Businesses have connections to other businesses, who supply them with goods, and whom they supply with goods ‘ both parts and software. If an attacker can breach any link in this chain, he can more easily attack other companies further down the chain. In many cases, a company has its own supply chain while simultaneously being part of the supply chain for other, probably larger, businesses. Every company has a duty to protect its customers from supply chain attacks while simultaneously taking action to prevent being a supply chain victim of its own suppliers.
Source: https://www.helpnetsecurity.com/2021/07/28/sme-supply-chain-attack/