A monthly Information Security publication for the WPI community.
This month let's focus on COMPROMISED VENDORS: an organization's vendor or business partner is attacked in a way that exposes the sensitive data of the vendor's customers, or the attacker uses the vendor's identity or systems to reach those customers. This may also be referred to as a third-party data breach. This graphic shows one scenario.
How to Prevent Third-Party Vendor Data Breaches (RiskOptics)
Industry experts estimate that about 60 percent of all data breaches happen via third-party vendors.
In this issue:
- Compromised Vendors
- Business Email Compromise (BEC)
- Vendor Security at WPI
- Massachusetts Cybersecurity Crime Statistics
- Learning with Laughter
- Where to Find Information Security?
- Meet an Information Security Student Worker!
- Featured Videos
- Compromised Vendors in the News
- Diversity in Cybersecurity
- Coming Next Month...
At a former workplace of mine, a scammer impersonated the email address of one of our business partners. They sent a deceptive email requesting a payment to be transferred to an out-of-state bank account. Thankfully, the recipient bank detected the unusual activity—a substantial payment being sent to a newly established account—and placed a hold on the funds. Due to the bank's proactive measures, we managed to retrieve our funds.
Vendors who have a large number of customers are an attractive target for cybercriminals. If they can successfully impersonate a vendor, then they can persuade multiple organizations to pay them or provide sensitive information.
Black Kite's annual Third-Party Breach Report examines the impact of third-party cyber breaches, which doubled in 2022.
Black Kite's Report (securitymagazine.com)
What is vendor email compromise (VEC)? by Cloudflare
Business Email Compromise (BEC)
Business Email Compromise (BEC) is a scam in which an attacker uses a spoofed or hijacked business email account to request a fraudulent payment or sensitive information. The invoice scam described in last September's SECURE IT, Examples of Social Engineering, is one common form of it.
Given that over $72 million was lost in Massachusetts in 2022 due to BEC, make sure you address communications from your suppliers at times when you can give them your undivided attention. Does something seem off? Compare the current communication to previous ones: the sender's address and domain, the reply-to address, the bank account or payment instructions, and the tone. Verify any change in payment details by calling the vendor at a phone number you already have on file, not one given in the email. If you think it's a Business Email Compromise scheme, then contact email@example.com.
Business Email Compromise (Hub article)
Phishing Explained (Hub article)
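What "compare the current communication to previous ones" looks like when done by a script rather than by eye, as an added example (not WPI's tooling or any vendor's product): it checks a vendor email against a profile built from earlier legitimate messages, flagging a lookalike sender domain, a Reply-To that points somewhere else, a bank account that differs from the one on file, and pressure to act immediately. The vendor name, domains, account numbers and both sample messages are constructed for illustration.

```python
"""Added example (not WPI's or any vendor's code): heuristic checks on a
vendor email that requests a payment, turning "compare the current
communication to previous ones" into code.  The vendor profile, domains,
account numbers and both sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed profile of what previous, legitimate messages looked like.
KNOWN_VENDORS = {
    "acme-supply.com": {
        "display_name": "Acme Supply Billing",
        "bank_account_last4": "4417",
    },
}

URGENCY = re.compile(r"\b(urgent|immediately|today|wire|updated (bank|account))\b", re.I)
ACCOUNT = re.compile(r"\b(?:account|acct)\s*(?:#|no\.?|number)?\s*[:\-]?\s*(\d{6,17})\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 or 2 between domains is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_vendor_message(raw):
    """Return a list of findings for one RFC 822 message; empty means nothing looked off."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    reply_dom = parseaddr(msg.get("Reply-To", from_addr))[1].rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    findings = []

    # 1. Who does the message claim to be from?  Look the display name up.
    vendor_dom = next((d for d, v in KNOWN_VENDORS.items()
                       if v["display_name"].lower() == from_name.lower()), None)
    if vendor_dom and from_dom != vendor_dom:
        kind = "lookalike" if edit_distance(from_dom, vendor_dom) <= 2 else "unknown"
        findings.append(f"{kind} sender domain {from_dom!r}, expected {vendor_dom!r}")

    # 2. Replies silently routed elsewhere (common when a real mailbox was hijacked).
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # 3. Payment details that differ from what is on file for this vendor.
    profile = KNOWN_VENDORS.get(vendor_dom or from_dom)
    for acct in ACCOUNT.findall(body):
        if profile and not acct.endswith(profile["bank_account_last4"]):
            findings.append(f"account ending {acct[-4:]} differs from on-file ...{profile['bank_account_last4']}")

    # 4. Pressure to act before anyone checks.
    if URGENCY.search(body):
        findings.append("urgency language present")
    return findings


# Constructed sample messages: one matches the vendor's history, one does not.
LEGIT = """\
From: Acme Supply Billing <billing@acme-supply.com>
Subject: Invoice 2231

Invoice 2231 is attached. Remit to account 110022334417 as usual.
"""

SUSPECT = """\
From: Acme Supply Billing <billing@acme-suppIy.com>
Reply-To: billing@acme-supply-payments.net
Subject: Updated bank details for invoice 2231

Please wire today's invoice to our updated account number 9988776655.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, check_vendor_message(raw) or ["no findings"])
```

The suspect message trips all four checks (the sender domain swaps a capital I for the l in "supply", which the lowercase comparison catches as a one-character edit). The checks are deliberately simple and lean on the display name matching a known vendor; a scammer who changes the display name as well would only be caught by the Reply-To, account and urgency checks, which is why the out-of-band phone call to a number already on file remains the final word on any payment change.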
Vendor Security at WPI
Processes in Procurement and Information Security, together with diligence by all community members, help protect WPI!
Direct supplier inquiries requesting to do business with WPI are reviewed by the Procurement team. Laurie Collela, Director of Procurement and Payables, explains:
"Procurement reviews new supplier requests by the community and their accompanying documentation. There is a list of preferred suppliers available on the Procurement website. The details for each supplier and their relationship with WPI are updated and managed by Procurement. All new suppliers that are created in Workday automatically run through the Sanctioned Supplier Screening, which will create a Workday inbox item for the Procurement team to review potential matches, or simply approve if there are no matches found. A sanctions list is a compilation of individuals, companies, or countries that are restricted or penalized by governments or international bodies. There are different types of sanctions, such as economic sanctions, international sanctions, embargo, and diplomatic sanctions."
In addition, this year Workday implemented an integration to screen suppliers against the Office of the Inspector General's List of Excluded Individuals/Entities, which lists parties excluded from U.S. federally funded health programs for reasons such as Medicare or Medicaid fraud. When a supplier is set up in Workday, the results are reviewed in tandem with the sanctions screening on new suppliers.
Our Data Governance and Management model includes Information Security Review of any new technologies being considered for purchase or implementation at WPI. Details about the review and a link to the Project Intake Form where it all begins are at:
Information Security Review (WPI Hub sign-in required)
Access to systems and data is vetted; vendors requiring access have their own accounts which require multi-factor authentication.
Security also depends upon community members carefully inspecting invoices, reviewing PCard purchases, and handling WPI data securely. If you are WPI's point of contact for a vendor or system, you may be the one they alert if they experience a security breach. If you are notified of an external cybersecurity issue, please immediately forward details to WPI's Chief Information Security Officer at CISO@WPI.edu.
Information Security Breach Notifications
Cybersecurity Crimes in Massachusetts in 2022
This is a small excerpt of the statistics from the FBI's Internet Crime Complaint Center (IC3) Annual Reports for Massachusetts.
[Table: # of Victims by crime type, including Business Email Compromise (BEC); values not preserved in this copy.]
People over 60 accounted for about 26% of the cybercrime victims in Massachusetts, while those under 20 were about 4% of the victims. The other 70% were working-age people between ages 20 and 59. A significant number of people at WPI are in that age range.
2022 FBI State Report for Massachusetts
FBI Internet Crime Complaint Center (IC3) Annual Reports
Learning with Laughter
Where to Find Information Security?
This month Information Security partners with Procurement to offer a webinar about vendor security. Join us Thursday, 1/25 from 2:00pm - 2:45pm.
Recording of Compromised Vendor Webinar (40 min)
Meet an Information Security Student Worker!
Justin Healey is a junior in the BS/MS Computer Science program with an MS in Cybersecurity. He has been part of Information Security for about 6 months. He typically takes on triaging alerts and investigating events.
"Working with the InfoSec team has been an amazing experience. It's been awesome to see the real world applications of what I learn in school, and to be able to be part of a team with such great, smart people. So far, the most interesting thing I've learned is to ask lots of questions, even when you're not sure if anyone knows the answer. There are no wrong questions, and sometimes asking the right question can help others find a solution."
IT is very fortunate to have Justin on our team!
Featured Videos
These brief videos discuss the major breach Target faced in 2013, which began with access credentials stolen from one of Target's vendors. The key points of this breach are still relevant to how organizations get compromised today.
Hacking Timeline: What Did Target Know and When? (2 min)
Cyber Attack Explained: Target (4 min)
Compromised Vendors in the News
MOVEit is a managed file transfer product. When a vulnerability in MOVEit Transfer was exploited in 2023, one of its clients, the National Student Clearinghouse (NSC), had some of its data stolen, which in turn exposed data from some of the universities that use the NSC.
MOVEit hack spawned over 600 breaches (Reuters, Aug 2023)
National Student Clearinghouse Alert
University of Dayton MOVEit Breach
Health Care Data Breach Caused by MOVEit Breach (December 2023)
Diversity in Cybersecurity
Keatron Evans, VP of Portfolio and Product Strategy
Coming Next Month...
Best Security Practices for Financial Aid and Taxes
Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.