Pratum Blog


A data breach anywhere in a business’s supply chain can quickly cascade through other organizations, shutting down operations and creating significant costs. That means businesses must take an active interest not only in their own information security posture but in the security of the companies they rely on throughout the supply chain. Most companies now face outside data security concerns from three directions:

  • Confirming that your partners handle shared data properly. (Think of scenarios where you share engineering drawings, customer profiles, logistics information, records of billable hours, etc.)
  • Verifying that your suppliers are secure enough to reliably service your company.
  • Proving to your customers that they can trust your security and reliability.

Contracts Increasingly Include Supply Chain Security

Because of all this interdependency, companies increasingly demand that suppliers and partners provide actual proof that they maintain an acceptable security posture. The days of simply declaring that you have things under control are quickly fading. Today, responsible companies require at least completion of a very detailed questionnaire specific to their concerns. And frequently, proving your security position means earning an independent, standardized certification such as SOC 2®.

Pushing back against the verification requirements of major companies and government entities may cost you the contract. “You may be providing toilet paper, and someone’s asking you to fill out a cybersecurity questionnaire,” says Pratum Founder and CEO Dave Nelson. “If you don’t, I guarantee there’s someone out there who will do it and take that contract.”

Rather than fighting it, we recommend leaning into the requirements and turning them into a business advantage. Many Pratum clients have leaped ahead of their competitors by staking a position as early adopters of key security standards. In this case study, one marketing company attributes 33% of their current customer portfolio to an advanced security mindset that helps them get more RFPs and win more deals.

New Supply Chain Standards You Should Know About

Much of the discussion in this area has focused recently on the Department of Defense's plan to ramp up security requirements for vendors in its supply chain. More than 300,000 companies will need to self-attest to their security controls or get a third-party assessment at the higher levels of CMMC, depending on the information they access in the course of executing their contract. (This blog provides the latest update on the ever-evolving CMMC situation.)

Evolving breach notification laws also drive much of the urgency around securing supply chains. Under these laws (which vary greatly by state), companies face potentially costly legal requirements to notify customers if hackers access sensitive information held by the company. Some organizations are pushing their suppliers to shore up their security as protection against inadvertent leaks of sensitive information when it travels to other companies.

Risks of an Unsecured Supply Chain

As you consider how to secure your supply chain, consider these potential risks:

  • Upstream and downstream liability – If your security failure creates a problem for someone elsewhere in the supply chain, you may have a legal responsibility to pay for the remediation/damages.
  • Cascading failures – In heavily interconnected ecosystems, one failure may quickly ripple out into other areas. If your ordering system corrupts data, you may lose track of how much raw material you need. If your inventory system fails, your ability to fill orders could fall apart. Mismanaged data and system downtime carry real costs.
  • “Weakest Link” targeting – If you do business with a larger company, hackers may target you as a potential way to get to the bigger target.

How to Identify Your Critical Vendors

A first step in securing your supply chain is identifying your critical vendors (and recognizing when you ARE one for your customers). A critical vendor typically:

  • Has access to data or systems within the company environment – Because you control this environment, you can set access and training requirements for partners such as onsite contractors or those using an integrated Enterprise Resource Planning (ERP) system.
  • Uses your data outside your company environment – You need to understand the security of the environment where your engineering documents, customer lists, personally identifiable information, etc. are being used, and how that data travels there: e-mail attachments, cloud storage and similar channels.
  • Creates data, systems or components embedded in your products – This covers partners who handle tasks such as developing software for you or building chipsets that ship in your product.

Planning Your Vendor Management Program

As you begin planning your vendor management approach, consider the following steps:

  • Get familiar with best practices – Review the NIST SP 800-171 controls and read up on NIST’s Cybersecurity Framework.
  • Develop your company’s framework – Design a program for identifying critical vendors and bringing them into compliance with your security standards.
  • Decide how you will verify compliance – To ensure that vendors are meeting your minimum security controls, choose one or more of the following approaches:
    – Require vendors to complete a cybersecurity questionnaire and provide a management attestation of their security posture.
    – Require third-party attestation or certification audits such as ISO 27001, SOC 2 or CMMC.
    – Audit the vendor yourself, either with your own team or through a third-party auditor you select.
  • Engage an experienced consultant – A cybersecurity firm like Pratum can help review your needs and establish a supply chain policy that fits your situation. Contact us today to talk with one of our advisors.

As a business, you have access to a lot of customer and vendor information. While many companies take this responsibility very seriously, not everyone is doing all they can to ensure security. One way that some businesses fall short is by not encrypting emails on a regular basis, or at all. In this article we’ll explain the importance of encryption, and how you can start securing your emails now.

What is Email Encryption

Email encryption is a disguise for your correspondence with clients and coworkers. Encryption software transforms your text, documents and other data into ciphertext that is unreadable to anyone who does not hold the decryption key. Some describe the process as creating another language: when a third party opens the message without the key, all they see is a jumble of letters, numbers and symbols.

Encrypting emails ensures that the only person who can read your message is the intended recipient, because only they hold the key that decrypts it. To anyone who intercepts the message in transit, or who later pulls it from a compromised mailbox, it looks like nonsense. Hackers often try to intercept business email because they know it can contain very sensitive and valuable information. Without encryption, even the smallest companies are targets for criminals looking to gain information through this channel.

Rights management can also protect data within an organization by requiring the reader to sign in with a single sign-on (SSO) account, such as a Microsoft 365 or Google login, before viewing or replying to a message. This adds a layer of protection by tying access to a specific account rather than to whoever happens to hold the message. Note the limitation, though: the message is delivered over normal web (TLS) encryption, but the message itself is not encrypted with the recipient’s key the way traditional email encryption does it. This technique should therefore be used in addition to, not instead of, traditional email encryption.

When the two are used together, businesses can restrict who may access sensitive information while also using strong encryption to keep email safe both in transit and at rest. If an employee leaves the company, the business can have more confidence that the messages can only be read with a valid, still-active account.

Risks of Not Encrypting

The dangers of not encrypting emails are numerous. Not only do you put your clients’ information at a higher risk of being leaked, but you also put your own business at risk. If a criminal accesses private information about your client or your company, they may try to use it for extortion. They could also use details found in the messages to reach other areas of your company. With the right data, such as credentials or internal details gleaned from email, a threat actor can gain access even to systems that are otherwise configured securely.

Business owners also need to implement encryption when an agreement with a customer or vendor requires it. Several compliance frameworks, such as PCI DSS, and regulations, such as HIPAA, require or expect encryption of sensitive data. This is essential when the nature of the information calls for a higher degree of protection. Personal information, bank data and other private details about an individual can be used to attempt further scams or to break into private accounts. Even the smallest detail may be the piece a criminal needs to work out a username or password for a secured account.

It’s not just clients you should be considering. Encryption is also advised when handling private information of employees. Documents containing health insurance information or financial records need to be protected. It’s in the best interest of your entire firm to be cautious and secure when handling any private data.

Encrypting all email by default, rather than only the messages you judge sensitive, also makes the attacker’s job harder. When every message is encrypted, a hacker who gets hold of a mailbox cannot simply pick out the valuable messages and must work through them one by one. That tedium can be enough to make some attackers give up and move on.

Full Security

Creating a safe environment for your staff and customers means considering all aspects of security. Neglecting cybersecurity can be detrimental to your business. Taking the time to protect all data, especially that which is sent through emails, could be the layer of protection your organization is missing.

If you have any other questions about the cybersecurity of your company, contact the experts at Pratum today.


Nearly every online account now requires a few extra layers of security. From receiving a code by text message before you can access your bank account, to scanning your retina to log into an app, there are more and more efforts to protect online accounts. While it may feel excessive to some, these extra steps are important layers of protection known as Multi-Factor Authentication (MFA).

Definition of Multi-Factor Authentication

Via National Institute of Standards and Technology (NIST):

MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account.

Your credentials fall into any of these three categories:

  • Something you know (like a password or PIN)
  • Something you have (like a smart card, phone or token)
  • Something you are (like your fingerprint)

Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.

Protecting with MFA

MFA is a simple way to boost your business’s cybersecurity strength. While other security programs and software can potentially be bypassed by a threat actor, a solid MFA deployment is much harder to defeat. Not only will the hacker need your username and password, they will also need a factor from one of the other categories, such as access to your smartphone or your fingerprint. Keep in mind that not all second factors are equally strong: a one-time code sent by text message or read from an authenticator app can still be phished and relayed by an attacker in real time, whereas hardware security keys and platform authenticators based on FIDO2/WebAuthn are bound to the legitimate site and resist phishing.

This sort of protection is especially important for business networks. Access to client data, employee information and proprietary documents can be extremely valuable to a hacker, which is why MFA is essential for protecting business information. When planning a Multi-Factor Authentication rollout, each organization should perform a Risk Assessment to determine its levels and sources of threats. Once you know where and how someone could infiltrate your systems, you will be better prepared to enable security controls like MFA in the right places. You will also be able to see which members of your team need higher levels of protection. For example, members of the executive team, or anyone with administrative access, may need a stricter authentication process than someone working janitorial services. It is all about examining the needs of your organization and working from there.

On top of protecting your business information from being stolen, you’re also protecting it from being damaged. Not all threat actors want to steal data. Some malicious attacks are done with the intent of destruction. Using a simple, extra layer of security with MFA can help protect your data from both.

Familiarity with MFA

The great thing about MFA is that most people are already using it! That includes most banks, credit card companies, Amazon accounts, college savings accounts, and investment and retirement accounts. Your employees have probably been using MFA for a few years now with their personal email and other accounts.

Since several large corporations are now requiring MFA, that should make the transition for your company even more seamless. People should already feel comfortable using MFA, since it’s been part of daily life for people using online services. The less confusion when introducing a new security program, the better!

It’s also something clients will recognize when you’re trying to explain the security of your business to help ensure confidence in working with you. When you are able to tell a potential client you have MFA set up within your organization, additional trust will be established.

It’s (Typically) Easy

Just because it works doesn’t mean it has to be complicated. While much of cybersecurity can appear confusing and overwhelming, MFA is pretty straightforward. There are even free applications, like Google Authenticator, to set up MFA on personal devices.

When choosing an MFA program for your business, there are several options designed for organizations of different sizes. To choose the best option for your operation, talk with a cybersecurity consultant to determine what will work best for your needs.

Extra Security is Necessary

While anti-virus and firewalls are important, they’re not always effective alone. MFA can make your existing security measures even stronger. It may take a few extra steps and a little more time, but the benefits of MFA can greatly outweigh the additional work.

First decide where MFA is necessary in your organization, then determine which program is the best fit for your company. Once you have it established, continue to monitor the effectiveness of the MFA program and your cybersecurity as a whole. For more information on how to analyze your security strength and choose an MFA program, contact Pratum!
