Supply chains are relationships of convenience and mutual benefit for businesses working together. But today, those relationships have turned those businesses into prime targets for cybercriminals. Their M.O. is simple: breach one company in a supply chain that has fewer IT resources and less awareness of cybersecurity needs, then use that breach to pivot to even bigger fish in the same pond. Cybercriminals will target enterprises that might be more prepared against an attack on their front door, but are less suspicious of one coming through the back door, under the guise of one of their partners.
Considering 70 percent of cyberattacks involve a secondary target after the first strike, it's easy to see how a breach at one supply chain partner can quickly bleed over to several others – without anyone realizing, until it's too late.
The #1 attack vector: Email
Over 90 percent of cyberattacks happen through email. Between September and November 2015 alone, more than half of organizations reported an increase in whaling attacks: malicious emails that deceive recipients into opening them by mimicking the credentials of executives like a CEO or CFO. This is even more problematic in the supply chain, where a whaling attacker can pretend to be an executive at a company's partner to ask for access, making it easier for the thief to pass as genuine.
Email is the number one attack vector for businesses today. But, many alternatives proposed for managing email threats – Web portals, email encryption or file sharing – are too cumbersome for employees to bother with. After all, email is so ubiquitous because it's quick and easy to use. Having additional hoops to jump through makes sharing information a chore, and one that supply chain partners could ignore in favor of email, in spite of its vulnerabilities.
Shielding yourself with a human firewall
You don't want to deny employees email as a communications tool. But, you also have to ensure everyone is keenly aware of the threats surrounding that channel. That's why the key to cybersecurity in the supply chain is to build a human firewall. It encompasses the best of both worlds: employees throughout the supply chain continue to use email, but share a foundation of awareness and information about the telltale signs of an email attack, like spear phishing or whaling. The more everyone is informed about what email attacks truly look like, the less likely they are to fall for one.
Deploying a sophisticated, multi-layered email security setup is also crucial for defending against email vulnerabilities. Building in that level of redundancy provides greater oversight of the messages, links, attachments or spoofed domain names that may be coming into someone's inbox – and flags them before an unsuspecting employee opens a Pandora's Box on the whole supply chain.
A supply chain is only as strong as its weakest link
Supply chain partners don't just share the same successes, they share the same risks, too. Every company within a supply chain has to prioritize and implement its own cybersecurity protections. Whether it's building up a human firewall of awareness or integrating a multi-layered email security system to catch threats before they come through the door, the more one partner reduces its vulnerability, the more it protects everyone in the supply chain. Otherwise, everyone is at risk, regardless of what other steps they may be taking individually.
Don't be the weak link in your supply chain. Protect yourself the way you expect and need your partners to protect themselves.
Ed Jennings is chief operating officer at Mimecast, a cloud-based email management firm.