The Business Times
Sponsored by UOB

Cybersecurity – a collective responsibility and business enabler

Published Mon, Feb 1, 2021 · 01:22 PM

There is no doubt COVID-19 has exponentially increased the speed and magnitude of digital adoption. Globally, six in ten C-suite executives said that their organisations had accelerated their digital transformation due to the pandemic.

Indeed, over the last few months, we have seen the accelerated digitalisation of enterprises and deployment of remote working initiatives that should have taken many months or even years to implement. We have also seen a dramatic increase in the rollout of new digital services—ranging from e-commerce platforms to virtual customer experience solutions—as enterprises fight to stay relevant in today’s contactless economy. 

However, the massive transformation has not only rapidly expanded digital attack surfaces and introduced new vulnerabilities; it has spurred threat actors to double down on exploiting the situation. 

The Supply Chain is the New Cyber Battlefront

While supply chain cyberattacks are not new, we are seeing increasing waves of cyberattacks aimed at the cyber supply chains of their targets. Threat actors are constantly seeking the easiest ways to circumvent cyber defences. While large enterprises typically have robust cybersecurity measures in place, some of their suppliers or partners might not be as well-protected, and can be an easy point-of-entry for attackers. As enterprises continue to transform, expand and diversify their supply chains to make them more resilient, their digital attack surfaces become more exposed, increasing their risks of getting breached. 

Enterprises today are increasingly reliant on technology service providers as they ramp up cloud adoption and migration and deploy more remote work and collaboration tools. If threat actors can successfully breach and infiltrate one of these service providers, they can steal sensitive data, including personally identifiable information (PII) and intellectual property (IP), from multiple organisations that use its platforms or services.

According to Ensign’s Singapore Threat Landscape 2019 report, the high technology industry—which includes cloud, data centre, and web hosting service providers that serve many other enterprises—is already the top target for threat actors. The trend of it being one of the most targeted sectors is likely to continue as threat actors can achieve economies of scale when targeting technology companies. Moreover, vulnerabilities might be overlooked due to the lack of clear roles and responsibilities when it comes to managing cyber risk in many of these vendor-supplier relationships.

E-commerce platforms, which have experienced a surge in sales in the current contactless economy, are also lucrative targets for threat actors. These platforms’ supply chains are usually extensive and complex, consisting of a wide spectrum of suppliers, including retailers, payment service providers and logistics partners. This provides multiple potential points-of-entry that threat actors can exploit to gain access to personal details and financial records of millions of users. 

A Challenging Collective Responsibility for All Enterprises 

Almost every enterprise today is part of an intricate network—providing digital services and products to enterprises and individuals on the one hand; leveraging the platforms and digital tools from others on the other. As supply chain cyberattacks continue to grow, every enterprise will have a role to play in maintaining and enhancing the cyber defence of their industry and nation, and that is by strengthening their security posture. 

After all, enterprises are only as strong as the weakest link. A successful cyberattack on one company can set off a chain reaction, allowing threat actors to compromise the network of other organisations that are connected to it. This makes it crucial for organisations to not only secure themselves, but to extend the same security considerations to the suppliers and vendors that interface with their networks and systems. 

In 2021, the Singapore government is planning to roll out a voluntary SG Cyber Safe Trustmark initiative where enterprises can demonstrate that they have met specific, pre-determined cybersecurity standards. This enables organisations to select partners or service providers with the requisite cybersecurity assurance levels to meet their needs. This will make strong cybersecurity a clear competitive advantage for enterprises, and incentivise more of them to strengthen their security posture, leading to more secure and resilient supply chain ecosystems.

However, due to COVID-19, the scales are tipped against many enterprises when it comes to cybersecurity.    

For many, a significant number of their employees are still accessing corporate services through their mobile devices and home networks, away from the normally well-defended enterprise networks with appropriate perimeter defences. 

Moreover, the rushed implementation of remote working technologies, including virtual private networks (VPNs), may expose enterprises to poorly-configured solutions which threat actors can exploit.

Enterprises are also seeing new waves of phishing campaigns as threat actors exploit COVID-19 to launch more effective social engineering attacks. In Singapore, Ensign found that COVID-19-themed phishing attacks started picking up momentum in March this year. By April, the frequency of attacks surged by more than 100 times as threat actors continue to capitalise on the pandemic to advance their interests. 

More worryingly, in a COVID-19 related phishing exercise conducted by Ensign, more than 35% of the organisation’s employees clicked on the link in the mock phishing email, and provided their personal information. This is 10% higher than the average result of past exercises. This proves that despite the normal level of vigilance observed in enterprises, a well-crafted phishing campaign exploiting the situation can still deliver exceptional results. 

Building the Foundation for their Future Cybersecurity Strategy 

While the security challenges that enterprises face are significant, they are not impossible to overcome. As enterprises undergo large-scale transformation, they can use this opportunity to ensure cybersecurity is designed and planned alongside any digital or remote working initiative. This will help enterprises develop more robust cyber defences so that they can emerge from the pandemic even more secure and digitally resilient than before. 

For enterprises that are now looking at a longer-term strategy to build digitally resilient organisations, here are the foundational steps that they should consider:

  • Leverage behavioural-based threat detection capabilities: As enterprises move towards an environment where cyber threats and vulnerabilities are emerging faster than ever, they need to adopt a more proactive approach to threat detection. They can consider tapping behavioural-based threat detection capabilities that can evolve alongside cyberthreats through deep learning and machine learning models.
  • Perform cyber risk assessments: As remote working solutions are implemented, enterprises need to perform risk assessments of these solutions, and adopt security-by-design principles to ensure adequate security measures are in place.
  • Improve employees’ situational awareness: Enterprises should continue to improve the security awareness of employees and carry out regular phishing exercises with varying scenarios and cybersecurity awareness training to enhance employees’ situational awareness and resilience to such malicious campaigns.
  • Manage supply chain risks: Enterprises should recognise that their suppliers and service providers contribute to their cyber risk exposure. They can explore maintaining an inventory of the key suppliers and service providers in the cyber supply chain on which key business activities depend, and then establish an assessment and enforcement regime for them to maintain an acceptable risk position.

Cybersecurity as a Business Enabler is No Longer a Platitude

In today’s landscape, cybersecurity is no longer just a risk mitigation measure, but a competitive advantage that can contribute to the growth of the company. Potential enterprise customers, such as top financial institutions, and even government agencies, are now increasingly requesting cyber assurance from suppliers and service providers. Companies that are not adequately secure could be out of the running for profitable contracts and sizable revenue from more and more organisations.

Although the concept of cybersecurity as a business enabler has been around for a few years, it has never been truer than now. For astute enterprises with an eye to the future, what is vital now is to build up a solid cybersecurity foundation for their organisation, and start developing a long-term cyber defence strategy. This will help them seize current opportunities, and position themselves ahead of their competitors in the future. 

 

The writer is vice president, managed security services, at Ensign InfoSecurity
