
Supply chain attack: what Odido and Blue Yonder teach your company

A supply chain attack affects not only the target, but also your business. Learn from Odido and Blue Yonder how to protect your supply chain.

Your company may have everything perfectly in order internally, but when a supplier gets hacked, you feel the blow just as hard. That’s exactly what makes a supply chain attack so insidious. In February 2026, the data of more than 6 million Odido customers was stolen through an external customer management system. A month earlier, Starbucks’ employee scheduling and payroll systems were down due to ransomware at their software provider Blue Yonder. In both cases, the cause was not the company itself, but a partner in the chain.

For Flemish companies working with external IT vendors, SaaS platforms and cloud solutions, the message is clear: your security is only as strong as the weakest link in your supply chain.

How a supply chain attack works: two recent examples

Odido: social engineering through a SaaS platform

The hacker group ShinyHunters penetrated Dutch telecom provider Odido in February 2026. Not through a brute-force attack on the firewall, but through social engineering aimed at customer service employees. Through phishing, the attackers obtained login credentials and then bypassed multi-factor authentication (MFA) by posing as internal IT employees over the phone.

The target? A Salesforce environment in which Odido managed customer data. The attackers extracted names, addresses, IBAN numbers, birth dates and even passport and driver’s license numbers from millions of customers. Salesforce had warned about exactly this method of attack shortly before.

Blue Yonder: ransomware with global implications

In November 2024, the ransomware group Termite completely shut down Blue Yonder’s managed services environment. Blue Yonder provides supply chain software to 46 of the 100 largest manufacturers and 76 of the 100 largest retailers in the world.

The consequences were enormous. At Starbucks, managers had to manually track baristas’ hours to ensure correct wage payments. At British supermarkets Morrisons and Sainsbury’s, deliveries of fresh produce were delayed. Termite claimed to have captured 680 GB of data, including e-mail lists and insurance documents.

Why your SME should be alert to this

“We’re not Odido or Starbucks,” you may be thinking. But it’s not about the size of your company. It’s about the software and services you depend on.

Consider the following questions. What CRM system do you use? Where does your accounting system run? Who manages your cloud storage? If one of those vendors gets hacked, what happens to your customer data, your billing or your production process?

The NIS2 legislation, in force in Belgium since October 2024, explicitly recognizes this risk. Article 21 requires organizations to actively manage their supply chain security. That means concrete risk assessments of your suppliers and demonstrable measures to mitigate supply chain risks.

Five steps to strengthen your supply chain security

1. Map your suppliers

List all external parties that have access to your data or systems. Think about your cloud provider, your accounting software, your HR platform and your managed service provider. Many companies underestimate how many vendors have access to sensitive company information.

2. Set security requirements for your suppliers

Ask your suppliers about their security measures. Do they work with MFA? Do they conduct regular pen tests? Do they have an incident response plan? You don’t have to be a security expert to ask these questions, but you should get the answers.

3. Limit access rights

Give vendors access only to what they strictly need. At Odido, attackers had access to millions of customer records through a single system. Good network segmentation and the principle of “least privilege” limit the damage if something does go wrong.

4. Prepare for the worst

100% security does not exist. Make sure you have an incident response plan that includes supplier outages. Starbucks survived the Blue Yonder crisis because they were able to quickly switch to manual processes. Does your company have a plan B if your main software vendor goes down?

5. Have your security tested periodically

A cybersecurity audit not only identifies your own vulnerabilities, but also the risks in your supply chain. An external pen test simulates how an attacker might penetrate through your suppliers.

Supply chain cybersecurity under NIS2: your responsibility grows

The Belgian implementation of NIS2 through the CyberFundamentals (CyFun) framework places additional emphasis on chain security. Essential entities must start conformity assessments by April 2026. But even if your company is not directly covered by NIS2, your customers can ask you about it as part of their own compliance.

Supply chain security is thus not only a technical issue, but also a commercial argument. Companies that can demonstrate that they take their supply chain seriously win the trust of customers and partners.

Protect your business with a targeted approach

At Cyberplan, we help Flemish companies strengthen their security, including the risks in their supply chain. Our ethical hackers test your infrastructure, applications and cloud environments for vulnerabilities before attackers do. After the audit, you receive a clear roadmap in plain language, with concrete steps you can implement right away.

Good news for SMEs: through the VLAIO SME portfolio, you receive a subsidy of up to 45% on cybersecurity advice and audits (small enterprises) or 35% (medium-sized enterprises).

Book a free consultation and find out how your company can protect itself against supply chain attacks.

Frequently asked questions about supply chain attacks

What is a supply chain attack?

A supply chain attack is a cyber attack in which criminals do not attack your business directly, but penetrate through a supplier, software partner or service provider. In this way, they gain indirect access to your systems or data. It is one of the fastest-growing threats in 2026.

Can an SME also be affected by a supply chain attack?

Yes, absolutely. Any organization that uses external software, cloud services or IT partners is at risk. The size of your business does not matter, but the software and services you depend on do.

What does NIS2 require around supply chain security?

NIS2 requires organizations to actively manage cybersecurity risks in their supply chain. That means assessing suppliers, laying down security requirements in contracts and reporting incidents within 24 hours. In Belgium, this is made concrete through the CyberFundamentals framework.

How do I test whether my vendors are secure enough?

Ask your vendors about their security certifications (such as ISO 27001 or CyberFundamentals), their policies around MFA and access management, and whether they regularly run pen tests. A cybersecurity audit by an outside party such as Cyberplan can also identify supply chain risks.

What does a cybersecurity audit cost for my SME?

Costs vary based on the size and complexity of your environment. For a company of about 60 employees, a thorough audit comes to about 4,700 euros. Through the VLAIO SME portfolio, you get a subsidy of up to 45% back on this.