Stay in the chain – steps to protect your domain
Who are your clients? And what about your clients’ clients? Go along the chain far enough, and you’ll hit a government organisation sooner or later.
Even if you don’t work directly with any government agency, your business is probably part of their supply chain. The US and UK governments have already mandated that every agency protect their domains with DMARC. In Europe the Digital Operational Resilience Act (DORA) will ensure all suppliers to government agencies take all steps to protect data. APAC won’t be far behind.
Why governments are clamping down on domains
Cyberattacks are one of the biggest threats to business, and over 90% of all successful attacks come in through email – it’s the one place information regularly flows in and out of an organisation.
Getting the basics right can help immensely, minimising any successful attacks and signalling that you’re not a soft target.
The challenge comes when you need to be aware of a whole ecosystem of suppliers and customers. Research suggests that half of all cyberattacks on businesses now get in through the supply chain, which makes sense. Even if your systems are watertight, a chink in the armour of any of these organisations puts you at risk. You’re as strong as the weakest security in your supply chain.
The issue is that very few organisations actually know who’s in their supply chain, what their cybersecurity is like and who has access to sensitive information. If any do map their supply chain, they rarely go beyond their direct suppliers. And, once suppliers are approved, they stay approved – there’s no established process of re-checking cybersecurity procedures and practices.
Even so, governments need those supply chains secured – so they’re making it our problem. If business suppliers want to keep those important contracts, they must implement due diligence practices. Here’s where to start.
Map your suppliers
You can’t secure a supply chain until you understand who’s in it. The next step is identifying which suppliers pose the greatest risk – who has access to valuable or sensitive information? The details to look into are the:
- Services they’re providing
- Types of information they’re processing
- Operational impacts to business if the supplier is compromised
Nail down the subcontractors
You’ll likely have far less visibility over the subcontractors in your supply chain, so it’s important to reach out to your suppliers. Ask them who is working for them and what level of access they have to your sensitive systems and data. Only in this way can you measure the risk of subcontractors creating a cyber incident for your organisation, whether directly or not.
It’s also important to ask what steps your suppliers have taken to vet their contractors and if they’re bound by the same terms. A formal check-out process for departing subcontractors will also ensure they’re removed from secure systems.
Implement DMARC
When you and your suppliers keep up with security basics, you’ll remove yourself from the pool of easy targets. A simple way to do that is to implement Domain-based Message Authentication, Reporting and Conformance (DMARC).
It’s a revolution in email security, defending against email spoofing, impersonation or Business Email Compromise (BEC) attacks. It’s a basic must-have – the equivalent of locking your office at night – but a recent survey shows that only 30% of ASX-listed organisations have DMARC policies. Just under half of NZ government agencies have no DMARC in place at all. That’s because implementing DMARC can be deceptively complex – and many organisations are put off by the work involved and risks to the smooth running of their company emails. Domain Protection Service from SMX is designed to overcome these issues – our experts follow a proven project flow to get DMARC installed in as little as five weeks.
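As an added example (not SMX’s code and not part of the original article), here is a small Python check that rates the DMARC posture of each domain in your supplier map, so the mapping exercise above and the DMARC gap described here can be tied together. The supplier domains and their DMARC records are constructed sample data; fetching the real TXT record published at `_dmarc.<domain>` is left to your DNS tooling.

```python
# Added example (not SMX code): rate the DMARC posture of each supplier domain
# in your map. Records below are constructed sample data; in practice you
# would fetch the TXT record published at _dmarc.<domain> for each supplier.

# Constructed inventory: supplier domain -> DMARC TXT record (None = none published)
SUPPLIER_DMARC = {
    "payroll-vendor.example": "v=DMARC1; p=reject; rua=mailto:dmarc@payroll-vendor.example",
    "logistics.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "cleaning-co.example": "v=DMARC1; p=none; rua=mailto:reports@cleaning-co.example",
    "legal-firm.example": None,
    "mislabelled.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs; None if not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A DMARC record must carry the version tag v=DMARC1 (RFC 7489)
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(record):
    """Return 'missing', 'monitor-only', 'partial' or 'enforced'.

    'partial' means enforcement covers only some mail: pct below 100, or an
    explicit subdomain policy (sp) that is weaker than the main policy.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()  # p is required; treat absence as none
    if policy == "none":
        return "monitor-only"
    pct = int(tags.get("pct", "100"))
    if pct < 100 or tags.get("sp", policy).lower() == "none":
        return "partial"
    return "enforced"


def suppliers_needing_attention(inventory):
    """Map each supplier that is not fully enforced to its rating."""
    ratings = {domain: assess_dmarc(rec) for domain, rec in inventory.items()}
    return {d: r for d, r in ratings.items() if r != "enforced"}
```

Run it over your own supplier inventory and the result is the shortlist of domains whose mail can still be spoofed in your name: the ones to raise with the supplier before the next contract review.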