“Supply chains” are not something that pops up in everyday conversation and “supply chain hacks,” even less so. But beginning in late 2020, supply chain hacks rocketed from cybersecurity footnotes, and relative obscurity, to the front page of the world’s biggest news outlets – and have continued to vex governments, business leaders, and decision makers since then.
One supply chain hack that brought these risks to the fore was the SolarWinds breach, in which more than 18,000 companies using SolarWinds’ IT management software were affected, including some of the world’s biggest companies like Microsoft, Visa, and Mastercard.
The true cost of the hack remains to be known. We still do not know if backdoors will exist in some of these networks. The business and financial consequences may last years, or even decades, into the future, depending on how successful the bad actors are in leveraging them.
In Singapore, the country’s largest telco Singtel reported that an aging file transfer system it used was breached. The file transfer vendor had issued a patch meant to protect the system against vulnerabilities but failed to advise its customers that the patch was not effective until after the telco’s files had already been breached.
Then, mere months later, another supply chain hack affected Singapore’s National Trade Union Congress (NTUC). This time, the trade union’s contact centre service vendor was attacked; hackers took contact information from a mailbox where the data was being stored.
Strengthen every link in your cyber security chain
Supply chain hacks may be difficult to understand and apply to day-to-day happenings. But for currently employed Singaporeans, as well as for those who are entering or about to enter the workforce, the implications are clear: in the interconnected digital economy, each decision that you make affects the complex web of your customers.
Monitoring emails for phishing links and only opening attachments from trusted colleagues within your organisation: these tips still hold true at a tactical level, but Singaporeans must shift their thinking at a larger level to keep themselves, and their businesses, safe.
Unlike the other cyber risk of the moment, scams, there’s no simple checklist or set of tips by which Singaporeans can increase their vigilance against supply chain hacks. What the recent supply chain hacks in Singapore have shown is that bad actors will leverage whatever tactics it takes, often whittling away at the least-defended or most-forgotten point in a vendor’s portfolio.
As such, there are two central philosophical changes that can help to jumpstart Singaporeans’ readiness against supply chain hacks if they’ve not yet started their preparations.
First, it is absolutely critical to understand that all businesses, no matter the revenue or the size, are a target. From small businesses with a few employees, to the marquee MNCs in the CBD, in the post-supply chain hack threat environment, every business is part of a supply chain, and every business that uses the internet can be leveraged in a supply chain hack.
Thinking that your business’s modest revenues make it less of a target foolishly ignores that your business has customers; your customers have customers of their own. While not all supply chain hacks will approach the level of sophistication of the SolarWinds hack, whereby the breach was passed from customer to customer, the tremendous business and financial consequences of being involved in such a hack should easily tip the scales towards vigilance and preparation.
Second, just as it is prudent to assume that your business is a target, on a much deeper level, it is also strategic to assume that your most critical asset – your data – is always under attack. In our private lives, we’re often desensitised to how vulnerable our data is, and surrender our data for anything from free wi-fi to access to the latest apps.
In reality, data is your business’s most precious asset; when considering the financial ramifications of a hack from fines to remuneration, as well as the customer consequences that may be suffered for losing data, the abstract costs of data can quickly become very real.
Lessons we can learn
While SolarWinds was the first major supply chain attack of its kind at scale, it will definitely not be the last. Countries like Singapore may have escaped the brunt of the attack, but it would be foolhardy to not heed the wake-up call.
Fortunately, Singapore’s government is off to a strong start combatting the risks of supply chain hacks. Following the early fallout of the incident, the government began enacting policies to protect Singapore from future supply chain hacks, starting with Singapore’s critical information infrastructure.
Singapore’s government has also started to discuss Zero Trust, a widely used philosophy for protecting data that emphasises verifying everything that happens within its systems, to protect the most sensitive data. Learning about and applying Zero Trust principles provides an immediate head start for protecting your company’s data, although Zero Trust must be continually maintained in order to be effective.
Companies across Singapore and APAC will also have to do more to secure themselves and their customers. Supply chain hacks mark a seismic shift in the cybersecurity landscape and demand a radical shift in the way we consider defence against malicious actors, starting with a mindset shift from complacency to being ever ready.
Jonathan Tan is Managing Director, Asia, McAfee Enterprise