Supply chain requirements: a change is coming

November 21, 2024 | Cybersecurity , sendmarc
Elliot Wilkie

Written by
Elliot Wilkie

A few weeks ago, I attended a very interesting event in Manchester where I had the incredible opportunity to speak to CISOs, CTOs and senior people in Technical/Security from a range of Enterprise and Public Sector organisations. From the conversations I was having, there was one clear topic of conversation – Supply Chain.

In recent years, there has been an increase of 600% of supply chain attacks[1], meaning supply Enterprise and Public Sector organisations are recognising this threat and are now starting to enforce stricter requirements on their suppliers. In short, the need for their suppliers to have DMARC in place is increasing.

The importance of DMARC

In my last blog, I covered what DMARC is, so I won’t go into too much detail here. But for those who want a refresher, DMARC is a vital email authentication protocol designed to protect email domains from spoofing attacks, phishing, email interception and helps ensure email deliverability. Being the decision maker for when SPF and DKIM fails, DMARC is essentially the ‘final say’ in where your email goes.

Public sector mandates

Recognising the increasing sophistication of cyber threats, public sector and enterprise organisations are turning their attention to their supply chain to protect themselves. The inherent benefit of DMARC is that it protects the outbound emails, meaning that if a spoofing email was sent from a third-party supplier, that email wouldn’t end up in the inbox of the recipient at the public sector/enterprise organisation. Makes sense!

However, their attention doesn’t stop at the third party, they’re also looking at 4th and 5th parties for DMARC due to the nature of where these attacks originate from. If a spoofing email came from the 4th party and was sent to the 3rd party who was then compromised, the risk to the public sector/enterprise organisation has now significantly increased. Not only that, but the average time to detect and contain a supply chain related breach is 290 days[2].

What’s going to happen?

Suppliers have a responsibility to protect their own business from attacks, and public sector/enterprise organisations are conscious that those suppliers are still businesses in their own right. What follows is usually a questionnaire, or some form of risk intelligence to understand where the risk lies …

  • What permissions does the suppliers’ users have in Microsoft?
  • When did the organisation procure the supplier?
  • Has there been a change at the supplier that changes the risk (for better or worse) since first procuring?
  • Does the supplier’s DMARC record protect them from spoofing attacks?

Lack of proper security, especially in regard to DMARC (and by extension SPF and DKIM), could mean a termination of contract, or when the contract is due for renewal, the incumbent supplier is no longer considered. For suppliers hoping to win new business via tender contracts, they would very likely be out of the running in the early stages when their own security is not up to par.

What does this mean for my customers?

I’m sure the above makes it clear, but as your clients’ MSP/MSSP/VAR, you have a responsibility to ensure your clients’ follow security best practices. But without these best practices, your clients are in a very real position of losing out on existing or new revenue streams. If a small organisation has one high-value customer that they lose, that could mean game over for them.

DMARC is the focus of these public sector/enterprise organisations, and they’re making sure their clients are at p=reject. But the DMARC journey isn’t simple. This is where Sendmarc comes in and can guarantee that your clients can get to p=reject within 90 days.

Want to find out how? Book in for a demo.

 

[1] Cyber Security Statistics: 2024 Trends and Data

[2] Cyber Security Statistics: 2024 Trends and Data

Recommended reading

A unique way to get bigger and better clients

In the competitive landscape of managed service providers, standing out is more challenging than ever. ...

The Zensory: building a future-proof cyber mindset

At Brigantia, we always look for innovative ways to enhance value for our partners. Fostering a strong ...

Why Penetration Testing as a Service (PTaaS) is essential for modern cybersecurity.

Cyber threats continually evolve, and keeping up requires a proactive, ongoing approach to security testing. ...