Social Engineering Threats to the Supply Chain During COVID-19
WHY THIS MATTERS
The operational resilience of your supply chain during this period of COVID-19 disruption needs to be stress-tested.
The security of your supply chain is only as strong as its weakest link. What if your new vendor becomes the weakest link?
Those businesses that have closed during the COVID-19 Pandemic may have impacted one or more supply chains. New suppliers may present new cyber risks that did not exist with the original suppliers.
At the same time, hackers searching for new social engineering targets hop into the network of the weakest link, perhaps a new supplier, as an access point into your network. Once inside the door, they have time to explore your operations and communications. Next, they have the ability to pursue social engineering that leads to severe financial impact to your bottom line.
Investments in your organization's cyber risk management and insurance during the coronavirus make good business sense because the benefits will carry over in a positive way to your operations after the Pandemic.
THE FINANCIAL IMPACT OF COVID-19
The COVID-19 Pandemic has had a profound financial impact on businesses. According to IndustryWeek, the world's supply chains faced a root-to-branch shutdown, unlike any seen in modern peacetime.
Those businesses that remained open shifted to remote work best practices as quickly as possible. At the same time, hackers searching for new targets may find a weakened or substitute supplier filling in for your original vendor.
Stress-Testing for Supply-Chain Resilience
Some reports illustrate how the operational resilience of your supply chain during this period of COVID-19 disruption needs to be stress-tested.
Maintaining the delicate balance between supply chain costs and risks requires a business to be vigilant. They must understand all risks, including cyber risks, facing their supply chains, and how to mitigate those risks.
The first step is developing a list of critical questions that will help your organization ensure operational resilience despite disruptions to the supply chain:
- Are you conducting operational assessments of your critical third-party vendors and suppliers for your raw materials, your process, your product cycle, your plant maintenance, and your IT?
- Do you know if all third-party vendors in your global supply chain are operating during the COVID-19 Pandemic?
- If they are not operating:
  - How long can you carry on without them?
  - What is your plan B and plan C, both onshore and offshore?
  - How will you quickly assess substitute or temporary vendors or suppliers?
- Have you updated your company asset system to account for third-party vendor replacements that you may need based on geographic location in the US or overseas?
- What if the third-party vendor suffers a cyberattack?
  - Do they have an incident response plan?
  - Can you help them come back to full operation?
- Have you implemented and tested a cyber incident response plan?
- Have you trained and tested your employees to prevent human error during a cyber threat, such as a phishing email campaign?
What is Meant by "Human Error" in a Cyberattack?
We often hear about "human error," causing a cyber incident. What does that mean?
Referring to human error means that a member of your team, or a third-party supplier, may override or circumvent your cybersecurity measures, unaware of the cyber risk. How?
For example, one cyber risk involves spoof emails (aka phishing emails) sent by cyber thieves to employees who may be unaware of the cyber threat. Even if employees are aware of cyber risks, they may be distracted while working from home or working remotely. They may unwittingly open a link or attachment in a text or email which releases malicious code or malware into your network, allowing fraudsters to explore your network.
Once inside your network, hackers can conduct social engineering, which means that they have time to understand your communications to help them to create authentic-looking imposter emails to use in a funds transfer scam.
Social Engineering Attacks Increasing During COVID-19 Pandemic
Has your organization contemplated the increased social engineering risks this year?
Social engineering hacks have increased exponentially during the COVID-19 Pandemic, which means they need to be understood and risk-managed.
Funds Transfer Fraud (Imposter Emails)
Funds Transfer Fraud (FTF) is a type of cyberattack that manages to redirect seemingly legitimate company payments to cybercriminals. When hackers prey on our inherent sense of trust, they sometimes succeed in their spoof or phishing email campaigns.
FTF (aka Business Email Compromise (BEC)) is a significant business for cybercriminals, and without the right protocols in place, companies are vulnerable to sending massive payments (even multiple times) with devastating financial consequences.
According to the FBI's 2019 Internet Crime Report, complaints revealed an uptick in BEC scams by a considerable margin. The FBI found BEC to be the most damaging type of cybercrime in 2019. BEC losses averaged $75,000 per complaint; phishing, smishing, and vishing accounted for $500 per complaint; and ransomware averaged $4,400 per complaint.
Reports indicate that in April 2020, two phishing campaigns and one malware campaign using COVID-19 lures impersonated the shipping companies FedEx, DHL, and UPS, as well as US-based medical providers, and carried malicious attachments.
Furthermore, multiple BEC campaigns used coronavirus themes, with payroll, wire transfer, and legal themes pressuring targets to make fraudulent funds transfers.
Notably, a cyber insurance policy may refer to Social Engineering, FTF, BEC, Invoice Manipulation, Electronic Crime, Computer Fraud, or Financial Fraud. Your cyber insurance broker should conduct a thorough review of cyber insurance policy wording to ensure clarity about this coverage.
Invoice Manipulation (Imposter Emails)
Invoice Manipulation is a more complex and daunting form of FTF. An attacker gains access to a company's email account, typically through phishing, and sends an authentic email to an outside party requesting payment for a fraudulent invoice. Having reviewed correspondence in the hacked email account, attackers will often mimic the sender's behavior to make the request look authentic. When the company follows up for the original invoice payment later, they discover the fraud, but the funds are long gone.
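The funds transfer fraud and invoice manipulation scenarios above share a few observable signals an accounts-payable team can screen for before money moves: a sender domain that only resembles the vendor's, a Reply-To that points somewhere else, bank details that differ from the vendor record, and pressure language. The following script is an added example (not from the article or from Cyber Armada) that applies those checks to constructed sample emails; the vendor master record, account-number format, and the emails themselves are all assumptions made up for the illustration.

```python
"""Screen a vendor payment email for BEC / invoice-manipulation indicators (added example)."""
from __future__ import annotations

import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master record. In practice the known sending domain and the
# bank account on file come from the AP / ERP system, not a dictionary.
VENDOR_MASTER = {
    "acme supplies": {"domain": "acme-supplies.example", "account": "GB12-3456"},
}

URGENCY_TERMS = ("urgent", "immediately", "today", "confidential", "as soon as possible")
ACCOUNT_RE = re.compile(r"\b[A-Z]{2}\d{2}-\d{4}\b")  # constructed account-number format


def _domain(addr: str) -> str:
    """Extract the lower-cased domain from a 'Name <user@domain>' header value."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def screen_payment_request(raw_email: str, vendor_name: str) -> list[str]:
    """Return the list of indicators found in a payment-related email from a known vendor."""
    msg = message_from_string(raw_email)
    record = VENDOR_MASTER[vendor_name.lower()]
    body = msg.get_payload()
    findings: list[str] = []

    # 1. Sender domain: exact match is fine; a near match is a lookalike domain.
    from_domain = _domain(msg.get("From", ""))
    if from_domain != record["domain"]:
        similarity = difflib.SequenceMatcher(None, from_domain, record["domain"]).ratio()
        if similarity >= 0.85:
            findings.append(f"lookalike sender domain: {from_domain} vs {record['domain']}")
        else:
            findings.append(f"unknown sender domain: {from_domain}")

    # 2. Reply-To pointing away from the sender's domain redirects the conversation.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"reply-to domain differs from sender: {_domain(reply_to)}")

    # 3. Any account number in the body that is not the one on file.
    accounts = set(ACCOUNT_RE.findall(body))
    if accounts and record["account"] not in accounts:
        findings.append(f"bank account differs from record: {sorted(accounts)}")

    # 4. Pressure language typical of funds-transfer requests.
    lowered = body.lower()
    urgency = [term for term in URGENCY_TERMS if term in lowered]
    if urgency:
        findings.append(f"urgency language: {urgency}")
    return findings


def requires_callback(findings: list[str]) -> bool:
    """Hold the payment for verification over a known phone number on any identity or bank-detail indicator."""
    return any(f.startswith(("lookalike", "unknown", "reply-to", "bank account")) for f in findings)


# Constructed sample emails (all addresses, domains and account numbers are made up).
LOOKALIKE_REQUEST = """From: Acme Supplies AP <billing@acme-suppIies.example>
Reply-To: billing@acme-suppIies.example
To: ap@yourcompany.example
Subject: Re: Invoice 4471 - updated remittance details

Hi, please note our bank details have changed as of this month.
Kindly remit invoice 4471 to the new account GB12-9876 today. This is urgent.
"""

REPLY_TO_HIJACK = """From: Acme Supplies AP <billing@acme-supplies.example>
Reply-To: acme.billing@freemail.example
To: ap@yourcompany.example
Subject: Updated remittance details

Our remittance account is now GB12-9876. Please confirm receipt.
"""

LEGITIMATE_INVOICE = """From: Acme Supplies AP <billing@acme-supplies.example>
To: ap@yourcompany.example
Subject: Invoice 4471

Invoice 4471 is attached; remit to GB12-3456 per our standing terms.
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", LOOKALIKE_REQUEST), ("reply-to", REPLY_TO_HIJACK), ("clean", LEGITIMATE_INVOICE)]:
        found = screen_payment_request(sample, "Acme Supplies")
        print(label, "-> hold for callback" if requires_callback(found) else "-> ok", found)
```

The decision rule is deliberately conservative: urgency language alone only annotates the message, but any change of identity or bank details holds the payment until someone confirms it with the vendor through a phone number already on file, never through contact details supplied in the email itself.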
According to the FBI, BEC scams like invoice manipulation accounted for more than $26 million in corporate losses in the last three years.
Most Stand-Alone Cyber Insurance policies have quickly responded to this threat and now provide coverage for invoice manipulation. However, outdated coverage forms and packaged policies might only respond to funds transferred by employees, potentially leaving businesses uninsured.
Your organization's cyber risk management during the Pandemic will carry over in a positive way to your operations after the Pandemic.
The Case for Stand-Alone Cyber Insurance
Your business stands a better chance of recovery with a robust Stand-Alone Cyber Insurance policy that provides coverage to protect your business against cyber-related losses.
- Ransom payments – if you incur cyber extortion-related expenses, such as the cost of hiring a security expert to advise you on how to respond to a threat, negotiating, or making the ransom payment.
- Business interruption – if you lose business income during the cyber event (after a brief waiting period and during a restoration period), including the policyholder's net profits before taxes, and extra expenses incurred during a shutdown of your computer network, including payroll. Additionally, qualified cyber policies may provide enhanced Business Interruption coverage that results from disruptions or cyberattacks against third-party IT Service Providers in supply chains. This enhanced coverage is often referred to as Contingent or Dependent Business Interruption.
- Data recovery or restoration – if you lose programs, software, or data due to damage, disruption, theft, or misuse of your data.
- Incident response team – if you incur costs associated with an incident response plan and the team to support you during a cyber incident.
- Employee training tools and programs – if you are looking to be proactive in loss prevention, such as phishing emails awareness training.
Your organization's residual cyber risk includes your employees, as well as the employees of your third-party vendors, who may be tricked by a phishing email or text, or manipulated via a phone call, jeopardizing your cyber risk management plan.
- Phishing emails and imposter emails succeed when hackers and fraudsters trick employees. From there, you may suffer a financial loss from a ransomware attack, funds transfer fraud, or invoice manipulation.
- Employee phishing email training and cyber risk awareness training have immeasurable value. One solution: some cyber insurance carriers offer support to their policyholders' efforts to increase employees' cyber threat awareness.
- All supply chain members benefit from conducting test runs of new equipment, tracking software, logistics management tools, and safety measures. Why not do the same for cybersecurity measures? Even better, why not do so with the support of your cyber insurance carrier?
- Your business stands a better chance of not only surviving but thriving after a cyberattack with a dedicated Stand-Alone Cyber Insurance policy suited to your risk tolerance level.
Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to assist you with your Stand-Alone Cyber Insurance needs. We understand the evolving cyber risks, the dynamic cyber insurance market, and the demands of cyber insurance clients.
Contact Cyber Armada today to explore how your company faces potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our next article with an update on the Cybersecurity Maturity Model Certification (CMMC).