Back to Blog
Cybersecurity8 min read

Third-Party Software Breaches Doubled Last Year — and Canadian SMBs Are in the Crosshairs

By Anton Kuznetsov

The attack didn't come through your email. It didn't start with a phishing link or a guessed password. It came through a software update from a vendor you'd trusted for years — a file transfer tool, a remote monitoring agent, a payroll integration.

That is the defining characteristic of a software supply chain attack: it exploits trust. And according to the Verizon 2025 Data Breach Investigations Report, third-party involvement in confirmed breaches doubled from 15% to 30% in a single year — the largest single-year shift in the report's eighteen-year history.

For Canadian SMBs, that number matters. Your security posture is no longer limited to what you control directly. It extends to every software vendor, SaaS platform, managed service provider, and open source library in your stack. The CCCS National Cyber Threat Assessment 2025-2026 is explicit: attacks against digital supply chains will almost certainly continue over the next two years, and vendor concentration — over-reliance on a small number of technology providers — is one of the defining trends shaping Canada's threat landscape.

What a Software Supply Chain Attack Actually Is

A software supply chain attack occurs when a threat actor compromises software before it reaches you — at the vendor, in the build pipeline, or inside an open source package your application depends on.

The attack types vary:

  • Compromised software updates: A threat actor inserts malicious code into a legitimate software release. Your systems install it as part of a routine update. The SolarWinds attack in 2020 followed this pattern; so did the XZ Utils backdoor discovered in 2024, which nearly compromised SSH authentication across Linux distributions globally.
  • Malicious open source packages: Attackers publish packages to npm, PyPI, and other public registries with names designed to mimic legitimate libraries (typosquatting) or with malicious code injected into dependency chains. In 2025 alone, Sonatype identified more than 454,600 new malicious open source packages — bringing the cumulative total to over 1.233 million across major registries, a 75% year-over-year increase.
  • Managed service provider compromise: Threat actors target MSPs and IT service providers to gain access to multiple client environments simultaneously. A single MSP compromise can affect dozens or hundreds of downstream organizations because MSPs typically hold privileged access to client systems.
  • Third-party integration exploitation: SaaS platforms and integrations your organization uses — accounting software, HR systems, document management tools — are attacked directly. When the software provider is breached, attacker access follows the trusted connection into your environment.

What Happened in Canada

The Canadian example most Canadians remember is MOVEit. In May 2023, the CL0P ransomware group exploited a zero-day vulnerability in Progress Software's MOVEit file transfer application. The Nova Scotia provincial government was among the affected organizations. According to CBC News, at least 100,000 current and former government employees had personal data exposed — including social insurance numbers, banking details, home addresses, and health card numbers.

The Nova Scotia Privacy Commissioner's subsequent investigation found that the government did not have reasonable security practices in place before the breach, and that retaining unnecessary records in the system significantly worsened its scope. Nova Scotia was not unique — the MOVEit vulnerability affected more than 2,700 organizations globally, exposing approximately 93.3 million individuals' data.

What made this a supply chain attack — not a direct attack — is that most affected organizations did not misconfigure MOVEit. They were compromised because the software itself had an unpatched vulnerability, and they had no real-time visibility into whether their vendor had applied the fix.

Why the Attack Surface Is Growing

Three trends are expanding the software supply chain attack surface for Canadian SMBs simultaneously.

Open source consumption has exploded. Sonatype's 2026 State of the Software Supply Chain Report found that open source downloads across the four largest registries reached 9.8 trillion in 2025 — a 67% year-over-year increase driven by AI-accelerated development and build automation. More downloads means more exposure to malicious packages. Over 99% of open source malware in 2025 occurred on npm alone.

State-linked actors are actively targeting open source ecosystems. The 2026 Sonatype report attributed a campaign of 234 malicious npm and PyPI packages to the Lazarus Group, the North Korea-affiliated threat actor. The campaign represented a strategic shift from simple credential theft to five-stage payload chains combining droppers, data exfiltration, and persistent remote access.

The CCCS has specifically identified Russian supply chain targeting of Canadian organizations. The CCCS NCTA 2025-2026 notes that Canada is very likely a valuable espionage target for Russian state-sponsored actors including through supply chain compromises, given Canada's NATO membership, support for Ukraine, and Arctic presence. Public and private sector organizations in Canada — not just government — are explicitly identified as vulnerable to global supply chain compromises by Russian cyber threat actors.

What Makes Supply Chain Attacks So Expensive

According to the IBM Cost of a Data Breach Report 2025, supply chain compromise costs $4.91 million USD on average and takes 267 days to identify and contain — the longest detection and containment cycle of any initial attack vector. The global average breach lifecycle across all attack types was 241 days.

The reason for the extended timeline is structural: by the time a supply chain compromise reaches your environment, it has already passed through a trusted relationship. Your endpoint detection tools watch for anomalies, but the malicious code arrived through a signed update from a vendor your systems are configured to trust. Standard detection signatures do not flag it as suspicious.

The extended dwell time translates directly to cost. Every day an attacker remains inside your environment is a day of potential data exfiltration, credential harvesting, and lateral movement toward higher-value systems.

What the CCCS Expects Canadian Organizations to Do

The Canadian Centre for Cyber Security has published two guidance documents specifically addressing this risk.

[ITSAP.00.070 — Cyber supply chain security for small and medium-sized organizations](https://www.cyber.gc.ca/en/guidance/cyber-supply-chain-security-small-medium-sized-organizations-itsap00070) provides SMB-specific guidance on identifying, assessing, and mitigating risks in your software and ICT supply chain. It aligns with the CCCS Baseline Cyber Security Controls (ITSM.10.089), meaning organizations that have completed a baseline security review already have the foundation in place.

[ITSM.10.071 — Protecting your organization from software supply chain threats](https://www.cyber.gc.ca/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071) addresses the technical controls organizations should implement: enhanced network monitoring and logging to detect unusual behaviour from software that has legitimate network access; an incident response plan that covers supply chain compromise scenarios; and regular employee training on software security risks.

In September 2025, the CCCS joined CISA and 19 international partners in publishing A Shared Vision for the Software Bill of Materials (SBOM) for Cybersecurity. An SBOM is a formal list of all software components and their dependencies in an application — the ingredients list for your software stack. The joint guidance encourages organizations to begin requiring SBOMs from software vendors and incorporating SBOM review into procurement decisions. For organizations running custom-built applications, generating an SBOM is a foundational step in understanding your actual exposure.

Five Practical Controls for Canadian SMBs

These controls address the most common supply chain attack vectors without requiring a dedicated security team to implement.

1. Maintain a software inventory. You cannot manage what you do not know. Document every software application, SaaS platform, and integration your organization uses — including the vendor name, what data the integration accesses, and when it was last reviewed. A software inventory is the prerequisite for every downstream supply chain security practice.

2. Apply vendor security scrutiny proportional to access. Vendors that hold privileged access to your network, your data, or your systems deserve more scrutiny than a signed contract provides. Before onboarding a new vendor with elevated access, ask for a SOC 2 Type 2 report, cyber insurance certificate, or evidence of a recent penetration test. Not every vendor will have all three, but the question signals that you evaluate supply chain security in your procurement process.

3. Apply patches rapidly — especially for internet-facing software. The MOVEit breach was exploited before most organizations were aware a vulnerability existed. Progress Software published the patch within days; organizations that applied it quickly limited their exposure. For software with internet-facing components, a 72-hour patch cycle is the practical standard. The CCCS baseline controls (ITSM.10.089) identify patch management as a foundational control.

4. Enable network monitoring to detect anomalous outbound traffic. Supply chain implants frequently exfiltrate data by making outbound connections to attacker-controlled infrastructure. Standard security logs capture this if logging is enabled and retained. Verify that your cloud environment and endpoint tools are generating logs — and that either alerts are configured for anomalous outbound connections, or someone is reviewing them regularly.

5. Include supply chain breach scenarios in your incident response plan. Most SMBs that have an incident response plan have not tested it against a supply chain compromise, where the breach vector is a trusted vendor's software rather than a direct intrusion. A tabletop exercise starting with "your accounting software vendor just disclosed a breach — what do you do?" will surface gaps in your response workflow before an actual event does.

The Regulatory Signal: Bill C-8

Bill C-8 — Canada's reintroduction of the Critical Cyber Systems Protection Act (formerly Bill C-26) — was before the Standing Committee on Public Safety and National Security as of early 2026. While the CCSPA's mandatory supply chain risk management requirements currently apply to designated critical infrastructure sectors (telecommunications, finance, energy, transportation), the legislation signals the direction of regulatory expectations for all Canadian organizations doing business within those sectors.

For SMBs in the supply chain of regulated industries — a software vendor serving a Canadian bank, a managed service provider supporting a telecom, a logistics firm serving federally regulated transportation — the regulatory pressure to demonstrate supply chain security controls is already arriving through contract requirements and procurement questionnaires, ahead of final CCSPA rules.

The controls in the CCCS guidance documents above are not novel requirements: they are the baseline practices that regulators, insurers, and enterprise customers are increasingly asking suppliers to demonstrate. Starting that work now reduces friction in every commercial relationship downstream.


Sources


Cloud Forces' Cybersecurity services help Canadian SMBs build vendor security assessment programs, implement the CCCS supply chain security controls from ITSAP.00.070, and establish the monitoring and incident response capabilities that reduce supply chain breach detection time. If you're unsure whether your current vendor list has been assessed for supply chain risk, book a free consultation to start with what you know — and identify what you don't.

Anton Kuznetsov
Founder & Principal Engineer

Anton Kuznetsov is the founder and principal engineer of Cloud Forces, the Toronto firm he started in 2018 to make custom software and AI practical and affordable for Canadian SMEs. He works hands-on across application development, cloud architecture, and the production systems Cloud Forces runs for its clients.

Ready to bring AI to your business?

Book a free AI Readiness Consultation — no commitment required.

Book Free Consultation