Phishing, which is an attempt to deceive a victim so as to gain access to confidential information and/or distribute infected files, is nothing new. But it’s gotten worse.
According to the Verizon Business 2020 Data Breach Investigations Report, phishing was to blame for more than 67% of breaches—but that was before coronavirus. In March, phishing attacks rose 667%, and research has found that users are now three times more likely to click on a phishing link and enter their credentials than before the pandemic. These scams prey on people’s fears and can promise anything from discounted masks to information about stimulus payments.
The problem has also been exacerbated by remote working. Usually, companies use numerous methods to block phishing attacks, such as verifying the sender. Yet with so many employees working from home on their own devices, less controls are in place to guard against these attacks. Moreover, the problem is especially prevalent among small supply chain partners that often lack the necessary resources to implement adequate security measures.
How can you make sure that your suppliers avoid becoming victims of phishing attacks?
1. Assess Your Suppliers
It’s important to evaluate your suppliers in light of work-from-home policies and provide them with remediation plans to make sure that cyber gaps are closed. Doing so can help you pinpoint any problem areas, including susceptibility to phishing attacks. One way to do this is by using Panorays’ set of questions to assess your vendor’s security for working from home.
2. Check Employee Access.
Security teams should assess the amount and critical nature of the data employees have access to. You may have an HR manager interacting with unauthorized entities without having the right training to detect phishing. Therefore, organizations should restrict pathways to critical data to reduce the threat posed by an attacker gaining access to the corporate network.
3. Train and Test Employees.
Consider using a platform that tests employees by sending fake phishing emails to gauge responses. Effort should be focused on groups that are particularly at risk, such as HR, which regularly has access to unknown entities.
4. Enable Multi-Factor Authentication
MFA requires you to authenticate in order to proceed with a transaction. This way, even if your supplier falls prey to a phishing attack that steals a password, you can minimize the risk of a fraudulent transaction, since the attacker may not be able to succeed with the additional authentication factor.
5. Involve Everyone.
Cybersecurity shouldn’t stop at the door of the security team. It takes the participation of an entire company to secure a business, from the CEO to your newest recruit. All employees should undergo cybersecurity training and be taught how to spot phishing attacks. For example, employees should realize that they are more prone to phishing attacks from their phones, since they have less visibility into who sent an email than they do on a computer.
This is the first in a series dedicated to helping organizations guide suppliers with their cybersecurity, in honor of National Cybersecurity Awareness Month.
