Every chain is only as strong as its weakest link, and the same applies to the security of your supply chain. No business can function without suppliers, from the smallest firm to the global enterprise, and while you can invest in the best security technologies and practices, your suppliers can still leave big gaps in that security.
These days most suppliers are service providers for a business function or process such as email, HR, payroll, accountancy, legal or IT. They effectively become an extension of your business: many hold personal information on your staff as well as critical business information, and some have access to your networks or to your software through the updates they push, so if they are compromised, you could be too. A malicious insider at a supplier can also cause problems on a massive scale, in the same way that a corrupt mechanic at a car dealership could clone your car keys and pass them to other criminals along with your address.
Criminals don't need someone on the inside, though; they only need to trick you into believing that they are your supplier. The main way of doing this is to phish one of the supplier's users for their email credentials. Once they have those, they have access to the address book and the historical emails, which lets them craft near-perfect messages and even call or text you as part of the deception. Because the message really is sent from the supplier's mailbox, the sender address, the signature and even the technical checks on the sending domain all look genuine, so you have to judge the message itself. So, how do you spot a fraudulent email from a compromised but legitimate supplier account? Firstly, look at the tone. Is it overly polite, starting with "Dear" when they never say this, or is it unusually short and sharp? Next, look at the content. Is there a link to a file-sharing platform that you do not normally use between you? Are the links shortened with something like bit.ly or goo.gl, which they have no reason to use? Is there an attachment that needs macros enabled, or one that contains nothing but a link to a file-sharing platform? Once again, these are dubious work practices that a genuine supplier would not normally follow.
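Those red flags can be turned into a first-pass triage check that runs over incoming mail before anyone acts on it. The script below is an added example written for this page; it is not from the article or from the author's book. The supplier baseline (what their genuine mail normally looks like), the lists of shortener and file-sharing domains, and both sample messages are constructed for illustration and would need replacing with what your own mailbox actually contains.

```python
"""Heuristic triage of a supplier's email against the red flags listed above.

Added example, not from the original article. The supplier baseline, the
domain lists and both sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Illustrative lists: extend them with what your own mail actually contains.
SHORTENER_DOMAINS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
FILE_SHARE_DOMAINS = {"sharepoint.com", "onedrive.live.com", "dropbox.com",
                      "wetransfer.com", "drive.google.com", "box.com"}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")

# Constructed baseline for one supplier: how their genuine mail normally looks.
SUPPLIER_BASELINE = {
    "opens_with_dear": False,              # they never start with "Dear"
    "known_share_domains": {"sharepoint.com"},
    "min_body_words": 15,                  # their mail is never a one-liner
}


def hostname(url: str) -> str:
    """Lower-cased host of a URL with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def in_domains(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw: str, baseline: dict = SUPPLIER_BASELINE) -> list:
    """Return the red flags found in one RFC 5322 message (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    words = text.split()
    first_line = text.strip().splitlines()[0].lower() if words else ""

    # Tone: an unusual formal greeting, or a message far shorter than usual.
    if first_line.startswith("dear") and not baseline["opens_with_dear"]:
        flags.append("tone: opens with 'Dear', unlike this supplier's past mail")
    if len(words) < baseline["min_body_words"]:
        flags.append(f"tone: unusually short body ({len(words)} words)")

    # Content: shortened links, and file-sharing platforms this supplier never uses.
    for url in URL_RE.findall(text):
        host = hostname(url)
        if in_domains(host, SHORTENER_DOMAINS):
            flags.append(f"link: shortened URL via {host}")
        elif in_domains(host, FILE_SHARE_DOMAINS) and not in_domains(
                host, baseline["known_share_domains"]):
            flags.append(f"link: unfamiliar file-sharing platform {host}")

    # Attachments that need macros enabled before they do anything.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            flags.append(f"attachment: macro-enabled file {name}")
    return flags


def build_suspicious_sample() -> str:
    """Constructed lookalike sent from a compromised supplier mailbox."""
    m = EmailMessage()
    m["From"] = "accounts@example-supplier.test"
    m["To"] = "ap@example-customer.test"
    m["Subject"] = "Updated invoice"
    m.set_content("Dear Sir,\nPlease see the attached invoice: https://bit.ly/3xyzabc\nRegards")
    m.add_attachment(b"PK\x03\x04 not a real workbook", maintype="application",
                     subtype="vnd.ms-excel.sheet.macroEnabled.12",
                     filename="invoice.xlsm")
    return m.as_string()


def build_normal_sample() -> str:
    """Constructed genuine message in this supplier's usual style."""
    m = EmailMessage()
    m["From"] = "accounts@example-supplier.test"
    m["To"] = "ap@example-customer.test"
    m["Subject"] = "March statement"
    m.set_content(
        "Hi Sam,\n\nThe March statement is in the usual SharePoint folder:\n"
        "https://example-supplier.sharepoint.com/sites/billing/March.pdf\n"
        "Shout if anything looks off, and thanks again for the quick\n"
        "turnaround on last month's query.\n\nCheers,\nPriya\n"
    )
    return m.as_string()


if __name__ == "__main__":
    for label, raw in (("suspicious", build_suspicious_sample()),
                       ("normal", build_normal_sample())):
        print(label, triage(raw) or ["no red flags"])
```

Run as a script it reports four flags for the constructed lookalike (formal greeting, short body, bit.ly link, macro-enabled attachment) and none for the genuine-style message. Deliberately, nothing here looks at the sender address or the authentication results: those are real when the supplier's own mailbox has been taken over, which is exactly why the content-based checks above are the ones that matter. Treat the output as a prompt to pick up the phone, using a number you already hold, rather than as a verdict.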
Remember, the responsibility for any data you give to a supplier or cloud service always stays with you. Put in place processes to verify any request for money or for a change of bank or account details through a separate channel, using contact details you already hold, before anyone acts on it. Don't rely on the telephone numbers in the email signature, as they may go straight to the criminal. In the meantime, politely ask your suppliers to enable two-factor authentication on their email systems, since that is what stops a phished password from handing over the mailbox in the first place.
Read more practical, no-nonsense advice in Nick Ioannou’s book, A Practical Guide to Cyber Security for Small Businesses.
About the Author:
Nick Ioannou is an IT professional, blogger, author and public speaker on cloud and security issues, with over 20 years' corporate experience, including 15 years using cloud/hosted software-as-a-service (SaaS) systems.
He started blogging in 2012 on free IT resources (http://nick-ioannou.com), currently with over 400 posts. He is the author of Internet Security Fundamentals and a contributing author of two books, Managing Cybersecurity Risk and the recently published Conquer The Web.
More free security advice and resources, and information on how to contact Nick, can be found at www.booleanlogical.com