Enquiron | Our Members Bring Choice, Value & Innovation to Agriculture

Cybersecurity Q&A: Supply Chain Attacks
Tue, 22 Feb 2022 20:23:32 +0000
/featured-small/cybersecurity-qa-supply-chain-attacks/

Question: Our network was recently breached as a result of an update to a software product we purchased. The vendor told us that one of their own service providers was breached, and the update exposed all of their customers to attack. What should we have done to prevent this vendor from impacting our systems, and what can we do to prevent something like this moving forward?

Answer: You are describing a supply chain attack—a cyberattack that impacts not your organization specifically, but one of your suppliers, thus disrupting your operations or, in this case, exposing your company to further attack.

This type of cyberattack is becoming more common as criminals realize that they can breach organizations en masse by attacking service providers who have some level of access to many companies’ systems. The most publicized recent supply chain attack was the SolarWinds attack in December 2020. In that case, SolarWinds was responsible for pushing updates to their clients’ systems. The attacker gained access to SolarWinds’ systems and published fraudulent updates that installed malware on many of SolarWinds’ customers’ networks. Even though those end-user customers were not directly breached, the attack on their service provider ended up exposing them to risk and attack.

These are complicated situations, especially among small businesses, because third-party vendors are more common than in-house services in those environments.

So, how do you determine if you have risk associated with a vendor or some other party in your digital supply chain?

Ask! If you’ve ever applied for cyber risk insurance or undergone an audit where your computer systems were evaluated, you were likely given a questionnaire regarding your company’s digital security and processes. Make a copy of one of those audits, or download one of the many freely available templates online. Ask your key vendors to complete them. Work with your in-house or contracted IT provider to evaluate responses, and refresh that audit with vendors once a year or so to assess the risks.

What steps should you take to prevent this kind of breach?

Grant access to your systems only when actually needed. Especially with third-party IT support, external vendors are often given unrestricted 24/7 remote access to your systems. While this can be helpful if something goes down in the middle of the night, it also creates opportunities for your systems to be attacked. If you can, limit vendor access to an as-needed basis, and use permitted-hours settings on your servers or firewalls to control when external vendors are allowed to access your systems, and from where. The middle of the night, weekends and especially holidays are prime times for attackers to try to breach systems.

Purchase and install endpoint-detection-and-response (EDR) software or systems. EDR can be thought of as anti-virus software plus-plus. It combines the features of old-style anti-virus with proactive threat detection, network monitoring, update verification, and plenty of other features that not only block known threats but can use behavioral data to spot and block “fishy” activity that is out of the norm for your company. EDR will often detect and block threats coming from a theoretically trusted source, like a key vendor. EDR software is also not as expensive as many people believe, as you can obtain high-quality EDR for as little as $45 to $60 per device, per year. Of course, more expensive options do exist, but even a reasonably priced small business solution will provide a great deal of protection from unexpected threats.

Finally, enable and enforce two-factor or multi-factor authentication on all of your systems. Most attacks involve credential theft, where a vendor’s credentials are used to illicitly access your systems. By enforcing multi-factor authentication, you remove the username and password as the sole barriers to entry and require that whoever is logging in also possess a physical object, such as a security key or smartphone, to complete the login process.

This article is provided by Enquiron, which offers Association members cybersecurity resources at no cost. Learn more about the benefit at .

Prepare for a Cyber Breach, Know How to Respond
Wed, 19 Jan 2022 18:09:09 +0000
/featured-small/prepare-for-a-cyber-breach-know-how-to-respond/

Question: We recently had a server breach that resulted in some of our customer records being potentially exposed to the hackers. Our IT team has resolved the issue. Are we required to report this incident to the police or any other agency?

Answer: The United States is behind other countries in clarifying companies’ responsibilities in the wake of a cybersecurity breach; requirements exist only agency by agency or state by state. Consult your IT provider, insurance company and/or legal counsel to determine which requirements apply to you.

We recommend, however, that companies report the nature and scope of cyber security breaches to law enforcement agencies and the companies and individuals potentially impacted.

The FTC has published a “Data Breach Response Guide for Businesses,” which can be found at . Among suggestions in the guide:

  1. Determine your legal requirements by state or applicable federal regulations;
  2. Notify law enforcement;
  3. Notify affected businesses, including financial institutions, if applicable;
  4. If social security numbers have been involved, contact the three major credit bureaus (Equifax, Experian, TransUnion) to obtain additional information and advice;
  5. Notify individuals, based on the circumstances of the breach and your requirements under No. 1.

The guide includes a letter template that can be used for drafting such notifications.

All 50 U.S. states have enacted some form of legislation requiring government and/or private entities to notify individuals when a breach of Personally Identifiable Information (PII) has occurred. Unfortunately, there is no consistent definition of what constitutes PII. Some states define this information to be solely “critical PII,” such as social security numbers, driver’s license numbers, or bank account numbers. Other states define PII more broadly to include date of birth or address, and in at least the case of California, information as broad as a name and ZIP code.

Further, states currently do not agree on what constitutes a breach, on how soon after a breach is discovered individuals must be notified, or on what exemptions might exist, such as an exemption if the only information taken was encrypted.

Companies with customers in several states can be subject to a patchwork of different regulations. It is considered best practice to comply with the most-restrictive regulations your company could be subject to, which in the U.S. are the guidelines in California or Illinois (depending on the nature of the data disclosed).

Given the attention being paid to this issue at all levels of government, it seems likely that the U.S. will soon have a comprehensive set of cybersecurity regulations and disclosure requirements.

Until then, what should companies do in response to a breach?

First, recognize that cybersecurity is one of the few areas where the victim of a crime can become subject to legal jeopardy as a result of their victimization. While this may seem unfair, in this case, companies are acting as custodians of their customers’ personal information. Even though the company is itself a victim of cybercrime, it has a responsibility to protect its customers from further harm.

In the jurisdictions where they exist, these cyber response laws are not optional! Failing to prepare or fulfill your responsibilities under these laws can subject a company to penalties worse than the fallout from the actual breach.

Companies must develop an incident response plan and train staff on breach response. Following best practices and notification rules leads to the best outcomes. Customers, individuals, and enforcement agencies respond more favorably to incidents that were well-handled and well-communicated.

The Association has partnered with Enquiron, which provided this article, to offer members the Shortline Cyber Resource Center. This no-cost resource provides access to information, training and tools to help companies prevent a cyberattack and respond effectively if they fall victim, including help in creating an incident response plan. If you haven’t yet activated your member benefit, go to . Click on “forgot password” to follow the prompts to create a login. Call the Association office with questions at (314) 878-2304. Or, contact Enquiron at (877) 568-6655; press one for assistance.

What is Multifactor Authentication, and Do You Need It?
Wed, 01 Dec 2021 19:32:16 +0000
/featured-small/what-is-multifactor-authentication-and-do-you-need-it/

Across industries, businesses of all sizes are waking up to the fact that there are critical gaps in their cybersecurity strategy. When 80 percent of breaches are still caused by weak, reused, and compromised passwords, businesses need to focus on putting a stronger security foundation in place that corrects poor security hygiene without slowing down employees. When it comes to preventing unauthorized access, one of the most effective technologies a business can invest in is multifactor authentication.

But what is multifactor authentication, and what do you need to know about it if you’re considering it for your business, especially if your organization has limited resources or budget and must be strategic about investing in security solutions?

What is multifactor authentication?

Multifactor authentication, or MFA, was developed to add security checks to the login process. Before being granted access to something, the user is required to submit additional information to verify their identity. By creating more login proof points, you can better prove that someone is who they say they are, while making it much harder for someone else to break through your defenses.

Multifactor authentication protects an account with:

  • Something you know: A “knowledge factor” like a password.
  • Something you have: A “possession factor” like a phone or security key.
  • Something you are: An “inherence factor” like biometrics.

Even if a password is stolen, attackers won’t be able to access an account without all required factors.

Wait, is two-factor authentication the same as MFA?

Two-factor authentication, or 2FA, is a form of MFA. Many people are familiar with 2FA because there are now several popular consumer 2FA apps like Google Authenticator and LastPass Authenticator that integrate with personal services like email, banking, social media, and cryptocurrency. However, 2FA and MFA are not the same.

2FA combines two distinct factors: your password (knowledge) and a code generated by an app on a smartphone (possession) or a fingerprint swipe (inherence).

MFA, on the other hand, goes beyond two factors to three or more, like a password, a push notification to a trusted device, and a fingerprint swipe. The best MFA solution offers adaptive authentication that leverages a combination of biometric and contextual factors. An all-in-one solution increases overall security while decreasing the friction of the login experience.

2FA is a great starting point, but a one-size-fits-all authentication approach does not work when users have different behaviors, personal devices, levels of access and attributes.

True MFA is the strongest option, because the ability to leverage more factors and adapt requirements to different scenarios to prove someone’s identity means a smoother authentication experience and significantly reduced risk of successful attacks.

What types of multifactor authentication are out there?

Multifactor authentication comes in many forms. The technology has been around for more than a decade, and there are more options to choose from than ever. The rise in personal smartphones and the advancement of mobile technologies (such as the camera and specialized sensors) have had an especially big impact on MFA options. Common methods include:

  • SMS text and voice codes
  • Hardware tokens
  • Software tokens
  • Push notifications
  • Biometrics
  • Adaptive authentication

Each of these methods has its pros and cons, whether due to usability, cost, or comparative security.

The best authentication platform gives you the ability to choose more than one MFA method, so you can invest in one comprehensive solution while adapting to your business’ unique use cases.

Source: Enquiron

Association Offers Cyber Security Member Service
Wed, 01 Dec 2021 19:31:27 +0000
/news/association-offers-cyber-security-member-service/

Members of the Association now have access to a no-cost online service to protect against cyberattacks.

The Association has partnered with Enquiron to provide the Shortline Cyber Resource Center at no charge to members. This resource provides easy access to information, training and tools to help companies prevent a cyberattack and respond effectively if they fall victim.

Learn more about the resource in the Nov. 13 Shortliner story. If you are ready to activate your member benefit but cannot find the original email from Enquiron, go to . Click on “forgot password” to follow the prompts to create a login. As always, feel free to call the Association office with questions at (314) 878-2304. You also can contact Enquiron directly at (877) 568-6655; press one for immediate assistance.
