Zero trust, basic cyber hygiene best defence against third-party attacks

Rather than entrust third-party suppliers to keep their supply chain secured, organisations should adopt a zero trust security strategy and establish basic cyber hygiene to safeguard their data.
Adopting a zero trust security strategy can better safeguard organisations against third-party attacks, where suppliers should not simply be entrusted to do the right thing. In this second piece of a two-part feature, ZDNet looks at how businesses in Asia-Pacific can establish basic cyber hygiene as well as better data management to combat attacks from across their supply chain.

There had been a spate of third-party cybersecurity attacks since the start of the year, with several businesses in Singapore and across Asia impacted by the rippling effects of such breaches. Just last month, personal details of 30,000 individuals in Singapore might have been illegally accessed following a breach that targeted a third-party vendor of job-matching organisation, Employment and Employability Institute (e2i). Earlier this year, personal data of 580,000 Singapore Airlines (SIA) frequent flyers as well as 129,000 Singtel customers also were compromised through third-party security breaches.

Acronis CEO Serguei Beloussov believed third-party attacks such as those involving Accellion and SIA could have been prevented with a zero trust architecture. He dismissed suggestions that supply chain attacks could be mitigated through a network of trusted suppliers. Noting that few of them imposed strict access, Beloussov said every supplier had employees and it took just one “untrusted” source to breach a network. Humans made mistakes and this had always been the primary challenge, he said, noting that employees would forget to follow procedures or circumvented these to make their job easier.

“Zero trust isn’t just about not trusting [anyone], it’s about personal [cyber] hygiene,” said Beloussov, who likened it to not sharing toothbrushes even with one’s spouse. “Unless you have some proper measures [in place], you’ll be more often sick if you shared toothbrush.”

Security policies also should be implemented, and adhered to, with regards to how supply chains were protected, he said. Regular checks as well as vulnerability assessment and penetration testing should be carried out, he noted, stressing the need to monitor and control all suppliers.

Acronis’ chief information security officer (CISO) Kevin Reed said organisations needed to know who and what were accessing their data. This meant they would have to consistently assess their partners’ trust level, and not just at the start of their business relationship when a new contract was inked, he said.

“Three months after [the beginning of the partnership], they might suffer an attack and their trust level would decrease, but if you only evaluated at the start, you would not be able to catch this,” Reed said. “With zero trust, you need to re-evaluate all the time and preferably in real-time. This should apply to anything that touches your data.”

Check Point’s research head Lotem Finkelstein added that security should always be a criterion against which products and suppliers were evaluated. Questions should be asked about security measures they had put in place and whether connections with these suppliers were secured, to limit the risks of engaging with them, Finkelstein said.

Reed noted that prevention would play a key role. With the majority of security attacks today opportunistic, he said this meant that organisations would be able to thwart most attempts if they adopted preventive measures to decrease their probability of getting breached.
