Supply Chain Attacks on the rise

Enterprise Security Practices for Exchange and Office365

Our level of protection is as good as that of our partners and suppliers

The last couple of years, and especially 2021, have been marked by several huge attacks on service providers and vendors. Some of the most notable ones are the attacks on SolarWinds, Mimecast and Kaseya. Year 2021 has been extremely productive for supply chain attackers – over 66% of the confirmed attacks for the last 2 years were executed in 2021, which is a 100% growth compared to 2020.

In Wikipedia you will find the following definition of a supply chain attack: “a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.” This formulation is a bit general, so let’s try to put it more precisely.

Whitelisting as security vulnerability

Businesses around the world depend on their ability to interact with each other, partner, provide goods and services. In the last couple of decades, most of these processes run over digital channels. As most security constrains could affect business processes, companies often prefer to trust/whitelist their closest partners/suppliers/customers to loosen security measures for them. However, whitelisting can result in a certain exposure that is unpredictable, out of our control and extremely difficult to manage.

Breaching software vendors and service providers is becoming increasingly attractive, due to the simple fact, that a successful attack can give cyber criminals access to many customers who “trust” these suppliers/vendors.

A customer shared with us more than 2 years ago: “We implement numerous technologies and processes to ensure our data and assets are secured. But lately, it turns out that our level of protection is just as good as that of our partners and suppliers. And when the company decides we should put them in the trusted/whitelisted category, we are completely blindsided and exposed”.

Keep suppliers in check

There are already several approaches for companies to minimize the risk of breaches through their suppliers. GDPR encourages organizations to ensure that not only they comply with data privacy, but also their suppliers. This is done through a series of evaluations called Vendor Assessments. These are here to stay, and they increasingly include issues that relate not only to personal data, but also to general cyber security measures.

At the same time, more and more companies are exploring how they can apply technological security measures to the so-called trusted/whitelisted partners and suppliers without too much disruption to business processes and flows.

At GBS, we have developed an advanced technology that combines the right features and the flexibility to achieve this for your email communication. And yes, it is available for both On-Prem and Office 365 customers.

Author: Pavel Yosifov