30 Apr 2021
Cyber Criminals Target “Weakest Link” in the Supply Chain as European Firms Accelerate Digitisation Strategies
By Manoj Bhatt, Head of Cyber Security Advisory and Consulting at Telstra Purple EMEA
As Europe tentatively emerges from the COVID-19 pandemic, it is facing a world that looks very different to how it did a year ago. It is clear that we won’t be returning to the ‘old normal’ but we’re still coming to terms with what the ‘new normal’ looks like. For businesses, the need to operate during the pandemic required digital transformation efforts to be accelerated and innovative new approaches to be swiftly adopted.
To map this rapidly shifting landscape, Telstra recently commissioned market research firm Vanson Bourne to study how the pandemic has shaped the strategies of hundreds of businesses across Europe. It found that, on average, firms had invested $2.28 million in digital transformation projects since the start of 2020 and that almost 40 per cent had accelerated digital transformation and innovation projects as a result of the pandemic.
However, the research also revealed a corresponding rise in the cybersecurity threat facing these companies. Nearly two-thirds (65 per cent) of respondents said that the number of cyberattacks at their organisations has increased as a result of the pandemic.
Supply chain threats and vulnerabilities
This growing threat is particularly evident in how businesses interact with their supply chain partners and suppliers. Almost nine in ten (89 per cent) respondents agree that involving members of their supply chain within digital transformation and innovation projects could lead to improved success for their organisation. But at the same time, more than four in ten (45 per cent) respondents have seen an increase in the volume of attacks on supply chains as a result of the pandemic, making it the most commonly cited attack vector, ahead of both phishing attacks (44 per cent) and ransomware attacks (43 per cent).
This supply chain vulnerability came to widespread public attention at the end of last year via the high-profile attack on US software firm SolarWinds. A single trojanised update to SolarWinds' Orion network management software, signed and distributed through the vendor's normal update channel, was installed by as many as 18,000 customers, including government agencies. Reports suggest that about 30 per cent of the organisations affected didn't even have a direct relationship with SolarWinds – they were connected to a company that did.
“The sophisticated nature of the SolarWinds supply chain attack shows that adversaries with the time, personnel, imagination, and resources to pursue novel methods of intrusion will succeed,” noted Brett Galloway, CEO at AttackIQ, a cybersecurity firm in the Telstra Ventures portfolio. “Cybersecurity teams need to run a new threat-informed defense play that is proactive rather than reactive because adversaries are getting through too many times.”
The firm has called for organisations in financial services, government, healthcare, tech and manufacturing – the main targets of attacks – to adopt a “zero trust, assume breach” mindset as part of a major rethink in cybersecurity policy under the new US administration.
AttackIQ operates a platform that can be tailored to simulate a range of attacks in a real-world environment. It notes that the average CISO has potentially hundreds of security controls to manage and that these fail constantly. Moreover, when they do fail, whether through misconfiguration or operational error, they fail silently, so the failure is not identified until it is too late. According to AttackIQ, automated and continuous testing of controls is the only way to confidently verify that they are working as expected to protect an organisation from breaches and attacks.
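The point about silent failure is worth making concrete. A control that stops alerting looks, from the SIEM, exactly like a control with nothing to report; the only way to tell the two apart is to run a known, harmless test through it on a schedule and confirm the expected alert arrives. The following is an added example written for this article, not AttackIQ's or Telstra's code: it correlates a catalogue of synthetic tests (each tagged with a unique marker) against an alert export and classifies every test as detected, late, or missed. The test catalogue, the newline-delimited JSON alert format, the rule names and the timestamps are all constructed for illustration and do not correspond to any real product.

```python
"""
Continuous control validation: correlate synthetic, harmless tests with the
alerts a SIEM actually produced and report silent failures.

Added example. The test catalogue, the alert export format and every rule
name below are constructed for illustration, not taken from a real tool.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import json


@dataclass(frozen=True)
class ControlTest:
    """One scheduled, benign test (e.g. EICAR drop, lookup of a canary domain)."""
    test_id: str                # unique marker embedded in the test artefact
    control: str                # control under test, e.g. "edr", "dns-filter"
    executed_at: datetime
    expected_rule: str          # detection rule that must fire
    sla: timedelta = timedelta(minutes=15)


@dataclass
class ValidationReport:
    detected: list = field(default_factory=list)
    late: list = field(default_factory=list)    # fired, but outside the SLA
    missed: list = field(default_factory=list)  # the silent failures

    def failing_controls(self):
        return sorted({t.control for t in self.late + self.missed})


def parse_alerts(siem_export: str):
    """Parse newline-delimited JSON alerts (constructed format, not a real SIEM's)."""
    alerts = []
    for line in siem_export.strip().splitlines():
        rec = json.loads(line)
        alerts.append({
            "rule": rec["rule"],
            "marker": rec.get("marker"),
            "ts": datetime.fromisoformat(rec["timestamp"]),
        })
    return alerts


def validate(tests, alerts):
    """Match each test to alerts by rule AND marker, only after the test ran.

    Matching on the marker (not just the rule name) stops a stale alert from an
    earlier run, or a genuine incident, from masking a control that has gone quiet.
    """
    report = ValidationReport()
    for t in tests:
        matches = [a for a in alerts
                   if a["rule"] == t.expected_rule
                   and a["marker"] == t.test_id
                   and a["ts"] >= t.executed_at]
        if not matches:
            report.missed.append(t)
            continue
        first_seen = min(a["ts"] for a in matches)
        bucket = report.detected if first_seen - t.executed_at <= t.sla else report.late
        bucket.append(t)
    return report


def run_example():
    """Constructed run: four controls tested at 09:00-09:03 on 30 Apr 2021."""
    base = datetime(2021, 4, 30, 9, 0, 0)
    tests = [
        ControlTest("T-001", "edr",           base,                          "EDR: test file detected"),
        ControlTest("T-002", "dns-filter",    base + timedelta(minutes=1),   "DNS: canary domain resolved"),
        ControlTest("T-003", "email-gateway", base + timedelta(minutes=2),   "Email: attachment quarantined"),
        ControlTest("T-004", "proxy-egress",  base + timedelta(minutes=3),   "Proxy: blocked category"),
    ]
    # Constructed alert export: EDR fires promptly; DNS alert arrives 24 minutes
    # late; the email alert is a stale one from BEFORE the test ran; the proxy
    # never alerts at all.
    siem_export = """
{"rule": "EDR: test file detected", "marker": "T-001", "timestamp": "2021-04-30T09:00:42"}
{"rule": "DNS: canary domain resolved", "marker": "T-002", "timestamp": "2021-04-30T09:25:00"}
{"rule": "Email: attachment quarantined", "marker": "T-003", "timestamp": "2021-04-30T08:30:00"}
"""
    return validate(tests, parse_alerts(siem_export))


if __name__ == "__main__":
    r = run_example()
    print("detected:", [t.test_id for t in r.detected])
    print("late:    ", [t.test_id for t in r.late])
    print("missed:  ", [t.test_id for t in r.missed])
    print("controls needing attention:", r.failing_controls())
```

On the constructed data the EDR test is detected, the DNS filter is late, and both the email gateway and the egress proxy are reported as missed: the email control produced an alert with the right rule name, but it predates the test and so proves nothing about the control's current state. That is the distinction a simple "did the rule fire today?" check would get wrong, and it is why the marker and the execution timestamp are part of the match.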
New solutions addressing supply chain security weaknesses
The SolarWinds attack reveals an uncomfortable truth: increased reliance on third parties, and the greater sharing of data and network access that comes with it, has created a lucrative new window of opportunity for cybercriminals.
The traditional methods of assessing third-party vulnerabilities – typically requiring laborious questionnaires to be completed by all parties – have quickly become outdated.
According to Colorado-based CyberGRX, another Telstra Ventures portfolio company, third parties spend an average of 15,000+ hours completing bespoke assessments each year, while the enterprises ordering the work say they only take action on 8 per cent of those assessments. As these bespoke assessments do not provide a structured and actionable data set – and with an increasing number of third parties to evaluate – the approach simply does not scale.
CyberGRX is one firm leading the charge on modernising the Third-Party Cyber Risk Management (TPCRM) market. It provides a cloud-based platform and standardised cyber risk data set that enables enterprises and third parties to connect and exchange information in an efficient and actionable manner.
“Organisations are increasingly relying on more vendors to remain competitive in the digital economy,” said Nick Swallow, Director of Solutions Architecture, EMEA, at CyberGRX. “Investing in a vendor risk management solution that helps them identify which vendors and risks to focus on enables quicker deployment of cloud-based tools, analytics platforms and other tools that can transform a business.”
Building security into enterprise culture
At Telstra Purple, we have seen first-hand the increased focus on risk management and cyber resilience in response to the COVID-19 crisis and the SolarWinds attack.
Cyber resilience has quickly moved to the top of the agenda as businesses embraced remote working and rolled out digital transformation policies. What we've learnt is that cybersecurity is no longer a concern for the security or IT department alone: the organisations that will weather the storm best are those that already have a strong, ingrained, business-wide security culture.
Telstra has teamed up with CyberGRX and others to discuss new approaches and solutions to third-party risk assessment in an upcoming webinar hosted by InfoSecurity Magazine.