Why Supply Chain Should Be A Security Concern

Julian Selz
Jan 9 · 5 min read

You’re only as strong as your weakest supplier


When you’re exploring a potential new partnership with a vendor, partner or supplier, there are a few key points you likely base your evaluation on. Price point, quality of the product or service, compatibility with your existing processes and systems, and so on. We’re willing to bet, however, that one area that doesn’t come up nearly so often is the security and cyber hygiene of the company itself.

This may be a common oversight, but it’s also a huge mistake, and one that will surely come back to bite you eventually. In the connected world in which we live and do business today, there are more ways than ever for malicious actors to gain access to your company’s inner workings. One of the easiest is to go through your suppliers.

Know Your Supply Chain

How could the company that sells you toilet paper end up being a major security risk to your entire operation? Generally, there are two major ways that this can present a risk to you: when an attacker compromises your supplier directly, and when an attacker poses as your supplier to compromise you.

Let’s take a look at the first one: when you give your supplier access to your procurement portal, ERP, or other internal system. What kind of information do you have housed in that system that you wouldn’t want cybercriminals or — often even scarier — your competitors to have access to? Payment information, internal contact details, secret ingredients…the list goes on.

Moreover, attackers very often need little more than a small foothold within a system to compromise that system in a much bigger way. In this way, access to your ERP could potentially result in gaining access to an employee’s workstation, or even an internal server, where attackers can then serve you with ransomware or steal your information with impunity. Even if you spend vast amounts of money each year on security for your organization, it’s likely that a supplier who has fewer resources would not, meaning that all someone has to do to get to you is go through that supplier.

That’s a lot of risk to put in the hands of someone whose security practices you’ve never vetted or confirmed. Of course, seeking to do so can present its own types of problems. In an ideal world, suppliers would give their customers real-time data on their cyber hygiene. Obviously, however, this is not an ideal world — and unless you’re a seriously heavy-weight company, no supplier is going to disclose their internal security processes (or lack thereof) in order to secure your business.

This is where our tools come in. We believe that analyzing a wide range of company endpoints can provide an accurate proxy for that company’s digital hygiene overall, which is why we designed our solution to let you run surface-level, non-invasive scans over the breadth of your supplier base, letting you know which companies have prioritized security in building their online presence — and which have not.

In general, our tools scan your partner companies across five major vulnerability categories: first-party exposure, third-party exposure, outdated software, business continuity and GDPR compliance. Taken together, each of these five categories can paint a detailed picture of how seriously a company takes its security, thereby granting you greater transparency into your entire supply chain.

We also protect you from accumulation risks — non-vulnerabilities which, taken in the aggregate, can present a risk to your supply chain as a whole. Let’s say for example that a majority of your suppliers use the same TMS. In the event that a zero-day exploit or ransomware attack were to become known for that specific version, you’d suddenly have a serious exposure across a critical mass of your suppliers, with major implications for your own ability to do business. Our tool gives you the ability to visualize those risks before it’s too late, allowing you to proactively plan for the worst before it ever has a chance to occur.

Of course, data without analysis is just numbers on a page. In order for those numbers to mean something to your business, you’ve got to be able to break them down and analyze them. That’s why we also give you your own personalized, interactive dashboards for your data to allow you to have the most actionable insight and visibility into your cyber supply chain.

Don’t Get Spearphished

So that accounts for the technical side of things. The second half of the equation is human-focused. As everyone who runs a company knows, even in the technology space our business is about relationships as much as it is about tech. The same goes for security.

If you think about where the vast majority of your interactions with your suppliers occur, you’ll probably think of email. It’s kind of the gateway to your entire supply chain. So in addition to letting you scan suppliers’ online presence as a proxy for their digital hygiene, CybrQ’s supplier email integration will help you make sure you’re looking after the human vulnerabilities in your supply chain as well. Here’s how it works.

Let’s say that Company A is Company B’s supplier. That means that the two companies are in frequent, legitimate communication. From a psychology perspective, that also means that employees from Company B are more likely to let their guard down when opening emails, attachments, or other information sent over by Company A. It’s just routine, right?

Fortunately, an algorithm doesn’t have those issues. Because we know who’s in your supply chain, we can train our proprietary machine learning classifier to work within the context of that digital supply chain. And that’s exactly what we’ve done.

Our classifiers run silently in the background, checking each message before you even open it and letting you know whenever they spot a red flag or cause for alarm. For example, you may not notice that an email which comes in, supposedly from your supplier Max, has actually originated from a slightly different domain than usual. Or that instead of Max@supplier.com, this email actually originated from Max@mail.supplier.com. Maybe it’s a legitimate message from his other account. Or maybe it’s someone trying to steal your data. In either case, your employee now has a chance to make an informed decision about that message rather than being caught unaware.
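The sender check described above, as an added illustration that is not CybrQ’s classifier or any code from the post: it compares an inbound address against the addresses a supplier has historically used and returns a verdict for the subdomain case (mail.supplier.com), a near-miss lookalike domain, and an unrelated domain. The supplier name and the baseline addresses are constructed for the example.

```python
# Constructed baseline: sender addresses each supplier has historically used.
# A real deployment would derive this from mail history; these values are made up.
KNOWN_SENDERS = {
    "Supplier Inc": {"max@supplier.com", "accounts@supplier.com"},
}

def registered_domain(domain: str) -> str:
    """Collapse 'mail.supplier.com' to 'supplier.com' (simple two-label heuristic)."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(supplier: str, address: str) -> str:
    """Return a verdict for an inbound address that claims to come from `supplier`."""
    address = address.lower()
    known = {a.lower() for a in KNOWN_SENDERS[supplier]}
    if address in known:
        return "known"
    domain = address.rsplit("@", 1)[-1]
    known_domains = {a.rsplit("@", 1)[-1] for a in known}
    known_regs = {registered_domain(d) for d in known_domains}
    if domain in known_domains:
        return "new-mailbox"        # same domain, unseen local part
    if registered_domain(domain) in known_regs:
        return "new-subdomain"      # e.g. mail.supplier.com instead of supplier.com
    if any(edit_distance(registered_domain(domain), r) <= 2 for r in known_regs):
        return "lookalike-domain"   # e.g. suppl1er.com, one character off
    return "unrelated-domain"

if __name__ == "__main__":
    for addr in ("max@supplier.com", "Max@mail.supplier.com", "max@suppl1er.com"):
        print(addr, "->", classify_sender("Supplier Inc", addr))
```

Anything other than "known" is a prompt for the recipient to pause and verify out of band, not an automatic block.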

According to a recent report from IT security company Mimecast, employees are an increasingly important layer of defense for organizations of all types, as rivals, criminals and opportunists seek to undermine supply chain capabilities or infiltrate their targets through less direct means. In other words, security is no longer something that can be solved just by the people in IT (if it ever really was), and just because someone works in procurement or warehousing or sales doesn’t mean that security is not a very real concern for them to be aware of. As enterprises and small businesses alike look for ways to remain competitive while trimming out costs and liabilities, cybersecurity within the supply chain needs to come into increasingly sharper focus.

That’s where we come in. Because as we always say: When you’re trusting your gut to make cybersecurity decisions, you’re either lucky or you’re wrong.
