At Nitec, we are fortunate to work with a small set of global suppliers that have excellent IT systems. However, most of our customers are in different boats; they have many suppliers, and those suppliers have varying degrees of IT maturity.
The two main factors that affect your chances of becoming a phishing victim are:
A. Whether or not you have Multi-Factor Authentication (MFA) enabled. This has been discussed at great length in my articles before, so if you aren't aware of it, firstly, welcome to my blog and secondly, have a quick browse around, and you will soon be up to speed.
B. Whether your suppliers have MFA enabled. I'm being trite here, but only a little.
How can you tell if someone has enabled MFA, and would they tell the truth if you asked? Your guess is as good as mine, but in my experience, people who are not using MFA correctly aren't doing much.
At Nitec, we use Security Scorecard to assess our security. Their supplier analysis is less crucial for us than it might be for some companies, given the size and nature of our supplier base. However, knowing the security profile of your supply chain is one of the most important things you can do to secure yourself.
Over the last year, we have worked with Security Scorecard to address issues they have flagged in our systems. Even over the next few months, we have plans to remove and replace systems that are coming to the end of life. It is fascinating how Security Scorecard can see into applications and spot signs of ageing. Nitec's security score ranks the highest among our peers in NI, across the water in the UK and the bigger pond in the US because we have worked hard to improve it.
The question today is: do you know your score? If you don't but are interested, we can discuss that with you, but better than that, you should consider taking a subscription yourself and analysing your supply chain.
The phishing emails that we get about Amazon parcels are one thing. Most of us have learnt to ignore these. However, the ones that come from the hacked mailbox of someone you know in your supply chain are so nuanced that even the very best and most security-conscious can get caught out, and the sums of money in our supply chain can be percentage points on our turnover. Losing sums like that can do life-changing damage to a business. The best way to secure yourself is to get a handle on the type of people you are dealing with, and Security Scorecard may give you a different perspective you had not considered before.
If you think about it, this is the core of the Cyber Essentials certification. The idea is that if the government have a public tender and one person in the tender has no security, everyone loses their data, so they use Cyber Essentials to ensure that people have some element of a shared security baseline to apply for the tender. You may not be able to demand that, but you can at least have the assessment of a third party to help get a handle on who you have chosen to deal with. Of course, you can always share the data with them and encourage them to improve and raise the game for everyone. If they fix it, great. If they don't, you should find a new partner.