A Calgary accounting firm had multi-factor authentication, strong passwords, and a reputable antivirus solution. In late 2024, they were still breached — three weeks of quiet data exfiltration before anyone noticed.
The attackers didn’t target the firm. They targeted the firm’s document management software provider. Once inside that vendor, they used the existing trusted connection to access hundreds of client environments without triggering a single alarm.
Nobody picked their lock. Someone handed the attackers a key the firm didn’t know existed.
This is a supply chain attack. And it’s worth understanding, because it changes the question entirely. Most security conversations focus on what your business does — whether your passwords are strong enough, whether your team recognizes phishing emails, whether you have the right software running. Those things matter. But they don’t protect you from a vendor who made a worse decision than you did.
In 2025, 58% of SMB ransomware attacks originated from compromised third-party vendors. Not from weak passwords. Not from employees clicking the wrong link. From tools that had been granted access, passed every vetting check, and then became the entry point anyway.
The exercise that actually moves the needle: list every third-party tool or service with an active connection to your business systems. Your CRM. Your accounting platform. Your document management software. Your IT provider. Your payroll system. For each one, ask — if this vendor were compromised today, what data could an attacker reach through them? And how quickly would you know?
Most business owners haven’t done this. Not because they’re careless — because the industry has spent years talking about threats that walk through the front door, and not enough time talking about the ones that come through the service entrance.
The follow-up question for your IT or managed services provider: what do you do to monitor and vet the third-party tools that have access to our environment? A good answer includes specific controls — regular vendor reviews, least-privilege access policies, monitoring for unusual activity from integrated tools. A vague answer is worth noting.
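As an added example (not part of the original post), here is how the inventory exercise and the "monitoring for unusual activity from integrated tools" control can be made concrete in Python: a small vendor-access inventory that answers "what could an attacker reach through this vendor?", and a baseline check over integration service-account egress that flags the kind of sustained, quiet data transfer that went unnoticed for three weeks in the story above. Vendor names, systems and log lines are constructed placeholders.

```python
from collections import defaultdict
from statistics import mean

# Constructed inventory (placeholder vendor names): systems each integration
# is connected to and the data classes reachable through it.
VENDOR_ACCESS = {
    "doc-mgmt-vendor": {"systems": ["file-server", "email"], "data": ["client-tax-files", "pii"]},
    "payroll-vendor": {"systems": ["hr-db"], "data": ["sin-numbers", "bank-accounts"]},
    "crm-vendor": {"systems": ["crm"], "data": ["contacts"]},
}

def blast_radius(inventory):
    """Per integration: what an attacker could reach if that vendor were compromised."""
    return {v: sorted(set(a["systems"]) | set(a["data"])) for v, a in inventory.items()}

# Constructed daily egress (MB) per integration service account, oldest first.
EGRESS_LOG = [
    ("2024-10-01", "svc-doc-mgmt", 110), ("2024-10-02", "svc-doc-mgmt", 130),
    ("2024-10-03", "svc-doc-mgmt", 95), ("2024-10-04", "svc-doc-mgmt", 120),
    ("2024-10-05", "svc-doc-mgmt", 140), ("2024-10-06", "svc-doc-mgmt", 100),
    ("2024-10-07", "svc-doc-mgmt", 125), ("2024-10-08", "svc-doc-mgmt", 480),
    ("2024-10-09", "svc-doc-mgmt", 510), ("2024-10-10", "svc-doc-mgmt", 495),
] + [("2024-10-%02d" % d, "svc-crm", mb)
     for d, mb in zip(range(1, 11), [20, 18, 22, 19, 21, 20, 23, 70, 22, 19])]

def flag_sustained_egress(log, baseline_days=7, factor=3.0, min_days=3):
    """Flag accounts whose daily egress stays above factor x their baseline mean for
    min_days consecutive days. Slow exfiltration shows up as a sustained step, so a
    single busy day (svc-crm on 10-08) is ignored. Returns {account: first day}."""
    per_acct = defaultdict(list)
    for day, acct, mb in log:
        per_acct[acct].append((day, mb))
    flagged = {}
    for acct, rows in per_acct.items():
        rows.sort()
        if len(rows) <= baseline_days:
            continue  # not enough history to baseline this account
        base = mean([mb for _, mb in rows[:baseline_days]])
        streak = []
        for day, mb in rows[baseline_days:]:
            streak = streak + [day] if mb > factor * base else []
            if len(streak) >= min_days:
                flagged[acct] = streak[0]
                break
    return flagged

if __name__ == "__main__":
    print(blast_radius(VENDOR_ACCESS))
    print("sustained egress:", flag_sustained_egress(EGRESS_LOG))
```

The baseline window, multiplier and streak length are deliberately simple knobs; the point is that a per-integration baseline exists at all, so that a vendor connection behaving differently from its own history is something you would know about in days rather than weeks.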
Security isn’t just what you do. It’s what you trust — and whether those two things are actually aligned. What’s one tool in your business stack that you’ve given access to your systems and honestly haven’t thought about from a security angle? If it’s something you feel you need to talk through, call or set up an appointment.