Skip to main content
Extending Email Authentication to Third-Party Vendors

Extending Email Authentication to Third-Party Vendors

Ecosystem NewsEmail Security Insights

Organizations large and small rely on contracted vendors to supply them with goods and services for successful operations. And with that comes more and more digital interconnectivity between a business and its vendors.

While your business may be a paragon of cybersecurity with best practices in place and ever-evolving to address the dynamic threat landscape, the third-party vendors in your supply and service chain may not have the same security stance. With phishing attacks at an all time high, businesses need to ensure their supply chain partners adhere to email security best practices. It’s important to manage third-party partners, whether it’s a vendor for cleaning services, a wholesaler for retail products, or a managed service provider.

As a prime example, let’s go to the Target data breach that occurred as a result of one of its vendors being compromised. This is what happened: an employee of Target’s refrigeration contractor clicked on a phishing email that installed malware on the vendor’s network. In time, the cyber criminals stole login credentials from the vendor and managed to gain access to Target’s network. Needless to say, the refrigeration contractor didn’t have the necessary cybersecurity protections in place to recognize or prevent the phishing incident.

When they gained access to Target’s network, the attackers hacked point-of-sale (POS) terminals and collected tens of millions of credit card records through POS transactions. The damage from the attack via a third-party vendor left Target responsible for a massive clean up operation, from additional security to legal fees and credit monitoring for millions of customers. On the vendor management front, they reviewed and limited vendor network privileges as well as improving POS monitoring systems and training employees on password management.

Organizations of All Sizes Affected

We won’t get into the details of other examples, but Solar Winds, Kaseya and Domino’s Pizza may ring a bell. And we should mention that all supply chain attacks aren’t always on the scale of the massive Target breach. For example, you could own a small bicycle shop and receive an invoice via email from a supposed vendor. If that vendor doesn’t have proper email authentication, like SPF, DKIM, and DMARC, in place, a criminal could exploit the email domain and send a fake invoice and payment link that redirects the funds to their bank account. Without DMARC and its underlying authentication checks, attackers can impersonate legitimate organizations and cause financial losses and erode brand trust.

A 2021 study by Blue Voyant illustrates the risk associated with insecure third-party vendors. Its second annual global survey into third-party cyber risk management found that “Ninety-seven percent of firms surveyed have been negatively impacted by a cybersecurity breach that occurred in their supply chain. Ninety-three percent admitted that they have suffered a direct cybersecurity breach because of weaknesses in their supply chain, and the average number of breaches experienced in the last 12 months grew from 2.7 in 2020 to 3.7 in 2021—a 37% year-over-year increase.

“Auditing or sending questionnaires to your supply chain is important, but not sufficient, to stay ahead of agile, persistent attackers,” Blue Voyant’s CEO says. “Continuous monitoring and quick action against newly discovered critical vulnerabilities is an essential element for effective third-party risk management.”

Phishing continues to be the chosen method of attack for cyber criminals; one way you and the vendors in your supply chain can fight the pervasive dilemma is to enable foundational email authentication as part of your vendor management strategy. Deploying DMARC and having your supply chain vendors do the same is one way everyone can trust the sensitive email messages flowing among you and your business partners.

We’re here to help people understand and deploy DMARC, so let us know if you have any questions about DMARC and email authentication for your vendors.

Want to continue the conversation? Head over to the dmarcian Forum