A lot of companies have invested time and money in better cybersecurity through stronger authentication, keeping computers up to date and providing awareness training to everyone in the company. If you have done this at your company – congratulations, you have come far! Unfortunately, hackers can hurt you even if your own company has a strong cybersecurity posture; sometimes your supplier is the weakest link.
The key account manager that got hacked
You work in a company that sells machine parts to the construction industry, MotorParts Group. You like your job, and the company feels modern, having invested in technologies that let you work from anywhere, anytime. You also have great cybersecurity, with two-factor authentication everywhere and an IT department that keeps your gear up to date and safe to use. One of the things you do at work is maintain relationships with suppliers and negotiate deals for buying machine parts from producers. One of the companies you deal with is GiantCorp Inc. You especially enjoy the contact you have with them: Mr. Smith, the “key account manager” at that company, is a nice guy, easy to deal with, and knows how to reach a reasonable deal. You exchange emails with him on a weekly basis. This supplier has never caused a problem.
One day you receive an email from Mr. Smith saying that they are in the middle of changing their banking and ERP systems, and asking you to please update the account number for future bills. “OK”, you respond, and then do nothing. When the next bill comes, your finance department calls you: “We got this invoice from GiantCorp, it has a new account number, do you know if this is real?”. “Sure, Smith told me about it last week, I just forgot”. The accountant then transferred € 1.5 million to the wrong account.
What really happened here?
- Mr. Smith received a phishing email that took him to a fake login page and tricked him to give up his password
- The login didn’t work and the page looked a bit weird, but he didn’t know what to do about it or whom to report it to. Then he thought nothing more of it.
- The following month, all of Mr. Smith’s customers stopped paying their bills. Or so it seemed.
- The hackers had used access to Mr. Smith’s email to communicate with all his key contacts. The same username and password, with no second factor to stop them, also let them log into the invoicing program used by GiantCorp and change the account number on the invoices sent to Mr. Smith’s customers.
Is this a cyberattack? Yes, it is. Was the purpose data theft? No, the purpose was to steal money. Note that the money was stolen from MotorParts Group even though the attackers exploited no weakness in MotorParts’ own IT systems, and its staff were well aware of social engineering threats; the accountant was even suspicious of the account number change. The check still failed, because the change was confirmed through the very channel the attackers controlled: the email relationship with Mr. Smith. They were scammed because they trusted Mr. Smith, and the company he worked for was not so mature. This is a common problem; the supply chain is part of your attack surface, but it is normally outside your control when it comes to securing technology and training people.
Supply chain security recommendations
- Assess cybersecurity maturity as part of vendor selection. Don’t use vendors that have very poor cybersecurity performance.
- On changes of credit card number, payment processors, account numbers, and similar “close to money” information, ask for confirmation through a separate channel, such as a phone call to a number you already have on file. Never use a phone number or address supplied in the same email or invoice that announced the change; if the sender’s mailbox is compromised, those details belong to the attacker.
- Make it part of your requirements to vendors that they follow some basic cybersecurity rules, such as multi-factor authentication on email and business applications, a way for employees to report suspected phishing, and security awareness training for everyone.
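The out-of-band confirmation recommended above can be enforced as a payment control rather than left to memory. The following Python sketch is an added example, not code from the original post or from any of the companies in the story: it compares each invoice against a vendor master record, holds any invoice whose bank account changed, and only releases it when the confirmation was made by calling the number already on file, not a number taken from the invoice or email. The vendors, invoices, account numbers and phone numbers are all constructed for illustration.

```python
"""Payee-change guard for accounts payable.

Added example: models the control "confirm money-related changes through a
separate channel, using contact details you already hold". An invoice whose
bank account differs from the vendor master is held; a confirmation made by
dialling a number that arrived with the suspicious invoice proves nothing,
because a compromised sender mailbox means the attacker chose that number.
All data below is constructed for illustration (not real IBANs or phones).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    PAY = "pay"
    HOLD = "hold: payee details changed, verify out of band"
    REJECT = "reject: verification failed or used an in-band contact"


@dataclass(frozen=True)
class Vendor:
    name: str
    iban: str            # account number held in the vendor master
    phone_on_file: str   # captured at onboarding, independent of recent email


@dataclass(frozen=True)
class Invoice:
    vendor: str
    amount_eur: float
    iban: str
    # Contact printed on the invoice or in the covering email. If the
    # sender's mailbox is compromised, this is attacker-controlled.
    callback_phone: Optional[str] = None


@dataclass(frozen=True)
class Verification:
    """Record of the confirmation call the accountant actually made."""
    phone_dialled: str
    confirmed: bool


def normalise_iban(iban: str) -> str:
    """Strip spacing differences so a cosmetic reformat is not a 'change'."""
    return iban.replace(" ", "").upper()


def check_invoice(vendor: Vendor, invoice: Invoice,
                  verification: Optional[Verification] = None) -> Decision:
    """Decide whether an invoice may be paid.

    Unchanged payee details: pay. Changed details: hold until a confirmation
    exists, and accept it only if it was obtained via the number on file.
    """
    if normalise_iban(invoice.iban) == normalise_iban(vendor.iban):
        return Decision.PAY
    if verification is None:
        return Decision.HOLD
    # Calling the number that came with the changed invoice is an in-band
    # check: the attacker supplied it. Only the number on file counts.
    if verification.phone_dialled != vendor.phone_on_file:
        return Decision.REJECT
    return Decision.PAY if verification.confirmed else Decision.REJECT


# Constructed sample data mirroring the story (not real identifiers).
GIANTCORP = Vendor("GiantCorp Inc.", "DE00 1234 5678 9012 3456 00", "+49 30 000 0001")
LEGIT_INVOICE = Invoice("GiantCorp Inc.", 42_000.0, "DE00123456789012345600")
CHANGED_INVOICE = Invoice("GiantCorp Inc.", 1_500_000.0,
                          "LT00 9999 8888 7777 6666", callback_phone="+1 555 0199")


def run_story() -> list:
    """Walk through the scenario; returns the decision at each step."""
    steps = [
        # Routine invoice, account unchanged: paid without friction.
        check_invoice(GIANTCORP, LEGIT_INVOICE),
        # New account number, accountant only has Mr. Smith's email: hold.
        check_invoice(GIANTCORP, CHANGED_INVOICE),
        # Accountant dials the number printed on the new invoice: rejected.
        check_invoice(GIANTCORP, CHANGED_INVOICE,
                      Verification(CHANGED_INVOICE.callback_phone, True)),
        # Accountant dials the number on file; real Mr. Smith denies it.
        check_invoice(GIANTCORP, CHANGED_INVOICE,
                      Verification(GIANTCORP.phone_on_file, False)),
    ]
    return steps


if __name__ == "__main__":
    for decision in run_story():
        print(decision.value)
```

In the story the accountant's question went to a colleague who relied on the attacker's email, which is the in-band path the `REJECT` branch refuses to accept. The `HOLD` result is the state the € 1.5 million transfer should have stopped in, and the real Mr. Smith answering the number on file would have ended it there.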