you work through this - sending a security questionnaire to key vendors is a standard part of a supply chain risk review.
Once you know where you are exposed, the next step is reducing the impact if something does go wrong. That means making sure your data is not entirely dependent on a single provider. Microsoft's own terms of service recommend that Microsoft 365 customers keep a separate backup of their data - not because Microsoft expects to fail, but because no service is immune. A separate backup, managed outside the primary platform, means that even if a vendor is hit, your data survives. The same logic applies to critical services: having a backup internet provider, for example, can mean the difference between a rough morning and a lost day. The convenience of cloud storage is not, on its own, a guarantee that your data is safe.
You should also make sure your own systems are not the weak link. If a compromised vendor pushes out a malicious software update, how quickly would that spread through your network? Regular security assessments and a disciplined approach to software updates matter here. A good assessment will tell you how exposed you actually are - not just to direct attacks, but to anything coming in through unexpected entry points. ITstuffed covers this as part of its cyber security work for Canterbury businesses.
If a breach does occur - whether to you directly or through a vendor - CERT NZ at cert.govt.nz is the right place to report it and get guidance. If client data is involved, the Office of the Privacy Commissioner at privacy.org.nz needs to be notified under the NZ Privacy Act 2020.
Most businesses only think about this after something goes wrong. A 15-minute IT Fit Check with ITstuffed is a good place to start if you want to understand where your supply chain exposure actually sits. You can book one at /booking.