Criminals will typically search for the easiest way into your data systems – is that weak link in your supply chain?
The Financial Times recently highlighted the case of Target, the US retailer, whose database was compromised by a hacker who entered the system using permissions granted to a refrigeration and aircon supplier. The criminal stole details of more than 70 million customers, including the account information for 40 million credit card holders.
If you have tightened up your own act – in terms of defence against cyber attacks – you still have to look at the bigger picture. If you’ve educated every one of your own staff about suspect emails and weak passwords, that’s great – but it only makes it more likely that hackers will choose to attack you through your supply chain.
The companies in your supply chain hold your data. But do they protect it with the same care that you do? Worst case scenario: they hold all of your data with none of your protection.
Send the office manager an email from known office supplier – guaranteed success!
We are seeing a rise in phishing emails coming either from legitimate suppliers or from someone masquerading as a third party supplier.
How do you protect yourself? You have to think like the hacker targeting your own network. For example, how would you target the office manager? You would send them an email from a known office supplier, with an almost guaranteed success. This is easy, particularly with a lot of this information available online, such as on your ‘Our partners’ webpage or LinkedIn profiles.
Originally seen with defence contractors and APT actors targeting companies for government intelligence, this MO is now extending into the commercial world where intellectual property can be lifted from your suppliers.
If your data is held on third party systems, it is just as much at risk as on your own network. You need to consider the cyber defences in place there, as thoroughly as you do your own.
How do you extend cyber security to the third party suppliers that you rely upon?
Well, you can phish them yourself or you can simply check that they have the necessary phishing and security awareness in place. If you need to receive emails from third party suppliers, you should train your own staff to look out for ‘unnatural’ emails. And, if you can extend this training to your suppliers’ staff, this will actually add an extra layer to your defences.
Testing through phishing is generally extremely useful: it enables you to analyse your business-wide susceptibility; it helps to sharpen your incident response processes and encourage users’ reporting of real-world phishing to IT; it tests password policies; and it helps you to understand your supply chain vulnerabilities too.
In this modern world of ubiquitous connectivity and constant communication, your systems are only as strong as the weakest link – and that link may very well be in your supply chain.