While cyber supply chain attacks are not a new trend, the spate of data breaches involving global third-party service providers, and the magnitude of these incidents’ impact, have propelled them into the global spotlight.
It is estimated that 40% of cybersecurity attacks originate from organisations’ extended supply chain. The situation is likely to persist or even worsen as organisations’ cyber supply chain ecosystems grow in size and complexity.
Digital service providers in threat actors’ crosshairs
Our recent study on Singapore’s Threat Landscape shows that the high technology industry — which includes cloud, data centre, and web hosting service providers — is already the top target for threat actors. This trend is likely to continue as threat actors can achieve economies of scale when targeting technology companies, especially in the wake of COVID-19.
Organisations are now increasingly reliant on technology service providers as they ramp up cloud adoption and migration and deploy more remote work and collaboration tools during the pandemic. If threat actors successfully breach and infiltrate these service providers, in the manner of a “watering hole” attack, they can steal sensitive data, including personally identifiable information (PII) and intellectual property (IP), from the many organisations that use those platforms or services.
Moreover, many organisations have had to diversify their cyber supply chains to meet evolving business demands and build resiliency during COVID-19. Consequently, we will see threat actors launching more frequent and sophisticated attacks on their targets’ extended network of partners, suppliers, and vendors that provide digital services to businesses.
5G technology supply chain at risk
Asia Pacific is the largest region for 5G adoption, and according to GSMA, an estimated US$331 billion will be invested in 5G deployments between 2020 and 2025. While the acceleration of 5G network and pilot deployments will spur rapid growth in its supply chain, it will also make that supply chain an attractive target and a lucrative attack vector for threat actors.
Cybersecurity vulnerabilities and malware-laced software can be introduced anywhere in 5G’s complex supply chain ecosystem, from network operators to companies developing 5G applications and hardware. If left undetected, a large number of organisations across Asia Pacific might unwittingly compromise their IT environments and databases when the tainted software or components are rolled out and adopted at scale.
Organisations under-prepared in facing these threats
While the impact and scale of attacks on cyber supply chains should not be underestimated, many organisations are under-prepared to safeguard themselves and their customers from these threats.
In 2020 we analysed more than a dozen companies across a range of industries. Many of these organisations were unaware of leaked third-party user credentials related to their corporate accounts, and some did not even have appropriate plans to address such leaks.
When we investigated their key suppliers’ threat exposure in the cyber supply chain, we also found a lack of risk enforcement and visibility between the organisations and their suppliers. This pointed to a limited understanding of the digital attack surface and risk exposure that organisations faced. The findings highlighted that many organisations take a myopic view of cybersecurity, focusing on what is occurring within the organisation rather than on external risks and threats.
Extending cybersecurity practices to organisations’ supply chain ecosystem
Organisations need to recognise that their cyber supply chain network is becoming more integrated with their business operations and it can contribute to their cyber risk exposure. As such, organisations will need to extend their cybersecurity practices to their ecosystem of partners, suppliers, and vendors.
An essential discipline is maintaining an inventory of key suppliers that vital business activities depend on in the cyber supply chain and then establishing an assessment and enforcement regime on the suppliers to sustain an acceptable risk position. Organisations should also extend the cybersecurity monitoring across the technology services and information exchange pathways between the organisations and third-party companies. This way, responses can be readily carried out when a threat or incident is detected.
Organisations should conduct regular cybersecurity audits of their key service providers and suppliers, and enforce cybersecurity practices on their supply chain partners so that vulnerabilities are remediated within a fixed timeframe. Organisations should also establish an incident response playbook to address personal data breaches, whether within the organisation itself or in response to a supplier’s cyber breach.
Mitigating cyberattacks on the supply chain requires industry-wide effort
While organisations’ individual efforts are undoubtedly important, tackling the trend of cyber supply chain attacks requires industry-wide vigilance and action from every company. In Singapore, the Monetary Authority of Singapore (MAS) has recently enhanced its Technology Risk Management Guidelines, which set clear expectations for financial institutions to implement strong supervision and management of third-party service providers to mitigate the risks of cyber supply chain attacks.
The Singapore government is also planning to roll out the SG Cyber Safe Trustmark programme this year, allowing companies to demonstrate that they have met specific, pre-determined cybersecurity standards. Additionally, the Cybersecurity Labelling Scheme (CLS) for IoT devices, implemented by the Cyber Security Agency of Singapore, aims to address cybersecurity assurance at the product level.
These initiatives enable organisations and consumers to select products and vendors with the cybersecurity assurance levels required to meet their needs. They will also allow organisations with a strong cyber defence and cybersecurity culture to demonstrate a clear competitive advantage over their peers and position themselves more strongly in the digital economy.
In the long run, these initiatives will help organisations appreciate the business value of cybersecurity and incentivise them to strengthen their cybersecurity posture, creating a more secure and resilient cyber supply chain ecosystem across all industries.
Xiang Zheng Teo is the Head of Advisory, Consulting, Ensign InfoSecurity