Preventing social engineering attacks via third-parties
Posted on 30 May 2025 by Beaming Support
Following the Marks & Spencer cyber-attack, which reportedly stemmed from social engineering tactics via a third-party supplier, it’s more critical than ever for businesses to bolster their defences against these sophisticated threats. As a UK business ISP, we want to provide our contacts with actionable advice to protect their organisations.
Here are measures to consider:
Selecting Third Party Suppliers
Prioritise Suppliers with ISO 27001 Certification:
Why it helps: ISO 27001 demonstrates a supplier has a robust Information Security Management System (ISMS) in place. This includes processes for risk assessment, controls for data protection, and a commitment to continuous improvement. It provides a level of assurance that the supplier takes information security seriously and has verifiable practices.
Beyond Certification: While ISO 27001 is a strong indicator, it shouldn’t be the only criterion. It’s a foundational element; here are other considerations when selecting suppliers:
- Due diligence: Before engaging with any third-party supplier, conduct thorough security assessments. This involves not just certifications but also reviewing their security policies and incident response plans.
- Continuous monitoring: Security is not a one-off assessment. Implement ongoing monitoring of third-party suppliers’ security posture. This could involve regular security questionnaires, vulnerability scans, and security performance reviews.
- Supply chain mapping: Understand your entire supply chain, including “fourth parties” (subcontractors of your subcontractors), as vulnerabilities can spread.
Regular employee training and testing:
Why it helps: The human element is often the weakest link in social engineering attacks. Regular training helps employees recognise phishing emails, vishing calls, and other social engineering tactics.
Further action:
- Simulated campaigns: Regularly conduct realistic phishing simulations to test employee vigilance and identify areas for further training. Provide immediate feedback and remedial training for those who fall for the simulations.
- Targeted training: Train staff on common social engineering tactics, such as urgency, authority impersonation, curiosity, and reciprocity, and how these are used in emails, phone calls, and even in-person scenarios.
- Create a reporting culture: Emphasise the importance of reporting suspicious activity, even if the employee is unsure whether it is malicious. A “see something, say something” culture is vital.
Implement policies to reduce chances of social engineering:
Why it helps: Clear policies guide employees on how they should handle suspicious requests, verify identities, and manage sensitive information.
Policy examples:
- Verification Protocols: Implement strict protocols for verifying requests for sensitive information or changes (e.g., bank details, access privileges), especially if they come via email or phone. This should always involve an additional verification, such as calling the known, official number of the person or company.
- Least Privilege Access: Ensure third-party suppliers and employees only have access to the data and systems absolutely necessary for their job roles. This minimises the potential damage if one of their accounts is compromised.
- Data Minimisation: Only share the absolute minimum necessary data with any employee or contact. The less sensitive data they hold, the lower the risk in case of a breach at their end.
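The least-privilege and data-minimisation policies above only hold if someone periodically checks what third-party accounts actually have against what their contract needs. The script below is an added example and not code from Beaming; it runs over a constructed access inventory (hypothetical supplier names, permission strings and login dates) and an approved-scope table, flagging grants beyond scope, stale accounts, and accounts whose supplier has no approved scope at all.

```python
"""Least-privilege review of third-party accounts (added example, constructed data)."""
from datetime import date, timedelta

# Constructed: what each supplier is contractually approved to access.
APPROVED_SCOPE = {
    "hvac-maintenance-ltd": {"bms:read", "bms:write"},
    "payroll-bureau-plc": {"hr:payroll:read"},
}

# Constructed: what is actually provisioned in the identity system.
ACCOUNTS = [
    {"user": "svc-hvac-01", "supplier": "hvac-maintenance-ltd",
     "granted": {"bms:read", "bms:write"}, "last_login": date(2025, 5, 20)},
    {"user": "svc-hvac-02", "supplier": "hvac-maintenance-ltd",
     "granted": {"bms:read", "finance:ledger:read"}, "last_login": date(2024, 9, 3)},
    {"user": "svc-payroll", "supplier": "payroll-bureau-plc",
     "granted": {"hr:payroll:read", "hr:payroll:write", "vpn:all"},
     "last_login": date(2025, 5, 28)},
]

# Accounts unused for longer than this are candidates for removal.
STALE_AFTER = timedelta(days=90)


def review_accounts(accounts, approved_scope, today):
    """Return (user, finding, details) tuples for every deviation from least privilege."""
    findings = []
    for acct in accounts:
        scope = approved_scope.get(acct["supplier"])
        if scope is None:
            # Nobody has signed off any access for this supplier: everything is excess.
            findings.append((acct["user"], "unknown-supplier", sorted(acct["granted"])))
            continue
        excess = acct["granted"] - scope
        if excess:
            findings.append((acct["user"], "excess-privilege", sorted(excess)))
        if today - acct["last_login"] > STALE_AFTER:
            findings.append((acct["user"], "stale-account", [str(acct["last_login"])]))
    return findings


if __name__ == "__main__":
    for user, finding, details in review_accounts(ACCOUNTS, APPROVED_SCOPE, date(2025, 5, 30)):
        print(f"{user}: {finding} {details}")
```

In practice the inventory would be exported from the identity provider and the approved scope kept with the supplier contract; the point of the check is that the two are compared on a schedule, not once at onboarding.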
Multi-Factor Authentication (MFA) everywhere:
Why it helps: MFA adds a crucial layer of security, making it much harder for attackers to gain access even if they manage to steal login credentials through social engineering. It should be mandatory for all accounts, especially those with access to sensitive systems or data, and for any third-party access to your systems.
Network segmentation:
Why it helps: Segmenting your network means that even if a social engineering attack compromises a specific system (e.g., through a third-party’s access), the attackers are confined to that segment, preventing them from easily moving laterally across your entire network.
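One way to test whether segmentation actually confines a third party is to model the firewall policy as allowed flows between segments and walk outward from the segment the supplier lands on. The script below is an added example, not Beaming's code; the segment names and the two policies (a flat network and a segmented one) are constructed to illustrate the difference the paragraph describes.

```python
"""Segmentation reachability check (added example, constructed policies)."""
from collections import deque

# Constructed: a flat design where the vendor VPN lands on the office LAN and
# every segment can talk to every other. Edges are (source, destination, port).
FLAT_POLICY = [
    ("vendor-vpn", "office-lan", "any"),
    ("office-lan", "servers", "any"),
    ("office-lan", "vendor-vpn", "any"),
    ("servers", "office-lan", "any"),
]

# Constructed: the vendor gets its own segment that can reach only the
# building-management DMZ on one port; nothing flows back out of it.
SEGMENTED_POLICY = [
    ("vendor-vpn", "bms-dmz", "443"),
    ("office-lan", "servers", "any"),
    ("office-lan", "bms-dmz", "443"),
    ("servers", "office-lan", "any"),
]


def reachable_from(policy, start):
    """Breadth-first walk over allowed flows.

    Returns (set of segments reachable from `start`, dict of segment -> path),
    where each path step is written as 'segment:port'.
    """
    adjacency = {}
    for src, dst, port in policy:
        adjacency.setdefault(src, []).append((dst, port))
    seen = {start}
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, port in adjacency.get(cur, []):
            if dst not in seen:
                seen.add(dst)
                paths[dst] = paths[cur] + [f"{dst}:{port}"]
                queue.append(dst)
    seen.discard(start)
    return seen, {seg: path for seg, path in paths.items() if seg != start}


def lateral_exposure(policy, compromised, high_value):
    """High-value segments an attacker could reach from the compromised segment."""
    reached, _ = reachable_from(policy, compromised)
    return sorted(reached & set(high_value))


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reached, paths = reachable_from(policy, "vendor-vpn")
        print(f"{name}: vendor-vpn reaches {sorted(reached)}")
        for seg, path in paths.items():
            print(f"  {' -> '.join(path)}")
        print(f"  exposure of high-value segments: "
              f"{lateral_exposure(policy, 'vendor-vpn', ['servers', 'office-lan'])}")
```

Running the same walk against the real rule base after every firewall change, and treating any new path from a supplier segment to a high-value one as a finding, turns the "confined to that segment" claim into something that is checked rather than assumed.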
Incident response planning (including Third Parties):
Why it helps: Having a well-defined and tested incident response plan is critical. This plan should specifically address scenarios involving third-party breaches.
Plans could include:
- Communication protocols: Establish clear communication channels and protocols with third-party suppliers for incident notification and coordination.
- Containment and recovery: Outline steps for containing a breach originating from a third party and recovering affected systems and data.
- Regular drills: Conduct exercises and simulations that include third-party breach scenarios to ensure all parties understand their roles and responsibilities.
Threat intelligence sharing:
Why it helps: Encourage your contacts to participate in industry threat intelligence sharing groups (if appropriate and available) to stay informed about emerging social engineering tactics and known threat actors.
By implementing and consistently reviewing these measures, UK businesses can help reduce their vulnerability to social engineering attacks, especially those originating from their extended supply chain. And most importantly, it’s about building a culture of security awareness and resilience, from your own staff to your most trusted partners.
Further reading: