3 information security and vendor risk management considerations during this time of crisis
By: Chris Luse, CISO, Proformex
1. Watch out for Business Email Compromise (BEC) attacks from your vendor/partners, as well as your customers.
- During a wide-ranging crisis such as this one, those working from home are particularly targeted by phishing campaigns, with the goal of capturing the credentials that employees use to access cloud-based email and productivity suites (such as Office365 and Gmail/Google Docs), or remote access to systems in general
- Successful credential theft allows the attacker to send email from a “trusted” source because the messages are, in fact, coming from the account which has been compromised
- Be wary of:
- Unexpected requests, particularly those involving a change in payment instructions
- Messages sent outside of normal business hours: attackers using stolen credentials will log in well outside of normal operational hours for the compromised account to help avoid detection
- Unusual or unexpected attachments, which may contain malware
- If you receive an email, or any communication, from what appears to be a trusted source but looks in any way suspicious, do not reply to the original message – reach out to the sender by a different means (a direct phone call is often best) and confirm the message
- Encourage your vendor/partners to enable multi-factor authentication for their cloud-based email and productivity suites (or any resources accessed remotely) to help defend against BEC attacks
Proformex has enabled extensive technical measures to defend against BEC attacks; for example, beyond simply authenticating our employees, remote access to Proformex systems is limited to Proformex-issued and approved devices.
2. Review your vendor/partners’ data protection processes and practices
- Confirm that data protection practices have not changed as their workforce transitions to remote work, or otherwise changed as result of recent events
- For example, during all points of the information lifecycle:
- Is data encrypted in transit?
- Is data encrypted at rest, particularly on portable endpoints, such as laptops and mobile devices, where data might now reside?
Proformex had previously implemented end-to-end encryption of data; this, and all other data protection practices, have not changed as a result of this crisis.
3. Contact your vendor/partners to gauge their expected availability during the crisis
- Confirm that they have engaged their business continuity plans
- Have contingency plans in place for alternatives to critical services that may not be available due to lack of personnel or the ability to work by remote
Proformex has seamlessly engaged our business continuity plan; all employees have transitioned to remote work without any interruption in service or support. Should you have any specific questions regarding our security protocols, please don’t hesitate to reach out and ask!