Phishing with supply chains


Is there a weak link in your supply chain? asks James Moore, senior consultant for Phish’d by MWR InfoSecurity

It’s understandable that criminals will usually be looking for the easiest way into your data systems – but has it ever crossed your mind that the weak link may lie within your supply chain?

The Financial Times recently highlighted the case of the US retailer Target whose database was compromised by a hacker who entered the system using permissions that were granted to a refrigeration and aircon supplier. The criminal stole the details of more than 70 million customers, which included the account information for 40 million credit card holders.

If you have straightened up your own act and policies – in terms of defending yourself against cyber attacks – you still have to look at the whole picture. It’s great if you’ve taught every single one of your own staff about suspicious emails and weak passwords – but it only increases the chance that hackers will choose to target and attack you via your supply chain.

You know that the companies in your supply chain hold your data. But do you know whether they protect it with the same care that you do? In the worst-case scenario, they hold all of your data but with none of your protection.

Sending the office manager an email from a known office supplier guarantees success! Lately, we have been seeing an increase in phishing emails that originate either from legitimate suppliers or from someone masquerading as a third party supplier.

With vast amounts of online information available on an organisation’s employees, the most common way to exploit company employees is with a phishing email that tempts their target to click on a link or attachment. These can be anything from promises of deals or offers to emails that claim to be invoices or banking statements.

Phishing assessments against employees have shown that as many as 60-90% of employees are susceptible to these attacks – effectively allowing an attacker to jump right over the traditional security controls that so many organisations are still heavily relying on.

So to protect yourself, you have to think like the hacker. For example, to target the office manager, you would send them an email from a known office supplier, with an almost certain chance of success. This is easy, particularly with a lot of this type of information available online. This MO is now making its way into the commercial world, where intellectual property can be lifted from your suppliers.

If your data is held on third party systems, it is just as much at risk as on your own network. You need to consider their cyber defences as deeply as you do your own.

How do you extend cyber security to the suppliers that you rely upon? Well, you can simply check that they have the essential phishing and security awareness in place. If you have to receive emails from third party suppliers, you should educate your own staff to look out for unusual emails. And, if you can extend this training to your suppliers’ staff, this will actually add an extra layer of protection.
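The "unusual emails" worth looking out for are those that borrow a supplier's identity without coming from the supplier's own domain. The following is an added example, not code from the article or from MWR InfoSecurity, of the kind of automated first-pass check a mail gateway or SOC script can run against inbound mail before a human ever sees it. It assumes a hypothetical allowlist of supplier domains and trading names (`KNOWN_SUPPLIERS`, constructed placeholders, not real companies) and flags display-name impersonation, typosquatted lookalike domains, a Reply-To that diverts replies elsewhere, and invoice-style lure wording from an unknown sender. The two sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: supplier domain -> trading name. Placeholders for this
# example only; a real deployment would populate this from procurement records.
KNOWN_SUPPLIERS = {
    "acme-office.example": "Acme Office Supplies",
    "coolair-hvac.example": "CoolAir Refrigeration",
}

# Vocabulary typical of invoice / statement lures described in the article.
LURE_WORDS = ("invoice", "statement", "overdue", "click", "attached", "urgent")


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an address header value ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_email(raw_message: str) -> list[str]:
    """Return a list of findings for one RFC 822 message; [] means nothing unusual."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    sender_domain = domain_of(from_header)
    reply_domain = domain_of(msg.get("Reply-To", ""))
    findings = []

    if sender_domain not in KNOWN_SUPPLIERS:
        for known, name in KNOWN_SUPPLIERS.items():
            # Display name borrows a supplier's name while the address is foreign.
            if name.lower() in display_name.lower():
                findings.append(
                    f"display name claims '{name}' but sender domain is {sender_domain}")
            # Sender domain is one or two characters away from a real supplier.
            if 0 < edit_distance(sender_domain, known) <= 2:
                findings.append(f"sender domain {sender_domain} is a lookalike of {known}")

        # Lure vocabulary only matters when the sender is not a listed supplier;
        # genuine supplier invoices use the same words.
        body = msg.get_payload() if not msg.is_multipart() else ""
        hits = sorted(w for w in LURE_WORDS if re.search(rf"\b{w}\b", body, re.I))
        if len(hits) >= 2:
            findings.append(f"invoice-style lure wording from unknown sender: {', '.join(hits)}")

    # A Reply-To pointing elsewhere diverts the victim's answer to the attacker.
    if reply_domain and reply_domain != sender_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS_MESSAGE = """\
From: Acme Office Supplies <billing@acme-offlce.example>
Reply-To: accounts-desk@freemail-host.example
Subject: Overdue invoice 4471

Please find attached your overdue invoice. Click the link to pay today.
"""

LEGITIMATE_MESSAGE = """\
From: Acme Office Supplies <accounts@acme-office.example>
Subject: Invoice 4471

Please find attached your invoice for last month's order.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, assess_email(raw) or ["no findings"])
```

The checks deliberately key on the relationship between display name, envelope domain and Reply-To rather than on any single header, because that relationship is what a masquerading third party has to break; the allowlist is the one piece of knowledge the attacker does not have. Matches should route to the reporting channel the article recommends, not block silently, so that the incident response process and user reporting habits are exercised.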

Testing through phishing is extremely useful: it permits you to analyse your business-wide susceptibility; it helps to sharpen your incident response processes and encourage users’ reporting of real-world phishing to IT; it tests password policies; and it helps you to understand your supply chain vulnerabilities too.

When considering cyber security, there tends to be a greater emphasis on the latest technology or programmes, which are constantly evolving and updating, but practical employee security awareness training needs to happen periodically in addition to the traditional awareness training most organisations already use.

Neglecting this human element can prove dangerous, because when you take away the technology element, only people are left to target. In this modern world of omnipresent connectivity and constant communication, your systems are only as strong as the weakest link – and that may very well be in your supply chain.