Most companies depend on a variety of external vendors and partners to support their business activities. These interdependent relationships form a complex third-party ecosystem called the supply chain.
Because of its complexity, the supply chain is an attractive target for cybercriminals. In this post, we’ll explore how the supply chain evolved, the risk the supply chain poses today and what companies can do to mitigate it.
The Evolution of the Supply Chain
Historically the term “supply chain” implied one company providing a good or service to another company who, in turn, provided a value-added good or service to another company and so on until a fully realized product is purchased by the final customer. In the modern sense of the term, a company’s supply chain is less linear and more interconnected. This extends beyond typical 3rd parties to all nth parties that are involved. Any business relationships between vendors, service providers, and other corporate partners, is considered part of a company’s trusted supply chain.
The Supply Chain Risk
Unfortunately, a growing number of breaches are being attributed to supplier vulnerabilities. In January 2019, Managed Health Services of Indiana announced that a phishing attack against a transportation vendor resulted in personal data for 31,000 patients being stolen. More recently, Wipro, one of the largest technology service suppliers in the world, was infiltrated in order to attack their customers. Again, the entry point was a phishing scam targeting Wipro employees, whose accounts were then weaponized against retail customers as part of a gift card fraud scheme.
While the security industry has made significant progress thwarting generalized email attack campaigns, more directed impersonation and business email compromise (BEC) attacks are harder to detect and are increasing in virulence. And given that email impersonating a trusted business partner is more likely to trick the target into taking an unauthorized action, it’s time to shine more light on the supply chain as an abuse vector.
To compound matters, most companies don’t even know who all of their vendors and partners are. Only 35% of companies say that they can identify even their immediate 3rd party supply chain, let alone their nth providers. And it’s important to think deeply about not just your big suppliers, but the small and medium-sized businesses (SMBs) as well. Deep in the nth level supply chain are SMBs that are prime targets for cybercriminals.
Devestating losses can happen when a vendor or partner is infiltrated and is then weaponized against you. And unfortunately, this abuse pattern is becoming so common that it now tops the lists of concerns for most CISOs.
How to Fight Back
Securing email communication to effectively defend your company against BEC and EAC attacks—which, according to the FBI, have cost businesses $26B between June 2016 and July 2019—is a key first step to mitigating supply your chain risk. Learn more about how to do it in this eBook.
Subscribe to the Proofpoint Blog