APAC firms need to build trust, brace for more third-party attacks

More businesses are expected to appoint chief trust officers to drive their focus on security and risk management, which may be necessary this year as ransomware and supply chain attacks are projected to escalate.
Written by Eileen Yu, Senior Contributing Editor

Organisations worldwide including in Asia-Pacific are expected to increase their focus on building trust, with several appointing chief trust officers to lead efforts. The move will be necessary especially as ransomware and supply chain attacks are projected to escalate this year.

At least five global companies currently have dedicated executive roles that oversee trust matters. None are from Asia-Pacific, according to Jinan Budge, principal analyst with Forrester, where she looks at Asia-Pacific security and risk research.

She pointed to a 2022 prediction, in which Forrester expected at least 15 Global 500 organisations to appoint chief trust officers. Reporting directly to their CEO, these roles initially would look at security, privacy, and risk management, before expanding their efforts to encompass brand strategy, corporate values, and other human-centric aspects of trust.

Other organisations also were expected to add such responsibilities to an existing C-level executive, such as chief information security officers, according to the Forrester report, which Budge co-authored.

The analyst told ZDNet that Asia-Pacific enterprises must start looking more closely at the issue of trust, especially as such discussions surfaced amongst consumers.

She noted that privacy and confidentiality were among the top five priorities for consumers in Asia-Pacific when they made online purchases.

She added that Forrester expected two chief trust officers appointed this year to be from this region.

Apart from the need to build trust, enterprises also should be concerned about brain drain in the security sector, she said.

One in 10 experienced security professionals were expected to exit the industry this year, according to Forrester's predictions. With more than 3 million roles already unfilled globally, the lack of talent in security would be further compounded as executives suffered from burnout.

Forrester's 2021 figures revealed that 51% of cybersecurity professionals experienced extreme stress, while 65% said they considered leaving their job due to work stress as well as poor financial incentives and limited promotion and career development.

Budge noted that the brain drain also would impact organisations in Asia-Pacific and affect all aspects of cybersecurity, including national security.

She urged businesses and chief information security officers to address the issue by looking at ways to attract and retain staff. These should include efforts to reduce team burnout, create opportunities for career development, and nurture a good culture.

Supply chain attacks likely to escalate

Asked about security challenges that would escalate this year, Yihao Lim, Mandiant Threat Intelligence's principal intelligence advisor, said third-party attacks would continue to persist because they were difficult to detect and combat.

Third parties were trusted sources, and organisations often pushed out software patches and updates from these partners without first testing them in a sandbox, Lim said in an interview. These sometimes would be applied directly on production servers, resulting in malware being deployed without much scrutiny.

Third-party suppliers served as pivot points for hackers targeting businesses in the wider ecosystem, he added. Pointing to high-profile supply chain attacks such as SolarWinds and Kaseya, he noted that these involved applications that were used by multiple customers and were highly reputable.

Forrester predicted that third-party attacks would account for 60% of global security incidents in 2022, with 55% of security professionals acknowledging their organisation last year experienced a security incident or breach involving supply chain providers. Some 27% of organisations experienced at least 10 such disruptions in 2021, compared to just 4.8% the year before.

The research firm underscored the need for companies to deploy tools for risk assessment, supply chain mapping, real-time risk intelligence, and business continuity management.

Budge added that while these attacks were not new, they were expected to increase as the pandemic further accelerated the growth and expansion of third-party ecosystems. Companies were not only tapping the innovation of external partners rather than developing their own products, but also collaborating with third parties to drive their digital engagement with customers.

Furthermore, Asia's role as a major manufacturing hub made the region a bigger target of supply chain attacks, said Righard Zwienenberg, ESET's senior research fellow.

He, too, expected such attacks to likely worsen this year.

Zwienenberg noted that the change in work environment due to the pandemic provided cybercriminals with a lot more options in seeking out vulnerable systems, including those that resided within the wider supply chain ecosystem.

These could comprise non-IT suppliers that might not know how to ensure their networks and data were adequately secured in a remote or hybrid work infrastructure, he said.

Security risks from the accelerated shift to remote work were likely more prevalent in Asia-Pacific, he added, where organisations were less accustomed to such work practices. This meant they were less prepared in facilitating the move, while maintaining their overall security posture.

Vulnerabilities on employees' personal devices or home routers brought new threats to corporate networks, he said. If enterprise networks were not segmented as a security measure, ransomware then could easily spread and move to the wider supply chain ecosystem.

Zwienenberg suggested that organisations mitigate such risks by restricting user access to what was essential to their job, so they did not have access to the entire corporate network.

Access segmentation would enable companies to quickly isolate systems in the event of a security incident or breach, and prevent the rest of their network from being compromised, he said.

They also should implement other security tools such as multifactor authentication, network monitoring, and threat detection, he added. For instance, companies should be able to detect if an employee's home router was unsecured and deny access.

He noted that there still were many organisations in Asia-Pacific that did not have such tools in place to ensure their networks were secured.

Interestingly, Forrester had forecast insider threats to climb significantly in 2021, but this did not materialise. In fact, incidents of insider threats fell last year, Budge said.

She theorised that this mismatch might be due to the shift towards remote work, which impacted organisations' ability to effectively detect insider threats.

Because it became difficult to determine what was "normal" behaviour within the network, due to the change in how users accessed corporate data, companies likely were unable to detect insider threats even if these surfaced.

The ability to do so may prove critical as ransomware attacks are expected to further gain ground.

Lim noted that ransomware and extortion incidents saw significant growth last year and would continue to climb this year.

Threat actors had been proactive in attempts to shame their victims, for example, by contacting media agencies with proof they had access to the victim's systems. They would do so to get the attention of the victim, which could be a high-profile financial company, knowing that data leaks would have repercussions such as lawsuits and damaged reputation for the victim.

Such extortion attempts had been highly effective, he said, adding that they would continue to escalate this year amidst the public attention and profits they generated for cybercriminals.

"Shaming victims is effective because, especially in Asia-Pacific, organisations would try to keep security breaches confidential and would not even admit them when asked. Now, they can't even play dumb because hackers are shaming them publicly," Lim said.

By identifying their victims and demonstrating they had access to customer information, cyber attackers were establishing some form of non-repudiation, in which businesses could no longer deny they suffered a security breach. This added pressure on them to pay the ransom to prevent their customers' data from being leaked, he noted.

"The hackers know it's lucrative, so this trend will continue to persist this year," he said. He advised organisations to consider all legal and regulatory implications if they had operations in countries such as the US, where they might be sanctioned if they paid a ransom in state-sponsored attacks.

Growing geopolitical tensions can drive cybersecurity threats

In fact, an increasingly unstable global geopolitical landscape could fuel cyberattacks, including those targeting critical information infrastructures (CII), said Acronis' co-founder and chief research officer Serguei Beloussov, in a video interview with ZDNet.

Pointing to increased tensions between countries such as the US, Russia, and China, he said these could lead to more attacks that disrupt national infrastructures.

Security risks were further exacerbated with hacking tools readily available online, Beloussov said. The number and sophistication of such tools not only had increased, but also were more varied, making cyber attacks more efficient and inexpensive to launch.

This could lead to more ransomware attacks against smaller targets such as small and midsize businesses and individuals, he said. While these were less profitable, the wide variety and availability of tools made it easier for hackers to expand the spread of their targets for more returns.

Voicing his concerns about rising geopolitical tensions, he said this might push governments to focus on developing cyberweapons. This, in turn, likely would lead to such tools eventually finding their way out of cyber laboratories, and into the hands of conventional bad guys.

Beloussov said: "Imagine a scenario when a government launches a cyber attack on another government, and a cybersecurity company detects the activity and investigates it. It figures out how the attack is carried out and publishes the details, from which the bad guys then are able to learn."

Be it ransomware or supply chain attacks, Budge said the fundamentals remained important in managing security threats. Regardless of the type of attack or vulnerabilities, the analyst advised companies to be strategic and avoid a knee-jerk reaction to security.

Beloussov also underscored basic things businesses should do to better safeguard against security threats, including running security tools on their systems and devices and maintaining backups of their data.

Beyond securing physical access, they should ensure all systems were regularly checked and updated and properly configured, he said.

"The important thing is to take the common sense approach and adopt basic precaution, such as running penetration and vulnerability," he added. "You need to know how well prepared you are in dealing with all types of attacks."

Zero trust slow to gain momentum in Asia-Pacific

And while zero trust had been widely pitched as an essential cybersecurity framework, Budge noted that its adoption remained low in Asia-Pacific for various reasons. First, its label had led to confusion in a region where many cultures were built and reliant on trust.

Second, Asian markets largely were risk-averse, she said, with companies only moving to adopt something when another had actually done so. This was starting to change, with more organisations over the past 12 months taking their first steps towards zero trust.

However, it required significant transformation on the company's part, encompassing added investment in technology, resources, and culture. Not all organisations in Asia-Pacific had sufficient people or resources to adopt a zero trust architecture, she said, adding that this also had resulted in its low adoption.

Furthermore, vendors in the region were touting such tools as the panacea and silver bullet to everything related to security. This would not sit well with businesses here, Budge said.

Citing figures from Forrester, she noted that just 13% of security leaders in Asia-Pacific described zero trust as a top strategic cybersecurity priority in 2021.

According to Lim, Singapore's take on "assume breach position" underscored the importance of a zero trust mindset.

He noted that businesses should consider two key points this year with regard to security. First, apply principles of least privilege in establishing the types of network access. Users should only be given access to what they needed for their role and this should be regularly reviewed, especially as employees move from one department to another, he said.

Echoing Zwienenberg's advice, Lim also recommended companies put in place some form of network segmentation, which would help prevent widespread outage when a security incident occurred. Networks could be segregated by functions, enabling attacks to be contained within a zone so an affected section would not affect another.

He further emphasised that moving to the cloud did not necessarily mean an organisation's environment would be fully secured.

Pointing to the shared responsibility model adopted amongst most cloud providers, he said customers also had to ensure due diligence in securing their own environment, such as implementing the right configuration and administrative tasks.

Shared responsibility models typically outlined security boundaries that were under the cloud vendor's purview and those that should be undertaken by the customers. 

