The latest IBM Data Breach Report revealed that an alarming 83% of organizations experienced more than one data breach during 2022. According to the 2022 Verizon Data Breach Investigations Report, the total number of ransomware attacks surged by 13%, which is a rise equal to the last five years combined.Harvard Business Review
With cyber risks skyrocketing at an alarming state, Harvard Business Review notes cyber attacks not only sink an organisation’s stock price but also cause a ripple effect in the whole supply chain, consuming company resources and limiting the ability to maintain its market. Although the short-term impacts of cyber attacks are already serious, their effects are also detrimental to companies in the long term.
Is there anything different or unusual about the attacks on various trusted and known brands recently?
Tim Choi: Recent attacks on trusted brands like EY, PwC, and Zellis involved cybercriminals exploiting zero-day vulnerabilities—previously undiscovered bugs without an immediate fix. What set these attacks apart was the subsequent targeting of clients, vendors, and suppliers through supply chain vulnerabilities.
"Last year, 68% of Singaporean organisations that faced cyber attacks attributed them to supply chain attacks. Attackers are increasingly leveraging supply chain vulnerabilities, and once they gain a foothold in an organisation or network, they can gather data that will likely later be used for extortion or ransomware attacks, as reflected in the recent attacks."Tim Choi
The recent attacks against EY, PwC and Zellis exploit zero day vulnerabilities. Should security vendors and service providers be held liable for the continued existence of zero day vulnerabilities?
Tim Choi: Security vendors and service providers have the responsibility to adopt industry best practices for developing products that are secure by design and have safe default configurations. They should also proactively identify vulnerabilities in their code through internal audits and bug bounty programs, and design their security patches for quick and easy adoption.
However, organisations that purchase software or services from these vendors also have a part to play – by making third-party risk assessments a central part of their procurement process and assessing the track record of vendors to respond promptly to vulnerability reports.
What are standard cybersecurity measures that all organisations should have?
Tim Choi: Apart from conducting due diligence on vendors to mitigate supply chain attacks, organisations should adopt a people-centric approach to defend against future threats. This involves breaking the attack chain by safeguarding identities and data to hinder lateral movement by threat actors within the organisation.
Conducting cybersecurity awareness training is vital to involve employees in cyber defence. Additionally, organisations should invest in a robust email fraud defence solution that utilises the latest technologies in machine learning and artificial intelligence to detect attacks, and partner with a threat intelligence vendor to leverage a solution that combines static and dynamic techniques to detect new attack tools, tactics and targets.
What are proven approaches to mitigate the risks of successful supply chain attacks?
Tim Choi: Government agencies should identify and prioritise software solutions that have the widest deployments and technologies that support critical infrastructure. Software vendors and companies also have a part to play – they need to adopt industry best practices for developing products that are secure by design and be proactive about identifying vulnerabilities in their code.
Companies that purchase software need to do their due diligence as well by making third-party risk assessments a central part of their procurement process. They should also invest in security around collaboration tools like Microsoft 365 and Google Workspace that have increasingly become targets for threat actors.
Given that CISOs and CIOs have acknowledged the difficulty in hiring/retaining the right talent in their cybersecurity teams, what options do they have?
Tim Choi: Our survey of global Chief Information Security Officers (CISOs) reveals that almost two-thirds believe they are at risk of suffering a material cyber attack within the next 12 months. Talent is needed to develop solutions that enable organisations to stay ahead of cybercriminals. However, demand far outpaces the available workforce.
Both the private sector and government need to invest in education and training – this could involve developing internship programs and establishing partnerships with educational institutions. This would give young talent early exposure and motivation to the industry. The industry also needs to embrace diversity and aim recruitment at women and minorities, who are too often overlooked.
Can and should they put their trust in security vendors/managed security service providers?
Tim Choi: When evaluating a security vendor, organisations must consider more than just the technology offered. They need to choose a provider who offers exceptional ongoing support, not just from the offset. Organisations should also seek companies with a strong track record of investing in research and development and innovating their solutions because attackers are constantly developing their tactics, techniques, and procedures (TTPs).
Finally, companies should ensure their vendor can provide adequate security awareness training for employees as the human factor continues to remain a critical aspect of a well-rounded security provider – everyone has a role to play in cybersecurity.