
As a journalist covering the cybersecurity business landscape, I’ve closely followed the growing impact of supply chain attacks throughout 2025. These incidents continue to escalate in frequency and complexity, affecting organizations of all sizes across industries. This two-part series brings together insights from leading experts to explore how managed service providers (MSPs) are responding to the evolving threat environment and what strategies are emerging to strengthen supply chain security.

Security is only as strong as your weakest vendor

Many companies that have experienced attacks are reluctant to comment on the record, but supply chain attacks impact everyone, from the mom-and-pop bistro on the corner to sprawling corporations with offices in seven states. One grocery store chain CEO I interviewed described how a vulnerability in a vendor that supplies shopping carts led to a breach that shut down invoicing for six days. “That was a painful lesson. It was like a cancer that kept spreading.”

The interconnected nature of these systems makes defense particularly complex for MSPs. They face an uncomfortable reality: their security is only as strong as their weakest vendor. The threat landscape has evolved beyond traditional perimeter defenses. Attackers now leverage artificial intelligence (AI) to map and probe supplier networks faster than defenders can respond, turning trusted vendor relationships into backdoor entry points.

The stakes couldn’t be higher. When Sweden’s HR platform breach shut down payroll systems for hundreds of municipalities, or when third-party breaches at Air France and KLM exposed customer data, the message was clear: your reputation depends not just on your own security posture, but on every link in your supply chain. For MSPs managing complex client environments, this creates a cascading risk that demands immediate attention.

The challenge extends beyond technology to business continuity. Forward-thinking organizations are elevating supply chain security to boardroom discussions, demanding proof of controls from vendors, and implementing zero-trust models across partner connections. As one security expert noted, “When your supplier gets breached, the world will hold you responsible.”

CI/CD platforms emerge as a new attack surface

Kelli Schwalm, Director of SBOM at RunSafe Security, tells SmarterMSP.com that while the fundamental attack vectors haven’t changed dramatically since 2024, the tactics are evolving. “Repository and package hijacking remain the dominant attack vectors in 2025,” she explains. “What’s new is a noticeable uptick in attackers probing CI/CD platforms, making the build process itself an increasingly attractive target.”

This shift toward targeting development infrastructure represents a sophisticated evolution in supply chain attacks. By compromising the continuous integration and deployment pipelines that modern software development relies on, attackers can inject malicious code into the build output itself. That output then ships to every downstream consumer carrying the legitimacy of a normal release, so the attacker never has to breach those consumers one at a time.

Schwalm advocates for a visibility-first approach to defense: “The greatest defense against supply chain attacks targeting CI/CD platforms is understanding your organization’s full exposure to third-party software.” She points to software bills of materials (SBOMs) as the critical tool for achieving this visibility, noting that recent guidance from CISA and the NSA has transformed SBOMs from compliance checkboxes into genuine security assets.

The enhanced SBOM requirements now include licenses, component hashes, and generation context (when, how, and with what tool the SBOM was produced). These are the details that provide real operational value: a recorded hash can be checked against the artifact that actually shipped, and the generation context tells a reviewer whether the inventory is current enough to trust. “Adding license information into these proposed SBOM best practices isn’t just a compliance win, but a security win,” Schwalm notes. “Licensing impacts how organizations use and share software. Ignoring it in SBOMs left a blind spot in the software supply chain, and closing that gap is long overdue.”
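As an added example, and not code from the article or from RunSafe Security, the following Python script treats those SBOM fields as operational data rather than paperwork. It reads a constructed CycloneDX-style SBOM, flags an SBOM with no generation context and components with no license or no SHA-256 hash, and verifies each recorded hash against the artifact actually present in the build, which is how a hijacked or tampered package surfaces. The `artifact` property tying a component to a file name, the tool name, and every byte of sample data are assumptions constructed for this example.

```python
"""Audit a CycloneDX-style SBOM for license, hash and generation context,
then verify recorded hashes against the artifacts present in a build.

Everything below is constructed sample data for illustration; it is not
output from any real SBOM tool or package registry.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the algorithm CycloneDX labels 'SHA-256')."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the files a build actually pulled in.
ARTIFACTS = {
    "left-pad-1.3.0.tgz": b"sample tarball contents for left-pad",
    "requests-2.32.3.whl": b"sample wheel contents for requests",
}

# Constructed SBOM. 'left-pad' is complete and correct; 'requests' carries a
# hash that does not match the artifact (simulating a hijacked package);
# 'mystery-lib' declares neither license nor hash. The 'artifact' property
# linking a component to a file name is an assumption made for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-06-01T12:00:00Z",
        "tools": [{"name": "example-sbom-generator", "version": "0.1"}],
    },
    "components": [
        {"name": "left-pad", "version": "1.3.0", "type": "library",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(ARTIFACTS["left-pad-1.3.0.tgz"])}],
         "properties": [{"name": "artifact", "value": "left-pad-1.3.0.tgz"}]},
        {"name": "requests", "version": "2.32.3", "type": "library",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
         "properties": [{"name": "artifact", "value": "requests-2.32.3.whl"}]},
        {"name": "mystery-lib", "version": "0.0.1", "type": "library"},
    ],
})


def check_generation_context(sbom: dict) -> list[str]:
    """Flag an SBOM that does not say when or by what tool it was generated."""
    findings = []
    meta = sbom.get("metadata", {})
    if "timestamp" not in meta:
        findings.append("sbom: missing generation timestamp")
    if not meta.get("tools"):
        findings.append("sbom: missing generating tool")
    return findings


def check_components(sbom: dict, artifacts: dict[str, bytes]) -> list[str]:
    """Per component: require a license and a SHA-256, then verify the hash
    against the artifact bytes actually present in the build."""
    findings = []
    for comp in sbom.get("components", []):
        ref = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("licenses"):
            findings.append(f"{ref}: no license declared")
        hashes = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        if "SHA-256" not in hashes:
            findings.append(f"{ref}: no SHA-256 hash")
            continue
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        artifact_name = props.get("artifact")
        data = artifacts.get(artifact_name)
        if data is None:
            findings.append(f"{ref}: artifact {artifact_name!r} not present in build")
        elif sha256_hex(data).lower() != hashes["SHA-256"].lower():
            findings.append(
                f"{ref}: SHA-256 mismatch (possible tampered or hijacked package)")
    return findings


def audit_sbom(sbom_json: str, artifacts: dict[str, bytes]) -> list[str]:
    """Run both checks over a JSON SBOM and return the list of findings."""
    sbom = json.loads(sbom_json)
    return check_generation_context(sbom) + check_components(sbom, artifacts)


if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM, ARTIFACTS):
        print(finding)
```

On the sample data the audit reports three findings: the hash mismatch on `requests`, and the missing license and missing hash on `mystery-lib`; `left-pad` passes. In practice the `ARTIFACTS` mapping would be built by hashing the files in the build's dependency cache, and the hash mismatch finding is the one worth paging on, since a component whose recorded hash no longer matches what the build consumed is exactly the symptom of a repository or package hijack.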

Why vendor risk is a business priority

Security analyst Sammy Basu frames the issue in stark business terms that resonate with MSP decision-makers. “We’ve been telling clients for years: your supply chain is your biggest blind spot,” he tells SmarterMSP.com. “You can harden your firewalls, patch your servers, and train your employees, but security is only as strong as your weakest link. If a vendor leaves the back door open, the attackers walk right in.”

Basu’s perspective reflects the reality MSPs face daily. They can implement perfect security controls within their own infrastructure but remain vulnerable to vendors and third-party integrations their clients depend on. This creates a particularly challenging dynamic where MSPs must manage risk they don’t directly control.

The financial and reputational consequences are severe if a breach occurs on an MSP’s watch. “When your supplier gets breached, the world will hold you responsible,” Basu explains. “Customers will see it as a failure of your brand, regulators will come knocking on your door, and shareholders will demand answers from your leadership team.” This accountability gap, where organizations bear responsibility for breaches they didn’t cause, is reshaping how security leaders approach vendor management.

Basu advocates for treating supply chain security as a strategic business investment rather than a technical problem. He notes that forward-thinking organizations are “demanding proof of controls from vendors, monitoring supplier security in real time, adopting zero-trust models across partner connections, and budgeting for resilience as a strategic investment.”

Proactive monitoring is no longer optional

The convergence of AI-enabled attacks and increasingly complex supply chains demands a fundamental shift in how MSPs approach security. Traditional reactive measures are insufficient when attackers can leverage artificial intelligence to probe supplier networks and identify vulnerabilities faster than human defenders can respond.

Both experts emphasize the importance of visibility and proactive monitoring. As the threat landscape continues to evolve, MSPs must move beyond hoping their vendors maintain adequate security to actively verifying and monitoring the security posture of their entire supply chain ecosystem.

The message is clear: in 2025, supply chain security isn’t just an IT concern, it’s a business survival issue that demands executive attention and strategic investment.


Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
