The digital age has brought radical change to many industries. And, as the world becomes increasingly connected, long and complex supply chains are common for companies of all sizes.
While connectivity has been good for international commerce, it also comes with elevated risk, particularly for the supply chain. Regardless of size or industry, cybersecurity threats have increased dramatically over the years. According to reports, there has been a 742% increase in software supply chain attacks over the past three years. Phishing campaigns, identity theft and email-based impersonation attacks are among the methods that have been all too successful, often with devastating effects on victim companies and individuals. Since large quantities of money and sensitive information travel along the supply chain, this is not surprising.
Best Practices For Security
While the threat of supply chain attacks is growing, there are basic steps that businesses can take now to mitigate risk. The key is to apply security measures across the entire supply chain and to regularly evaluate and refine them to ensure they remain effective.
The following are basic actions companies should take:
- Ensure that remote administrative interfaces used by service providers are secured. If usernames and passwords must be used, store them in a password manager and protect access to it with MFA, preferably passwordless MFA.
- Establish measurable quality standards and make sure your suppliers adhere to them. Ideally, suppliers themselves should also be required to have proper security measures in place.
- Ensure that only relevant parties have access to sensitive information.
- Ensure that remote interfaces and security credentials used by service providers are fully revoked at the end of the supplier-business contract.
- Vet all hardware and software before admitting it into your business network. Once added to the network, both should be continuously monitored for potential security risks.
- Keep software up to date.
- Implement multi-factor authentication (MFA) across devices and platforms. The goal is MFA 100% of the time, for 100% of your users.
More on Multi-Factor Authentication (MFA)
While all of the above measures are important, MFA is the first step recommended by experts like CISA to secure devices throughout the supply chain. It is also the easiest step.
Not All MFA is Created Equal
While multiple factors of authentication are better than one to help deter cybercriminals, there’s a difference between Traditional MFA and MFA that is Phishing-Resistant.
Unfortunately, cyberattacks targeting traditional MFA have become more frequent. Why? Usually because one of the factors (often a fallback) is phishable: a one-time code sent by SMS or generated by an app, or a push prompt, that a user can be tricked into typing into an attacker's look-alike site or approving on the attacker's behalf.
Let’s break it down: What are the “Multiple Factors of Authentication” in MFA?
MFA uses at least two of three types of factors:
- Something you know, such as a password, PIN, or response to a security question or prompt.
- Something you have, like a smartcard, key, physical token, or software certificate.
- Something you are, such as a fingerprint or facial scan.
Back to phishing-resistant MFA. To achieve it, the MFA cannot depend on "something you know" (a knowledge factor) or on any other shareable secret that is sent to the server, because anything a user can type or read out can be phished. One-time codes fall into this trap even though they come from "something you have": the code itself is a shareable secret, and an attacker who proxies the login page can relay it to the real site within its validity window. Phishing-resistant methods instead have the authenticator answer a server challenge with a cryptographic signature that is bound to the genuine site's origin, so a response captured on a look-alike site is useless to the attacker. Eliminating the password or shareable secret drastically reduces risk.
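The difference between a relayed one-time code and an origin-bound response is easiest to see in code. The simulation below is an added example written for this page, not TraitWare's code or any product's implementation. It assumes two constructed hostnames, the genuine site `rp.example` and a phishing site `rp-example.evil`, and uses an HMAC key shared between authenticator and site as a stand-in for the public-key signature a real FIDO/WebAuthn authenticator would produce; the origin-binding and credential-scoping logic is the point being demonstrated.

```python
"""Constructed simulation: a relayed TOTP code logs the attacker in, a relayed
origin-bound assertion does not. No network; everything runs in-process."""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

# ---- Traditional MFA: TOTP (RFC 6238) ---------------------------------------
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def otp_server_accepts(secret: bytes, code: str, now: int) -> bool:
    """The server can only check that the code is valid, not where it was typed."""
    return hmac.compare_digest(code, totp(secret, now))

def phish_totp(now: int = 1_700_000_000) -> bool:
    """User on rp-example.evil (constructed) types the code; attacker relays it."""
    secret = secrets.token_bytes(20)               # shared with the app at enrollment
    typed_on_phishing_site = totp(secret, now)     # the user's phone shows this code
    return otp_server_accepts(secret, typed_on_phishing_site, now)   # attacker is in

# ---- Phishing-resistant MFA: origin-bound challenge/response (WebAuthn model) -
RP_ID = "rp.example"                  # constructed relying-party ID
RP_ORIGIN = "https://rp.example"      # the only origin the site will accept

def origin_in_scope(origin: str, rp_id: str) -> bool:
    """Browser rule: a credential is usable only from its RP ID's domain or a subdomain."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

class Authenticator:
    """Holds credentials scoped to an RP ID. HMAC stands in for the per-credential
    private key of a real authenticator (assumption for this example)."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id: str):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[cred_id] = (rp_id, key)
        return cred_id, key

    def get_assertion(self, cred_id, challenge, browser_origin, enforce_scope=True):
        rp_id, key = self.creds[cred_id]
        if enforce_scope and not origin_in_scope(browser_origin, rp_id):
            raise PermissionError("credential is not scoped to " + browser_origin)
        # The browser, not the page, supplies the origin the user is really on,
        # and it is covered by the signature.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.keys, self.pending = rp_id, origin, {}, set()

    def enroll(self, cred_id, key):
        self.keys[cred_id] = key

    def new_challenge(self) -> str:
        ch = secrets.token_urlsafe(32)
        self.pending.add(ch)
        return ch

    def verify(self, cred_id, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") not in self.pending:
            return False                      # unknown or replayed challenge
        if data.get("origin") != self.origin:
            return False                      # signed on the wrong site: the relay shows
        self.pending.discard(data["challenge"])   # single use
        expected = hmac.new(self.keys[cred_id], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def webauthn_scenarios() -> dict:
    auth, rp = Authenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    cred_id, key = auth.register(RP_ID)
    rp.enroll(cred_id, key)
    results = {}
    # 1. Legitimate login from the genuine origin.
    ch = rp.new_challenge()
    results["legit_login"] = rp.verify(cred_id, *auth.get_assertion(cred_id, ch, RP_ORIGIN))
    # 2. Phishing: attacker proxies the real challenge to the user on rp-example.evil.
    ch = rp.new_challenge()
    try:
        auth.get_assertion(cred_id, ch, "https://rp-example.evil")
        results["browser_refused"] = False
    except PermissionError:
        results["browser_refused"] = True     # browser never offers the credential
    # 3. Even if scoping were bypassed, the signed origin gives the relay away.
    cd, sig = auth.get_assertion(cred_id, ch, "https://rp-example.evil", enforce_scope=False)
    results["relay_accepted"] = rp.verify(cred_id, cd, sig)
    return results

if __name__ == "__main__":
    print("TOTP relay logs attacker in:", phish_totp())
    print("WebAuthn-style scenarios:", webauthn_scenarios())
```

The TOTP server has no way to tell that the code was typed into the wrong page, so a real-time proxy defeats it. The origin-bound design fails the attacker twice: the browser refuses to use a credential outside its RP ID's scope, and even a response obtained on the look-alike origin carries that origin inside the signed data, so the genuine site rejects it.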
Fortunately, real passwordless phishing-resistant MFA is not only more secure, it also simplifies login: there is nothing more to remember (or forget) and nothing shareable or phishable, and it is easier to deploy, use and maintain. Passwordless also reduces IT support costs.
Centralized MFA vs. Disparate Systems
The other aspect of MFA to consider is whether it is centralized. In other words, does each application require a separate "key" or set of credentials? Combining MFA with Single Sign-On (SSO), for example, gives admins and users access and controls from a single console. This not only vastly improves user experience (and therefore adoption) but also enhances security, because the organization can verify that MFA is in use and enforced 100% of the time for all users.
The benefits of phishing-resistant passwordless centralized MFA across supply chains are many.
For more information on TraitWare’s Passwordless Phishing-Resistant MFA+SSO, please reach out at any time.