
Is your supply chain exposing your business to cyber risk?

Unfortunately, most companies don’t even know who their vendors and partners are

Most companies depend on a variety of external vendors and partners to support their business activities. These interdependent relationships form a complex third-party ecosystem, which can be an attractive target for cybercriminals.

Supply chains are already facing a potentially disastrous 2020 as all of the world’s countries work to stop the spread of Covid-19. But cybersecurity incidents also pose a grave problem for companies across global supply chains as more enterprises adopt digitised management systems.

Last year, information technology vendors in Saudi Arabia were targeted by a previously undocumented cyber espionage group known as Tortoiseshell. This threat actor was sneaking into the networks of IT service providers through supply chain attacks and its final goal was to steal confidential information from end customers.

Learning that your company’s defences have been breached is bad enough, but knowing the attack abused your trust is worse. This is what happens when a vendor or partner is weaponised against you. Unfortunately, most companies don’t even know who their vendors and partners are. Only 35 per cent of companies say that they can identify even their immediate third-party vendors, let alone their suppliers further down the chain.

While the security industry has made significant progress in thwarting generalised email attack campaigns, more directed business email compromise (BEC) attacks are harder to detect and are increasing in virulence.

To some degree, though, protection begins at home, and there are some steps companies can take to protect themselves from some obvious supply chain email attacks:

• Secure email communication to effectively defend your company against BEC and email account compromise (EAC) attacks (the latest FBI figures show BEC losses at $1.7 bn in 2019)

• Implement email authentication and dynamic imposter detection to get visibility of the security journey your own supply chain is on

• Understand your human attack surface and quantify risk. Identify your most vulnerable employees and deliver targeted awareness training so they become your best line of defence against social engineering attacks

Regardless of the effectiveness of current defences, supply chain security requires more data and service integration than companies typically deal with on their own.

The dynamic nature of modern supply chains means that the days of simple whitelists, blacklists, and custom routing rules are numbered.

The next frontier is to take the defence from your perimeter and apply it to your full set of vendors and partners.

Emile Abou Saleh is the regional director, Middle East, for Proofpoint
