Organizational cybersecurity is only as strong as the weakest link.
Imagine you run a high-profile telco upon which tens of thousands of businesses depend for their connectivity needs. Due to heavy penalties for network outages, your cybersecurity has to be airtight at all times.
And then something happens: a vendor that has access to your networks is the one that gets hacked. The result: your customer data still ends up compromised. That is the situation Singtel in Singapore faced last week.
The attack on its vendor Accellion affected a file-sharing system that Singtel used internally and with external stakeholders. “Files were taken,” said Singtel; the File Transfer Appliance was deployed as a standalone system.
This incident highlights how total security involves not only an organization’s networks but also “standalone” data systems and every vendor that has access.
According to Synopsys Software Integrity Group spokesman and senior security engineer Boris Cipot, defining a highly effective security strategy is not only about keeping attackers away from your resources: “It is also about preparing for potential worst-case scenarios in the event that attackers do succeed. In this case, Singtel and their file-sharing supplier, Accellion, were prepared. Upon realizing they had been breached, Accellion notified customers, issued a press release disclosing the situation, and notified authorities. They halted the use of the breached system so that appropriate steps can be taken to investigate the resulting impact to their business and their customers.”
According to Cipot, organizational security strategies must account for all internal and external resources in use. The level of maturity of vendors’ security strategies can directly affect any organization’s security stance as well.
“Simply put, your firm’s security stance is only as strong as that of your vendors’. Know what hardware and software are in use, have detailed information about software versions, plugins, patches that have been deployed, and ensure versions are up-to-date as a baseline.”