Supply Chain Cyber Attacks Targeting Professional Services Firms
Professional services firms are increasingly attacked not directly, but through their software vendors, cloud platforms, and sub-contractors. The SolarWinds attack — which compromised the IT management software used by thousands of organisations globally — demonstrated that a single vendor breach can simultaneously expose hundreds of professional services firms. For consultancies, accountancy practices, and advisory firms whose entire service delivery depends on cloud platforms and third-party software, supply chain security is an urgent priority.
NCSC: Supply chain attacks increased 78% in 2023 — professional services firms are frequent secondary targets.
How Supply Chain Attacks Reach Professional Services Firms
Supply chain attacks targeting professional services firms take several forms:
- Software vendor compromise — malicious code inserted into a software update (as in SolarWinds, Kaseya) that is then pushed to all customers
- Sub-contractor access — a sub-contractor or specialist adviser with legitimate access to your systems is compromised, providing attackers with a route in
- Cloud platform vulnerabilities — weaknesses in shared cloud platforms (M365, Salesforce, practice management software) exploited across all customers
- Legal technology compromise — practice management and matter management systems targeted for their access to confidential client data
Vendor Security Assessment for Professional Services
Every third-party tool that accesses your systems or data represents a potential supply chain risk. A basic vendor security programme should cover:
- security questionnaires for all critical vendors
- review of vendor SOC 2 or ISO 27001 certifications
- contractual security requirements, including breach notification obligations
- regular review of vendor access permissions
- an offboarding process for discontinued vendor relationships
Frequently Asked Questions
How do we assess the security of our software vendors?
Start with a vendor inventory — a complete list of all software and cloud services that access your systems or data. Prioritise vendors by the sensitivity of the data they access and the criticality of the systems they can reach. For high-priority vendors, request ISO 27001 certification, SOC 2 Type II reports, or completed NCSC Cyber Essentials questionnaires. For all vendors, ensure your contracts include breach notification obligations and a right to audit.
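The inventory-and-prioritise process described in this answer, and the programme elements listed under "Vendor Security Assessment" above, can be run as a repeatable check rather than a one-off spreadsheet exercise. The following Python script is an added example, not code from the page or from Kyanite Blue; the vendor data model, the ordinal sensitivity and criticality scales, the scoring thresholds for "high" priority, the 12-month access-review cadence and all vendor names are assumptions constructed for illustration. It ranks a constructed inventory by data sensitivity plus system criticality, requires accepted attestations only for high-priority vendors, checks every active contract for breach notification and right-to-audit clauses, flags overdue access reviews, and flags discontinued vendors whose access was never revoked.

```python
# Added example (not from the page): triage a vendor inventory along the axes
# the answer names. Data model, scales, thresholds and the review cadence are
# assumptions; the sample vendors are fictitious.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed ordinal scales for the two prioritisation axes in the text.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "client-privileged": 3}
CRITICALITY = {"peripheral": 0, "supporting": 1, "core": 2, "service-delivery": 3}

# Evidence the answer lists as acceptable for high-priority vendors.
ACCEPTED_ATTESTATIONS = {"ISO 27001", "SOC 2 Type II", "Cyber Essentials"}
REVIEW_INTERVAL_DAYS = 365  # assumed cadence for re-checking vendor access


@dataclass
class Vendor:
    name: str
    data_sensitivity: str                 # key of SENSITIVITY
    system_criticality: str               # key of CRITICALITY
    attestations: Set[str] = field(default_factory=set)
    breach_notification_clause: bool = False
    right_to_audit_clause: bool = False
    active: bool = True                   # False once the relationship is discontinued
    access_revoked: bool = False          # has offboarding actually removed access?
    last_access_review: Optional[date] = None


def score(v: Vendor) -> int:
    """0..6: higher means more sensitive data and more critical reach."""
    return SENSITIVITY[v.data_sensitivity] + CRITICALITY[v.system_criticality]


def tier(v: Vendor) -> str:
    """Assumed thresholds: 4+ is high priority, 2-3 medium, below that low."""
    s = score(v)
    return "high" if s >= 4 else "medium" if s >= 2 else "low"


def assess(v: Vendor, today: date) -> List[str]:
    """Return the gaps a vendor security review would raise for one vendor."""
    findings: List[str] = []
    if not v.active:
        # A discontinued vendor only matters if offboarding left access in place.
        if not v.access_revoked:
            findings.append("discontinued relationship but access not yet revoked")
        return findings
    if tier(v) == "high" and not (v.attestations & ACCEPTED_ATTESTATIONS):
        findings.append("high-priority vendor without ISO 27001 / SOC 2 Type II / Cyber Essentials evidence")
    if not v.breach_notification_clause:
        findings.append("contract lacks breach notification obligation")
    if not v.right_to_audit_clause:
        findings.append("contract lacks right to audit")
    if v.last_access_review is None or (today - v.last_access_review).days > REVIEW_INTERVAL_DAYS:
        findings.append("vendor access review overdue")
    return findings


def triage(inventory: List[Vendor], today: date) -> List[Dict]:
    """Rank the inventory by priority (ties broken by name) and attach findings."""
    ranked = sorted(inventory, key=lambda v: (-score(v), v.name))
    return [{"vendor": v.name, "tier": tier(v), "score": score(v), "findings": assess(v, today)}
            for v in ranked]


# Constructed sample inventory; names and attributes are fictitious.
SAMPLE_INVENTORY = [
    Vendor("PracticeHub", "client-privileged", "service-delivery", {"SOC 2 Type II"},
           True, True, last_access_review=date(2024, 3, 1)),
    Vendor("MailCloud", "confidential", "core", {"ISO 27001"}, breach_notification_clause=True),
    Vendor("AdviserCo", "confidential", "supporting", last_access_review=date(2023, 1, 10)),
    Vendor("SignFast", "confidential", "supporting", active=False),
]
REFERENCE_DAY = date(2024, 6, 1)  # assumed "today" for the sample run


def sample_report() -> List[Dict]:
    return triage(SAMPLE_INVENTORY, REFERENCE_DAY)


if __name__ == "__main__":
    for row in sample_report():
        print(f"{row['vendor']:<12} {row['tier']:<7} {'; '.join(row['findings']) or 'no findings'}")
```

The output is ordered so that the vendors with the most sensitive data and the deepest reach into service delivery appear first, which is where questionnaire and certification effort should go; the contract-clause checks apply to every active vendor regardless of tier, matching the answer's "for all vendors" point, and the offboarding check catches the sub-contractor-access route described earlier.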
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.