Taking responsibility for cybersecurity breaches
The recent spate of cyberattacks on organisations in South Africa, where data of South African citizens has been compromised, is shining a spotlight on cybersecurity, in particular, the management of data by third-party service providers.
Maher Yamout, Senior Security Researcher, Global Research & Analysis Team at Kaspersky, takes a closer look.
“Based on the reports of a recent cyberattack on a well-known pharmacy retailer, the breach can be attributed to a typical database exposure by the service provider. This has happened numerous times globally when companies hire a third-party to manage their software and data. The third-party creates a large database in the cloud without putting adequate security measures in place. Later, a researcher or threat actor might find it and either report the instance or expose the data,” says Yamout.
The financial consequences of these third-party incidents are significant. Research shows that the average cost of such a breach in 2021 across the Middle East, Turkey, and Africa (META) region was $915k. At a practical level, sharing data with suppliers significantly increases the attack surface requiring a more diverse set of protection methods.
“In today’s connected environment, businesses must repel the efforts of organised crime, rather than simply block malicious software. They need a combination of security technology, the analysis of external and internal cyber threat intelligence, constant monitoring, and the application of best practices for incident response.”
As a starting point, local companies must ensure they only share data with reliable third parties and extend their existing security requirements to suppliers. In the case of sensitive data or information transfers, third-parties need to provide all documentation and certifications that they meet regulatory requirements especially in the wake of the Protection of Personal Information Act (POPIA) coming into effect. In very sensitive cases, it is also advisable to conduct a preliminary compliance audit of a supplier before signing any contract.
“However, even if the company might not be an interesting target, it can still be used as a link to a greater delivery chain. This is especially the case if the data sets stored at third-party service providers are large. To mitigate any potential threat, defences like counteraction and detection to response are essential. Even forecasting possible risks can significantly enhance cybersecurity as this can flag any potential weak points in the overall chain of the organisation, suppliers, and other third-parties,” adds Yamout.
Third-party service providers might be less cautious about getting attacked or about protecting themselves. Threat actors therefore use their infrastructure as leverage for a successful attack on the primary target, such as the company transmitting the data.
“Good cybersecurity practice requires a multi-layered defence starting with the company itself. This sees a properly segmented corporate network with delineated access to different portions so that only employees entitled to do so have access to specific data. Third-party access must be heavily restricted, so nothing malicious slips through and gains access to anything important,” adds Yamout.
Ultimately, having access to comprehensive managed protection services will help local companies with not only their attack investigation and response, but also in effectively safeguarding data when moving it to a third-party service provider that has all the compliance checks in place.