Published studies warn of a 78% increase in cybersecurity attacks and incidents affecting the supply chain (Resilience 360 (DHL Consulting)). This finding should not be surprising, considering that everyone from cybersecurity analysts and researchers to the FBI has had to publicly warn of risks in the global supplier ecosystem.
In an attempt to mitigate cyber risk, many organizations, particularly those in the Fortune 500 with broad, global supply chains, have stepped up the way they screen new vendors. Organizations have demanded to know the cybersecurity protocols, processes and procedures of their partners and suppliers. From questionnaires that evaluate firewall policies, compliance certifications, and terminal protections, to forms that seek details about in-flight data policies, physical access controls, antivirus protections and more, the depth of the information requested is quite complete, or so it seems.
However, a number of questions are almost always absent from these vendor evaluations, such as: What is your human cyber risk score? How do you ensure the right level of cyber awareness for your employees? What is your email security strategy? The lack of attention to human cyber risk and email security is puzzling when you consider that nine out of 10 cyberattacks start with an email phishing campaign. It’s even more troubling when you understand how attackers have developed their attack strategies to subvert even the best-trained human and technical controls.
Large number of vendors enable thousands of attack vectors
According to CSO, more than 56% of organizations report being the victims of a breach caused by their supplier. This suggests that the motivations behind attacks on the supply chain are well understood.
Simply put, it is infinitely easier for attackers, regardless of their experience and financial backing, to exploit a small or medium vendor with limited cybersecurity safeguards as a means of damaging or disrupting a larger organization than to hack into the larger organization outright.
When neither humans nor technology can stop attacks
Unfortunately, the attackers are smart, and when an industry seems to be gaining traction, they rush to change course. That is exactly what is happening with today’s supply chain. As traditional attack techniques become more difficult to carry out, attackers have set their sights on the most effective attack vector the world has ever known: email.
In the last two years, a type of email threat has resurfaced that lacks all the identifiers that humans and most technology are trained to search for. Commonly known as business email compromise (BEC), these attacks trick users into taking actions, such as sending a payment or updating a credit card.
These “social engineering” attacks often take advantage of human nature by posing as executives or colleagues within a company. Because there are no malicious attachments or URLs, it is much more difficult for email security to identify and prevent that email from reaching its intended destination.
That said, the end goal is the same – once a recipient responds to the initial email, the door is open for a cybercriminal to send a link to a fake login page, similar to a traditional phishing attack.
Advances have been made to combat these attacks as their popularity and economic impact on businesses increase. The FBI estimates that more than $1.7 billion in losses arose from BEC in 2019 alone.
In particular, the use of phishing websites with fake login calls-to-action is gaining popularity due to ease of implementation and return on investment. In fact, Bolster reported more than 800,000 confirmed phishing websites in the first quarter of 2020 alone. Fake login phishing websites are especially problematic for the many email security tools that lack the visual anomaly detection capabilities needed to distinguish a fake login page from a legitimate one in real time.
Reducing risk requires a change in mindset as well as technology
So what is the supply chain supposed to do to reduce risk when attackers plan campaigns specifically designed to avoid detection?
We hope that advances in new tools will improve the level of cybersecurity and the ability to deal with the situation. In the meantime, however, it is key to maintain the alertness and training of employees throughout the supply chain.
But like anything else, the first step in solving a problem is admitting that it exists. For the supply chain, that means recognizing that the threats of yesteryear have taken a back seat to the risks of social engineering campaigns that are proliferating today. With that recognition, one would expect that questions about human cyber risk are already making their way into vendor security questionnaires. If we want to go a step further, implementing a human cyber risk management tool will be key to ensuring that the entire supply chain follows the same security standard.