Security Becomes a Digital Supply Chain Blindspot

Image credit: iStockphoto/BrianAJackson

A cyberattack in Australia last week underlined the increasing importance of the digital supply chain.

For some organizations, there are supply issues around computer chips. Many are looking at the ethics of the companies in their supply chain as they seek to meet ESG benchmarks. Others are re-evaluating the feasibility of the ‘just in time’ supply chain in light of the pandemic.

For those planning their IT infrastructure in the State Government of South Australia, the risks of the digital supply chain were made clear when it emerged last week that as many as 80,000 public sector employees had their personal details stolen after a cyberattack on an external payroll provider.

Frontier Software provides payroll services to the Government, and the company confirmed that significant personal information had been stolen. The stolen data could also include details about the State’s Premier, Steven Marshall, effectively the chief executive officer of nearly two million people.

The accessed data includes tax file numbers, bank account details, dates of birth, payroll information, and pension contributions.

Employees have been told to contact their financial institutions and closely monitor their statements for unusual transactions. The Government has also engaged the cybersecurity support service IDCARE to develop a response plan.

Frontier has provided payroll services to the South Australian government for 20 years, so it is a trusted provider. Yet, in a single stroke, the breach compromised as many as 80,000 people whose information is potentially being accessed on the dark web.

Digital supply chain

“It is not enough for organizations to just focus on their security infrastructure; they must understand and have confidence in the security of their entire supply chain,” says Aaron Bugal, global solutions engineer at Sophos.

“Attackers are increasingly using an organization’s supply chain partners to gain access to confidential and sensitive information, particularly if they identify a weak link. It is imperative organizations are working closely with their supply chains to understand the security of businesses they collaborate with and work together to address vulnerabilities.”

The South Australian example is hardly unusual. Supply chain cyberattacks are expected to quadruple in 2021 compared with the previous year, according to the European Union Agency for Cybersecurity (ENISA).


An attack on U.S. software firm Kaseya in July 2021 affected up to 1,500 businesses across the globe. In Sweden alone, almost 500 supermarkets were forced to close when their checkouts stopped working due to the attack.

The hackers who claimed responsibility for the Kaseya breach demanded USD70 million to restore all affected businesses’ data.

At Datto, senior channel manager Shaun Witherden points out the risks inherent in reliance on SaaS providers and the impact of a provider’s security posture on its customers.

“It can and will have direct impacts on their customers when they suffer outages due to cyber incidents,” says Witherden.

“By adopting a shared responsibility model, SaaS providers can enable business continuity while ensuring compliance and meeting security requirements.”

Risks in the SaaS model

It is a given that businesses are engaging with digital providers through the dominant SaaS model, which makes security even more of a priority.

Beyond the identity theft and privacy issues that hit South Australia, there are security issues around access management, data retention, regulatory compliance, and disaster recovery, to name a few.

End-user training, policies and standards, and a SaaS security checklist are among the measures that can be taken. But there also needs to be a clear understanding of where the responsibility lies, which can be murky in the cloud era.

Can a single point of access in the cloud expose the confidential information of multiple customers? The answer to this is most likely yes.

As a customer, do you have control over the location of where your data is stored? Is encryption available in all stages of the storage?

There is no single answer to the security issue. In choosing vendors, it comes down to a rigorous risk assessment process and a commitment from the customer organization that it, too, will maintain a security posture and ensure that its people are continually educated and alert to security issues.

Steps can be taken around identity access management with multi-factor authentication. While it might be tedious for users, it can save the company at the end of the day.

Then, if in doubt, engage another vendor as a security consultant to audit the digital supply chain and identify weak points.

Gartner analysts advocate cloud access security brokers (CASBs), which act as a single control point for policy and monitor behavior and risk across an entire SaaS stack.
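The article names a SaaS security checklist and a rigorous vendor risk assessment as the core of choosing providers, but does not show what such an assessment looks like in practice. The following is an added example, not code from the article or from any vendor mentioned in it: a small Python module that scores a vendor’s answers to a weighted checklist built from the questions the article raises (tenant isolation, data location, encryption at every stage, MFA, retention, disaster recovery, shared responsibility, independent audit). The control keys, weights, thresholds and the two sample vendor questionnaires are assumptions constructed for illustration; an unanswered question is treated as a gap rather than a pass.

```python
"""Weighted SaaS vendor risk assessment (added example; checklist and weights are assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    key: str        # identifier used in the vendor's answer sheet
    question: str   # the checklist question put to the vendor
    weight: int     # 1 (minor) .. 5 (critical); a failed critical control is disqualifying


# Hypothetical checklist derived from the questions raised in the article.
CHECKLIST = (
    Control("tenant_isolation", "Are customer tenants isolated so that a single point of access cannot expose other customers' data?", 5),
    Control("mfa_enforced", "Is multi-factor authentication enforced for all user and administrative access?", 5),
    Control("encryption_in_transit", "Is data encrypted in transit?", 4),
    Control("encryption_at_rest", "Is data encrypted at rest, including backups?", 4),
    Control("independent_audit", "Has an independent security audit been completed in the last 12 months?", 4),
    Control("data_location_control", "Can the customer choose or restrict where its data is stored?", 3),
    Control("disaster_recovery", "Are recovery objectives documented and tested?", 3),
    Control("shared_responsibility_doc", "Is the shared responsibility split written into the contract?", 3),
    Control("retention_policy", "Is there a documented data retention and deletion policy?", 2),
)


def assess_vendor(answers: dict[str, bool]) -> dict:
    """Score a vendor questionnaire and return gaps plus a procurement verdict.

    Missing answers count as failures: an unanswered control is a gap the
    customer cannot rely on, not a pass.
    """
    total_weight = sum(c.weight for c in CHECKLIST)
    gaps = [c for c in CHECKLIST if not answers.get(c.key, False)]
    gap_weight = sum(c.weight for c in gaps)
    score = round(100 * (total_weight - gap_weight) / total_weight)
    critical_gaps = [c.key for c in gaps if c.weight >= 5]

    # Thresholds are assumed policy values, not figures from the article.
    if critical_gaps or score < 60:
        verdict = "reject"
    elif score < 85:
        verdict = "accept with remediation plan"
    else:
        verdict = "accept"

    return {
        "score": score,
        "gaps": [c.key for c in gaps],
        "critical_gaps": critical_gaps,
        "verdict": verdict,
    }


def report(answers: dict[str, bool]) -> str:
    """Human-readable summary listing each open gap with its question text."""
    result = assess_vendor(answers)
    by_key = {c.key: c for c in CHECKLIST}
    lines = [f"score={result['score']} verdict={result['verdict']}"]
    for key in result["gaps"]:
        lines.append(f"  GAP [{by_key[key].weight}] {by_key[key].question}")
    return "\n".join(lines)


# Constructed sample questionnaires (not real vendor data).
# Vendor A: no MFA, no data-location control, no recent audit; "retention_policy" left unanswered.
SAMPLE_VENDOR_A = {
    "tenant_isolation": True, "mfa_enforced": False, "encryption_in_transit": True,
    "encryption_at_rest": True, "independent_audit": False, "data_location_control": False,
    "disaster_recovery": True, "shared_responsibility_doc": True,
}
# Vendor B: every control in place except a documented retention policy.
SAMPLE_VENDOR_B = {c.key: True for c in CHECKLIST}
SAMPLE_VENDOR_B["retention_policy"] = False

if __name__ == "__main__":
    print("Vendor A\n" + report(SAMPLE_VENDOR_A))
    print("Vendor B\n" + report(SAMPLE_VENDOR_B))
```

The point of the weighting is that a vendor can look good on an unweighted tally and still fail: Vendor A passes five of nine controls, but the missing MFA enforcement is a critical control, so the verdict is a rejection regardless of the percentage. Unanswered questions defaulting to a gap is deliberate, since a blank on a security questionnaire is exactly where the weak link tends to hide.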

Meanwhile, in South Australia, the hackers have demanded a ransom payment in return for the payroll information they stole.

The Australian Signals Directorate, which defends Australia from global threats, is on the case, and the attack appears to have originated in Russia.

The South Australian capital Adelaide is a long way from Russia, where no one has heard of state Premier Steven Marshall, but in 2021 that is irrelevant.

We are all increasingly connected in the digital ecosystem, and once you enter into it, there is ultimately no place to hide.

Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and DigitalWorkforceTrends, and the editor of NextGen Connectivity. His fascination is with how businesses are reinventing themselves through digital technology and collaborating with others to become completely new organizations. You can reach him at [email protected].
