Stop Doing Business with Cybersecurity Cheapskates


I live in a suburban city in Silicon Valley. Every year, at least one or two homes in my neighborhood get tented for termite fumigation. I've had to do my own home three times in the past 25 years. During that time, I've seen pretty much every house on my street tented at least once except for one a few doors down from me. Also, this particular house doesn't bother to mow their lawn, their driveway is overrun with weeds, and there are enough dead leaves and branches on their roof to make the entire neighborhood a fire hazard.

By now, you're probably wondering what any of this has to do with cybersecurity. I've got security cameras, smoke detectors, CO detectors, motion-activated lights, and a solid fence around my yard. Yet, no matter what I do to protect my own property, my neighbor will continue to be the weakest link in the security of my home. Until my neighbor kills off the termites that make their way from his walls to every house on my block, I'm going to need to keep tenting my house every 8-10 years. My smoke detectors may save my life, but they aren't going to save my home if an inferno starts from the dead leaves on my neighbor's roof.

Your supply chain is a bit like my neighborhood. Some of your suppliers take extreme pride in protecting their data and systems, while some of your suppliers are like my sloppy neighbor. Just as my neighbor's carelessness causes undue risk to my property, some of your suppliers place your business at risk.

Business Email Compromise schemes involving a compromised email account at a business partner have increased 2,300% since 2015. An ATO-based BEC attack begins when one of your suppliers has one of their corporate email accounts compromised, usually via phishing.

The attacker monitors your supplier's email communications for outgoing invoices. At this point, the attacker will either modify the invoice, changing the payment account details, or will send a follow-up email explaining that the first invoice should be ignored as it contained the wrong payment details. Eventually your angry supplier will be demanding payment, and the finger-pointing begins. Even if your supplier accepts responsibility, you'll spend many frustrating hours trying to resolve the issue. Worse, your email hygiene solution is unlikely to stop an email containing a crypted sandbox-aware weaponized document if that document is sent from a trusted business contact's compromised email account. Soon the invoices you send to your customers may be tampered with, and your incoming payments will get diverted to criminals.

I could complain to the city about my neighbor, in fact, my wife has on multiple occasions. Unfortunately, there are things you can't control in life, and my neighbor's behavior is one of those things. When it comes to your supply chain, here's where the analogy breaks down in a good way: You can (and should!) demand your suppliers implement an appropriate level of cybersecurity controls. You are, after all, the customer. Demand that your suppliers use multi-factor authentication on all of their email accounts. Demand that your suppliers use a state-of-the-art email security solution. Demand that your suppliers conduct phishing-awareness training and demand that your suppliers utilize a proven endpoint security solution. And if you see my neighbor, please tell him to clean up his act.

John Wilson
Field CTO

Sustaining Partners