SolarWinds: a supply chain attack explained for managers
What happened with SolarWinds, and why this incident changes the security conversation for companies that do not think of themselves as targets.
In December 2020, one of the largest attacks on corporate infrastructure in recent years came to light. Attackers embedded malicious code in an update to SolarWinds Orion - a monitoring platform used by thousands of organisations, including major US government agencies and technology companies.
The attack went undetected for months. That detail matters more than the scale.
How this differs from a normal breach
Most corporate security incidents are attacks aimed at you. A compromised account, a phishing email to an employee, exploitation of a vulnerability in your own infrastructure. You are the target.
The SolarWinds incident works differently. The target was a software vendor. Its development infrastructure was compromised in such a way that a legitimate update - one that customers downloaded and installed themselves, following normal procedures - already contained a malicious component.
From your organisation's perspective, you did everything right: you received an update from a trusted vendor and installed it through a standard process. The protection was bypassed not because you violated any rule, but because you trusted the chain.
Why this matters for companies that are "not targets"
The typical executive reaction is "this doesn't apply to us, we're small, there's no reason to attack us directly." For supply chain attacks, that logic does not hold.
If your business uses standard enterprise software - ERP, CRM, monitoring systems, accounting platforms - you are in the same chain. An attack on a widely used tool affects all of its customers simultaneously, regardless of their size or attractiveness as a direct target.
The SolarWinds attack was aimed at government bodies. But the technique itself - compromising a software update process - applies to any enterprise software vendor.
What this changes in practice
Before this incident, the standard security advice for businesses was "update your software regularly." That advice remains correct. But now another layer is added on top of it: understanding who makes that software and how.
A few practical questions worth asking about your key vendors:
- Does the vendor publish information about its development security practices - audits, certifications, vulnerability disclosure programmes?
- How will you find out if the vendor has an incident? Do they have a notification channel?
- What access does this vendor's software have to your infrastructure? Is it minimal?
- Can you isolate this vendor's systems from the most critical parts of your infrastructure?
This is not paranoia. It is a normal inventory of dependency chain risk.
What not to do
There is no need to panic and reject all third-party software - that is not realistic. There is no need to create a bureaucratic process for reviewing every update - that would make operations impossible.
What is needed is knowing which vendors have the deepest access to your infrastructure, and giving them proportionate attention. The rule is simple: the deeper a system reaches into your infrastructure, the more it deserves questions about its own security.
SolarWinds is a reminder that trusting a vendor is not the same as understanding their reliability.