Supply chain attacks: why your software is putting you at risk
You update regularly. You use well-known libraries. You host on a major cloud provider. And yet you are still vulnerable — because attackers have learned to strike exactly where you are least watchful: in the tools you trust.
Attack via the service provider
In the SolarWinds attack of 2020, 18,000 organizations — including US agencies — were compromised because attackers injected malicious code directly into a legitimate software update. Nobody installed anything suspicious. Everyone just ran their regular updates.
The npm problem: millions of dependencies, little control
An average Node.js project has over 1,000 transitive dependencies. Few are actively maintained. In 2023, 18% of npm packages were abandoned. Every abandoned package is a potential entry point via typosquatting or account takeover.
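The typosquatting risk the paragraph names can be caught mechanically: a name that is not on a team's approved list but sits only one or two edits away from an approved name deserves a second look before install. The script below is an added example, not code from the article; the approved list and the package.json it inspects are constructed for illustration, and the edit-distance thresholds are this example's own choice.

```python
"""Flag dependency names that are near-misses of approved package names.

Added example, not from the article. The approved list and the sample
package.json below are constructed for illustration; a real team would
load both from its own repository.
"""
import json


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute at cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(dependencies, approved):
    """Split dependency names into two lists:

    suspicious: not approved, but within a small edit distance of an
                approved name (the typosquatting pattern);
    unapproved: not approved and not close to anything approved.

    Short names get a tighter threshold, otherwise two edits would match
    almost any three-letter package.
    """
    approved_set = set(approved)
    suspicious, unapproved = [], []
    for name in dependencies:
        if name in approved_set:
            continue
        closest = min(approved, key=lambda a: levenshtein(name, a))
        dist = levenshtein(name, closest)
        max_dist = 1 if len(name) < 5 else 2
        if dist <= max_dist:
            suspicious.append((name, closest, dist))
        else:
            unapproved.append(name)
    return {"suspicious": suspicious, "unapproved": unapproved}


def check_package_json(text: str, approved):
    """Run classify() over dependencies and devDependencies of a package.json."""
    pkg = json.loads(text)
    names = list(pkg.get("dependencies", {})) + list(pkg.get("devDependencies", {}))
    return classify(names, approved)


# Constructed sample input (not a real project's manifest).
APPROVED = ["lodash", "express", "left-pad", "react"]
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"lodahs": "^4.0.0", "expres": "^4.18.0", "left-pad": "^1.3.0"},
  "devDependencies": {"chalk": "^5.0.0"}
}"""

if __name__ == "__main__":
    result = check_package_json(SAMPLE_PACKAGE_JSON, APPROVED)
    for name, closest, dist in result["suspicious"]:
        print(f"SUSPICIOUS {name!r} is {dist} edit(s) from approved {closest!r}")
    for name in result["unapproved"]:
        print(f"UNAPPROVED {name!r} is not on the approved list")
```

Run it in CI against the repository's manifest and fail the build on any "suspicious" hit; "unapproved" names are the ones a team lead adds to the list after a look at the package.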
What SMEs can do concretely
No company can audit all dependencies. But running `npm audit` or `pip-audit` in CI/CD pipelines, Software Composition Analysis for critical services, and a clear list of explicitly approved external services per team cost little and meaningfully reduce risk.
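Running `npm audit` in a pipeline only helps if its result actually fails the build, and only stays useful if accepted findings are recorded with an expiry instead of being waved through forever. The gate below is an added example, not code from the article: it normalises `npm audit --json` and `pip-audit --format json` reports into one list, blocks on a severity threshold, and honours a time-limited exceptions file. The sample reports are constructed and their shape follows npm's auditReportVersion 2 and pip-audit's JSON output as this example's author understands them (an assumption to verify against your installed versions); the advisory ids are placeholders.

```python
"""CI gate over `npm audit --json` and `pip-audit --format json` reports.

Added example, not from the article. The sample reports are constructed;
their shape follows npm's auditReportVersion 2 and pip-audit's JSON
output as this example's author understands them (an assumption: verify
against your installed tool versions). Advisory ids are placeholders.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def npm_findings(report: dict) -> list:
    """Normalise npm audit v2 output: one finding per vulnerable package."""
    out = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        # "via" mixes advisory objects (the root cause) and plain package
        # names (vulnerable only through another package).
        ids = [str(v.get("url") or v.get("source"))
               for v in vuln.get("via", []) if isinstance(v, dict)]
        out.append({
            "ecosystem": "npm",
            "package": name,
            "severity": vuln.get("severity", "critical"),  # unknown -> fail closed
            "ids": ids or [f"npm:{name}"],
            "direct": bool(vuln.get("isDirect", False)),
        })
    return out


def pip_findings(report: dict) -> list:
    """Normalise pip-audit output. It carries no severity, so every finding
    is treated as blocking unless an exception covers it."""
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            out.append({"ecosystem": "pip", "package": dep["name"], "severity": "critical",
                        "ids": [vuln["id"]], "direct": True})
    return out


def blocking(findings, min_severity="high", exceptions=None, today=None):
    """Return the findings that should fail the build.

    exceptions maps advisory id -> ISO expiry date. An expired exception no
    longer suppresses anything, so accepted risk gets revisited on schedule.
    """
    exceptions = exceptions or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[min_severity]
    blocked = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 4) < threshold:
            continue
        covered = any(i in exceptions and date.fromisoformat(exceptions[i]) >= today
                      for i in f["ids"])
        if not covered:
            blocked.append(f)
    return blocked


# Constructed sample reports (placeholder advisory ids, not real ones).
SAMPLE_NPM_AUDIT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {"name": "example-parser", "severity": "critical", "isDirect": True,
                           "via": [{"source": 1001, "name": "example-parser",
                                    "severity": "critical",
                                    "url": "https://example.invalid/advisories/EX-1001"}]},
        "example-logger": {"name": "example-logger", "severity": "moderate", "isDirect": False,
                           "via": ["example-parser"]},
    },
}
SAMPLE_PIP_AUDIT = {
    "dependencies": [
        {"name": "example-web", "version": "1.0.0",
         "vulns": [{"id": "EX-2001", "fix_versions": ["1.0.1"], "description": "constructed"}]},
        {"name": "example-http", "version": "2.0.0", "vulns": []},
    ]
}


def _load(path):
    with open(path) as fh:
        return json.load(fh)


def main(argv):
    """Usage: gate.py npm-audit.json pip-audit.json [exceptions.json]"""
    npm = _load(argv[1]) if len(argv) > 1 else SAMPLE_NPM_AUDIT
    pip = _load(argv[2]) if len(argv) > 2 else SAMPLE_PIP_AUDIT
    exceptions = _load(argv[3]) if len(argv) > 3 else {}
    hits = blocking(npm_findings(npm) + pip_findings(pip), "high", exceptions)
    for f in hits:
        print(f"BLOCK {f['ecosystem']}:{f['package']} {f['severity']} {','.join(f['ids'])}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline, capture the reports first (`npm audit --json > npm-audit.json || true` and `pip-audit --format json -o pip-audit.json || true`, since both tools exit non-zero when they find something) and let this script be the single step that decides pass or fail. Keeping the exceptions file in the repository, with a date on each entry, turns "we accepted this" into something reviewable in a pull request rather than a lost Slack thread.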