Attacks
Supply chain attack
What is a supply chain attack?
A supply chain attack uses a third party as the route into your business, for example an IT provider with remote access, a software vendor or a tampered update. The attacker breaks into a partner and travels onward into your systems through that partner's access or product.
For a small or medium sized business, the most obvious form is access from outside. Your IT provider holds a remote maintenance connection, the software vendor has a support account in your business system, your accountant exchanges data with you, and a cloud provider holds your records. If one of these companies is attacked, the resulting access to your systems looks like ordinary work, because it travels through a legitimate account. A second form is the hijacked mailbox of a supplier, from which genuine invoices arrive with altered bank details. A third is a tampered vendor update that reaches your machines through the regular distribution channel.
The first step is unglamorous and effective immediately: a list of every access route from outside. Who has access, to what, for what reason, since when and with what protection? Without that list, the question of who could reach your server tonight has no answer. Such an inventory can also surface accounts left over from finished projects that nobody ever switched off.
The conditions attached to those accounts come next. Each individual at the provider receives a personal account with two-factor authentication, a second proof of identity in addition to the password, so that it stays traceable who did the work. Remote access is enabled when needed and closed again afterwards. Access is logged. Where the provider processes personal data on your behalf, Article 28 of the GDPR requires a data processing agreement that also names the security measures in place.
Supply chain security is anchored in law as well. The NIS2 Directive, Directive (EU) 2022/2555, explicitly requires the entities within its scope to address supply chain security and the security of relationships with their direct suppliers and service providers. For a small business the effect is indirect: as a supplier to a covered company, you receive those requirements through contracts, questionnaires and requests for evidence. A business that has documented its own accounts, permissions and backups can answer such questionnaires with proof. The IT Check records exactly these points and documents the remote maintenance routes.
Recording external access and remote maintenance in the IT Check Gap analysis for NIS2 requirements
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.