Zero Trust & Basic Cyber Hygiene: Best Defense Against Third-Party Attacks


Since the beginning of the year, there has been a slew of third-party cybersecurity attacks, with the repercussions affecting a number of companies in Singapore and across Asia. 

Personal information of 30,000 Singaporeans may have been unlawfully accessed last month as a result of a breach that targeted a third-party vendor of the Jobs and Employability Institute (e2i), a job-matching organization. The personal information of 580,000 Singapore Airlines frequent flyers and 129,000 Singtel customers was also compromised earlier this year due to third-party security breaches. 

A zero trust architecture, according to Acronis CEO Serguei Beloussov, might have prevented third-party attacks like those involving Accellion and SIA. In terms of how supply chains are secured, he said, security policies should be enforced and followed. He emphasized the importance of monitoring and control, and said that vulnerability assessments and penetration testing should be carried out. 

Kevin Reed, Acronis' chief information security officer (CISO), said that companies must be aware of who and what is accessing their data. This means they have to evaluate their partners' trustworthiness on a regular basis, rather than only when a new contract is signed, he explained. 

To limit the risks of engaging with these suppliers, Finkelstein recommends asking questions about the security measures they have put in place and whether connections with these suppliers are secured. According to Reed, prevention is crucial. Since the majority of security threats today are opportunistic, he believes that organizations would be able to thwart most of them if they take preventative steps to reduce their chances of being hacked. 

The way to mitigate the risk to businesses is by adopting better data management and replacing old technology. Beloussov put it concisely: "Nothing that is more than a few years old is healthy. It is possible to penetrate a structure constructed 20 years ago. You have to constantly check and update the system." 

CyberGRX's CISO Dave Stapleton pointed to the attack on SITA, whose effect on some airlines could be comparatively small due to the types of data exchanged. This may reflect good data management practices such as data segmentation and categorization, in which not all pieces of information are stored in the same database and data access is limited to particular functions. 
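The segmentation idea above can be made concrete: records are split by data category on ingest, each category lives in its own store, and every business function (including a third-party one) is scoped to the categories it needs, with every decision logged. The following is an added illustration, not code from the article or from any company it mentions; the categories, function names and sample record are constructed assumptions.

```python
"""Data segmentation with function-scoped access (added illustration).

Each record is split into category segments on ingest; a function may
only read the segments its scope allows, and every decision is audited.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed categorisation: which fields belong to which data category.
CATEGORY_FIELDS = {
    "identity": {"name", "passport_no", "email"},
    "loyalty": {"member_id", "tier", "miles"},
    "operational": {"booking_ref", "seat", "flight"},
}

# Constructed function scopes: a third-party check-in vendor is given
# operational and loyalty data only; identity data never leaves the
# identity store for that function.
FUNCTION_SCOPES = {
    "seat_assignment": {"operational"},
    "loyalty_statement": {"loyalty"},
    "third_party_check_in": {"operational", "loyalty"},
}


class AccessDenied(PermissionError):
    """Raised when a function reads outside its scoped categories."""


@dataclass
class SegmentedStore:
    # One separate dictionary per category stands in for separate databases.
    segments: Dict[str, Dict[str, dict]] = field(
        default_factory=lambda: {c: {} for c in CATEGORY_FIELDS})
    audit: List[str] = field(default_factory=list)

    def ingest(self, record_id: str, record: dict) -> None:
        """Split a record by category; reject fields nobody has classified."""
        known = set().union(*CATEGORY_FIELDS.values())
        unknown = set(record) - known
        if unknown:
            raise ValueError(f"uncategorised fields rejected: {sorted(unknown)}")
        for category, fields in CATEGORY_FIELDS.items():
            part = {k: v for k, v in record.items() if k in fields}
            if part:
                self.segments[category][record_id] = part

    def read(self, function: str, record_id: str, category: str) -> dict:
        """Return one category segment if `function` is scoped for it."""
        allowed = FUNCTION_SCOPES.get(function, set())
        if category not in allowed:
            self.audit.append(
                f"DENY function={function} category={category} id={record_id}")
            raise AccessDenied(f"{function} may not read {category}")
        self.audit.append(
            f"ALLOW function={function} category={category} id={record_id}")
        return dict(self.segments[category].get(record_id, {}))


def demo() -> dict:
    """Exercise the store with a constructed passenger record."""
    store = SegmentedStore()
    store.ingest("r1", {
        "name": "A. Tan", "passport_no": "PASSPORT-PLACEHOLDER",
        "email": "a.tan@example.invalid",
        "member_id": "M123", "tier": "gold", "miles": 42000,
        "booking_ref": "ABC123", "seat": "12A", "flight": "SQ001",
    })
    outcome = {}
    outcome["vendor_operational"] = store.read(
        "third_party_check_in", "r1", "operational")
    try:
        store.read("third_party_check_in", "r1", "identity")
        outcome["vendor_identity_denied"] = False
    except AccessDenied:
        outcome["vendor_identity_denied"] = True
    outcome["denials_logged"] = sum(1 for e in store.audit if e.startswith("DENY"))
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the split is that a compromise of the function (or vendor) holding the operational store exposes only that store; the denial log is also the signal a security operations team would watch for a partner probing beyond its agreed scope.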

According to Reed, the security industry has also evolved over time, and, he added, with today's programming compilers and frameworks, software is more stable, with security built in by design.