Supply chain requirements: a change is coming

November 21, 2024 | Cybersecurity , sendmarc
Elliot Wilkie

Written by
Elliot Wilkie

A few weeks ago, I attended a very interesting event in Manchester where I had the incredible opportunity to speak to CISOs, CTOs and senior people in Technical/Security from a range of Enterprise and Public Sector organisations. From the conversations I was having, there was one clear topic of conversation – Supply Chain.

In recent years, there has been an increase of 600% of supply chain attacks[1], meaning supply Enterprise and Public Sector organisations are recognising this threat and are now starting to enforce stricter requirements on their suppliers. In short, the need for their suppliers to have DMARC in place is increasing.

The importance of DMARC

In my last blog, I covered what DMARC is, so I won’t go into too much detail here. But for those who want a refresher, DMARC is a vital email authentication protocol designed to protect email domains from spoofing attacks, phishing, email interception and helps ensure email deliverability. Being the decision maker for when SPF and DKIM fails, DMARC is essentially the ‘final say’ in where your email goes.

Public sector mandates

Recognising the increasing sophistication of cyber threats, public sector and enterprise organisations are turning their attention to their supply chain to protect themselves. The inherent benefit of DMARC is that it protects the outbound emails, meaning that if a spoofing email was sent from a third-party supplier, that email wouldn’t end up in the inbox of the recipient at the public sector/enterprise organisation. Makes sense!

However, their attention doesn’t stop at the third party, they’re also looking at 4th and 5th parties for DMARC due to the nature of where these attacks originate from. If a spoofing email came from the 4th party and was sent to the 3rd party who was then compromised, the risk to the public sector/enterprise organisation has now significantly increased. Not only that, but the average time to detect and contain a supply chain related breach is 290 days[2].

What’s going to happen?

Suppliers have a responsibility to protect their own business from attacks, and public sector/enterprise organisations are conscious that those suppliers are still businesses in their own right. What follows is usually a questionnaire, or some form of risk intelligence to understand where the risk lies …

  • What permissions does the suppliers’ users have in Microsoft?
  • When did the organisation procure the supplier?
  • Has there been a change at the supplier that changes the risk (for better or worse) since first procuring?
  • Does the supplier’s DMARC record protect them from spoofing attacks?

Lack of proper security, especially in regard to DMARC (and by extension SPF and DKIM), could mean a termination of contract, or when the contract is due for renewal, the incumbent supplier is no longer considered. For suppliers hoping to win new business via tender contracts, they would very likely be out of the running in the early stages when their own security is not up to par.

What does this mean for my customers?

I’m sure the above makes it clear, but as your clients’ MSP/MSSP/VAR, you have a responsibility to ensure your clients’ follow security best practices. But without these best practices, your clients are in a very real position of losing out on existing or new revenue streams. If a small organisation has one high-value customer that they lose, that could mean game over for them.

DMARC is the focus of these public sector/enterprise organisations, and they’re making sure their clients are at p=reject. But the DMARC journey isn’t simple. This is where Sendmarc comes in and can guarantee that your clients can get to p=reject within 90 days.

Want to find out how? Book in for a demo.

 

[1] Cyber Security Statistics: 2024 Trends and Data

[2] Cyber Security Statistics: 2024 Trends and Data

Recommended reading

A year of Sendmarc: 2024 highlights

At the start of 2024, we introduced Sendmarc to the UK channel. As we approach the first anniversary, we ...

Brigantia: A look back over 2024

As 2024 comes to an end, there’s plenty to reflect on over the last 12 months. This year has had many ...

How AI chatbots pass the Turing Test and the cybersecurity implications

In 1950, Alan Turing proposed a test to measure a machine's ability to exhibit intelligent behaviour ...