Cyber attack highlights supply chain vulnerabilities

The cyber attack on the computer networks of the National University of Singapore (NUS) and Nanyang Technological University (NTU) last week has once again cast the state of Singapore’s cyber security into the spotlight.

According to the Cyber Security Agency, the attack appeared to be the work of advanced persistent threat actors who were looking to steal information related to government or research. The two universities have close research links with Singapore government agencies through projects such as self-driving buses.

The attack should come as no surprise. With the removal of Internet access from the work computers of civil servants, it was only a matter of time before hackers found creative ways to access government-related information through so-called supply chain vulnerabilities.

What this means is that instead of targeting victim networks directly, cyber attackers exploit a software or network loophole at one of the victim's suppliers or partners, and use that foothold to get to the victim itself.

This has long been a concern in cyber security circles, since it can be difficult for organisations to enforce or prescribe specific cyber security measures for suppliers and partners – beyond broad service level agreements. Prior to the NTU and NUS incident, groups such as APT10 have already launched campaigns to steal data from organisations via their managed service providers (MSPs).

Besides MSPs, SMEs (small and medium-sized enterprises) that provide services to large enterprises are also prone to supply chain attacks. Many SMEs do not have dedicated IT departments, let alone security teams to fend off potential attacks.

So what can organisations do? For now, there are few standards that address cyber security issues related to the supply chain. The Payment Card Industry Data Security Standard (PCI DSS) is one of them. It not only offers vendor management guidelines, but also specifies safeguards such as the use of encryption.

More importantly, organisations should put in place a vendor management programme that includes identifying the most important vendors and requiring strict documentation of controls and processes. The programme should also be integrated with an organisation’s compliance practices. You can find out more in this guide by SANS Institute.

As for SMEs, the Singapore government has been working with industry bodies to promote awareness of cyber security among smaller firms in recent years. But it is uncertain if these awareness programmes have the intended effect, going by the data breaches that continue to make headlines.

Beyond awareness programmes, more tangible support is needed to improve the cyber hygiene of SMEs. This could take the form of a shared service where experts conduct annual cyber security audits for SMEs to determine areas that can be improved. This will also address the shortage of cyber security expertise that many SMEs are facing today.