Over the past few years, there has been an exponential surge of cyberattacks globally. New technologies, a proliferation of threat actors, and the greater sophistication and innovation invested in the cyber-underworld are all converging with the radical expansion of our digital world.
This month, Statista forecast that global cybercrime costs would rise by 69,94% between 2023 and 2028, reaching the stratospheric high of $13,82-trillion. By contrast, Gartner has projected that global cybersecurity and risk management spending in 2024 will total $215-billion. While this disparity is significant and troubling, this is a 14,35% increase over 2023, and notably, a higher rate than the 8% growth projected for all the rest of the global IT spend.
Anthony Watson, executive risk consultant at Escrowsure, says: “These forecasts highlight how cybercrime has rapidly become ‘Big Business’ across the world. Today’s threat actors are not just scammers trying their luck but include highly organised cybercrime syndicates, well-funded state-sponsored cybergangs and leading-edge bands of advanced hacktivists.
“Financial institutions are, of course, amongst the top targets for threat actors, and we’ve recently had Manoj Puri, Absa chief information security officer, reveal in the media that the bank has experienced a 400% increase in cyberattacks over the two years that he has been in the role, with millions of attacks taking place every month.
“It’s not just the intensification in the number of cyberattacks that’s a challenge; digitisation has swiftly expanded the attack surfaces of both corporate and government institutions. These digital territories that must be safeguarded now include all the attack surfaces of their third-party suppliers, and in turn, those of their fourth-party suppliers.
“Establishing adequate defences and responding to ever-evolving threats has never been so complex and gruelling, and so critical to business continuity.”
While the threat actors’ goal is ultimately money, making hostages out of data and software is their common strategy. Ransomware, denial-of-service and supply chain attacks can all cut companies off from their access to the software that powers their businesses. Malicious attacks may specifically target software source code to lock out legitimate users, disrupt operations and prevent business as usual.
Ryan Boyes, governance, risk and compliance officer of the Galix Group, says: “In general, cyberattacks are picking up in all areas; however, there are increasingly significant risks to organisations surrounding third-party source code. We are seeing threats to software source code such as man-in-the-middle (MitM) attacks, backdoor attacks, source code leaks and code injection, to name a few.
“There have been many incidents and unfortunately, this trend will continue. A pattern is emerging regarding supply chain attacks. Typically, these attacks target the software supply chain directly and compromise the trusted third-party software providers. This is done to distribute malicious code to their customers. Unfortunately, as digital information is so fluid, the ways in which it can move makes it a lot harder to track, monitor and manage.
“We are also seeing threat attackers using more sophisticated attack techniques such as supply chain attacks, typosquatting and dependency confusion to insert malicious code into widely used libraries and tools.”
Through a wide range of tactics, threat actors are constantly trying to infiltrate the networks of financial organisations and those of their suppliers. Once they have compromised the attack surface, they release applications which can systematically encrypt data as well as software. Decryption keys are then offered in return for non-traceable payments, often in cryptocurrencies.
More often than not, the price of the ransom is just a drop in the ocean when it comes to the other damages to the business under attack. It’s not just the frequency of cyberattacks that has spiralled, it’s also the severity. Research shows that institutions are facing significant, rising financial losses and recovery is becoming more and more prolonged.
Watson comments: “In its State of Ransomware in South Africa 2024, cyber security provider Sophos reports that the average cost of recovery incurred by South African organisations, excluding ransom payments, runs to over $1-million, and that 26% of organisations require between one and six months to recover to full operational capacity.
“This underscores the urgency for South Africa’s financial sector to become meticulous when it comes to cyber hygiene and shows why cyber hygiene across the entirety of an organisation’s attack surface has become a crucial factor in the risk assessment and selection of third-party software suppliers.
“While the concept of cyber hygiene includes a range of practices to maintain the health and robustness of interconnected operating systems, we are seeing software escrow emerging as a key cyber hygiene protocol that helps to address the inherent third-party software vulnerabilities.”
How can companies improve safeguarding third-party software?
Boyes says: “A good start is having your inventory mapped. This can mean defining a data flow and understanding how information moves across the organisation, and all relevant dependencies. We are also seeing an increase in performing third-party risk assessments specific to your interactions.
“This is a good way to check and make sure that some level of industry best practice is followed. In line with this, many organisations themselves lean into compliance standards such as ISO 27001 and frameworks such as CIS and NIST, amongst others.
“You also need to ensure you have the right contracts in place and that there is a level of vulnerability management involved to perform automated scanning. Tying this in with patch management will assist in rolling out updates promptly to third-party components.
“The biggest thing is performing an assessment to identify what you have and what level of mitigation you need. The old saying, ‘you can’t manage what you don’t know’, is very applicable here.”
Risk mitigation when it comes to third-party software vulnerabilities has also put software escrow in the spotlight. This is an internationally accepted best practice for managing the risks associated with relying on third-party software providers. It involves a customised legal agreement to safeguard source code and make it available to the user in the case of clearly defined trigger events that threaten business continuity, such as cyberattacks that compromise access to and the integrity of source code.
Watson concludes: “While software escrow obviously cannot prevent a cyberattack on a third-party software supplier, it does provide corporate and government entities with a vital failsafe in the event of source code being encrypted or tampered with during a cyberattack.
“Software suppliers, which include fintech start-ups, allocate a cyber budget that cannot compare to the big corporates they do business with. It’s inevitable that their resources to protect their attack surfaces are going to be less than those of any major bank or insurance company.
“Therefore, building an affordable solution such as software escrow into their offering is going to help them better meet their clients’ cybersecurity and business continuity requirements.”