10 ways to secure supply chains

Emile Abou Saleh, regional director, Middle East & Africa at Proofpoint shares the main steps companies can take to protect themselves from some obvious supply chain email attacks.
Proofpoint, Security, Supply Chain, Cybersecurity

Share

Concern is rising about supply chain security, and it’s time to take steps to defend against potentially devastating email attacks.

It’s every company’s all-too-real nightmare. You receive an email from your shipping company about a delay. After following a link, and logging into their portal, you see that no shipment was scheduled. You think it was a simple mistake and go to the next issue in your in-box. On average, it takes 197 days to detect that the link lead to an infiltration using your stolen credentials.

Learning that your company’s defenses have been breached (resulting in an average loss of $3.86 million per incident) is bad enough, but knowing the attack abused your trust is worse. This is what happens when a vendor or partner is weaponised against you. Unfortunately, this abuse pattern is so common that it is a top concern for most CISOs.

Supply chain cyber threats continue to be prominent risks for organisations globally and in order to prevent them, CIOs must employ proactive and intelligence-driven approaches as threat actors continue to favour creating third-party compromises.  Additionally, as companies don’t operate alone, trusted communication is a foundational business requirement. Even CISOs managing highly secure perimeters are increasingly concerned about a recent 78% increase of supply chain attacks. Furthermore, with an estimated 50% of attacks targeting supply chains, it’s time for static security models to evolve. Regardless of your company’s own security posture, the growing complexity of supply chains is forcing security beyond your borders.

Unfortunately, a growing number of breaches are being attributed to supplier vulnerabilities. Recently, information technology vendors in Saudi Arabia were targeted by a previously undocumented cyber espionage group known as Tortoiseshell. This threat actor was sneaking into the networks of IT service providers through supply chain attacks and its final goal was to steal confidential information from end customers.  With the vast majority of modern business conducted via the Internet, securing email is a key aspect of security.  Furthermore, according to 2019’s Data Breach Investigations Report (DBIR), there is a prevalence of social engineering and phishing attacks, which underscores the need for a people-centric approach to cybersecurity. .

While the security industry has made significant progress thwarting generalised email attack campaigns, more directed business email compromise (BEC) attacks are harder to detect and are increasing in virulence. And since email impersonating a trusted business partner is more likely to trick the target, it’s time to shine more light on the supply chain abuse vector.

Unfortunately, most companies don’t even know who all of their vendors and partners are. Only 35% of companies say that they can identify even their immediate 3rd party vendors, let alone their nth suppliers. Further, deep in the nth level supply chain are SMBs that are prime targets for cybercriminals.

To some degree, though, protection begins at home, and there are some steps companies can take to protect themselves from some obvious supply chain email attacks.

  1. Email Authentication – Authenticate and send email securely to enable partners to verify legitimate email.
  2. Email Verification – Enable inbound email verification to ensure email received from key vendors and partners is legitimate.
  3. Vendor Management – Catalog known vendors and partners, augmented by automated detection of trusted relationships (including “shadow IT” services).
  4. Protect Vulnerable Employees – Identify employees and departments with privileged access to bolster defenses (e.g. lookalike protection, web limitations, stricter quarantines).
  5. 3rd Party Contracts – Update contracts to address security requirements related to email security requirements.
  6. Cloud Protection – Evaluate your company’s use of cloud services and deploy cloud access monitoring and protection.
  7. Effective Off-Boarding – Add processes that address off-boarding to minimise long-term supply chain risk.
  8. Security Awareness Training – Employ security awareness training specifically focused on known suppliers.
  9. Gateway Protection – Configure inbound filtering and data loss prevention to enhance protection against vendor and partner impersonation.
  10. Incident Response Plan – Update your incident response plan to include your trusted supply chain.

Any company concerned about the state of supply chain email security is encouraged to engage their InfoSec and Risk teams to make the necessary plans. Regardless of the effectiveness of current defenses, supply chain security requires orders of magnitude more data and service integration than companies typically deal with on their own. The dynamic nature of modern supply chains mean that the days of simple whitelists, blacklists, and custom routing rules are numbered. The next frontier is to take the defense from your perimeter and apply it to your full set of vendors and partners.

Most Popular