Cyber attacks on third parties raise risks for SA financial services

Global cyber crime costs are on the rise.

---

Over the past few years, there has been an exponential surge of cyber attacks globally. New technologies, a proliferation of threat actors, greater sophistication and innovation skills invested in the cyber underworld are all converging with the radical expansion of our digital world. This month, Statista forecast that global cyber crime costs would rise by 69.94% between 2023 and 2028, reaching the stratospheric high of US $13.82 trillion. By contrast, Gartner has projected that global cyber security and risk management spending in 2024 will total $215 billion. While this disparity is significant and troubling, this is a 14.35% increase over 2023, and notably, a higher rate than the 8% growth projected for all the rest of the global IT spend.

Executive Risk Consultant at ESCROWSURE, Anthony Watson, says: “These forecasts highlight how cyber crime has rapidly become ‘big business’ across the world. Today’s threat actors are not just scammers trying their luck, but include highly organised cyber crime syndicates, well-funded state-sponsored cyber gangs and leading-edge bands of advanced hacktivists.

"Financial institutions are, of course, among the top targets for threat actors, and we’ve recently had Manoj Puri, ABSA Chief Information Security Officer, reveal in the media that the bank has experienced a 400% increase in cyber attacks over the two years that he has been in the role, with millions of attacks taking place every month. It’s not just the intensification in number of cyber attacks that’s a challenge; digitisation has swiftly expanded the attack surfaces of both corporate and government institutions. These digital territories that must be safeguarded now include all the attack surfaces of their third-party suppliers, and in turn, those of their fourth party suppliers. Establishing adequate defences and responding to ever-evolving threats has never been so complex and gruelling, and so critical to business continuity."

While threat actors’ goals are ultimately money, making hostages out of data and software is their common strategy. Ransomware, denial-of-service and supply chain attacks can all cut off companies from their access to the software that powers their businesses. Malicious attacks may specifically target software source code to lock out legitimate users, disrupt operations and prevent business as usual.

Ryan Boyes, Governance, Risk and Compliance Officer of the Galix Group, says: “In general, cyber attacks are picking up in all areas; however, there are increasingly significant risks to organisations surrounding third-party source code. We are seeing threats to software source code such as man-in-the-middle attacks (MitM), backdoor attacks, source code leaks and code injection, to name a few. There have been many incidents and, unfortunately, this trend will continue. A pattern is emerging regarding supply chain attacks. Typically, these attacks target the software supply chain directly and compromise the trusted third-party software providers. This is done to distribute malicious code to their customers. Unfortunately, as digital information is so fluid, the ways in which it can move makes it a lot harder to track, monitor and manage. We are also seeing threat attackers using more sophisticated attack techniques, such as supply chain attacks, typo squatting and dependency confusion to insert malicious code into widely used libraries and tools.”

Through a wide range of tactics, threat actors are constantly trying to infiltrate the networks of financial organisations and those of their suppliers. Once they have compromised the attack surface, they release applications that can systematically encrypt data as well as software. Decryption keys are then offered in return for non-traceable payments, often in crypto-currencies. More often than not, the price of the ransom is just a drop in the ocean when it comes to the other damages to the business under attack. It’s not just the frequency of cyber attacks that has spiralled, it’s also the severity. Research shows that institutions are facing significant, rising financial losses and recovery is becoming more and more prolonged.

Watson comments: “In its State of Ransomware in South Africa 2024, cyber security provider Sophos reports the average cost of recovery incurred by South African organisations excluding ransom payments runs to over US $1 million, and 26% of organisations require between one and six months to recover to full operational capacity. This underscores the urgency for South Africa’s financial sector to become meticulous when it comes to cyber hygiene and shows why cyber hygiene across the entirety of an organisation’s attack surface has become a crucial factor in the risk assessment and selection of third-party software suppliers. While the concept of cyber hygiene includes a range of practices to maintain the health and robustness of interconnected operating systems, we are seeing software escrow emerging as a key cyber hygiene protocol that helps to address the inherent third-party software vulnerabilities.”

Boyes says: “A good start is having your inventory mapped. This can mean defining a data flow and understanding how information moves across the organisation and all relevant dependencies. We are also seeing an increase in performing third-party risk assessments specific to your interactions. This is a good way to check make sure that some level of industry best practice is followed. In line with this, many organisations themselves lean into compliance standards such as ISO 27001 and frameworks such as CIS and NIST, among others. You also need to ensure you have the right contracts in place and that there is a level of vulnerability management involved to perform automated scanning. Tying this in with patch management will assist in rolling out updates promptly to third-party components. The biggest thing is performing an assessment to identify what you have and what level of mitigation you need. The old saying, 'you can’t manage what you don’t know' is very applicable here.”

Risk mitigation when it comes to third-party software vulnerabilities has also put software escrow in the spotlight. This is an internationally accepted best practice for managing the risks associated with relying on third-party software providers. It involves a customised legal agreement to safeguard source code and make it available to the user in the case of clearly defined trigger events that threaten business continuity, such as cyber attacks that compromise access to and the integrity of source code.

Watson concludes: “While software escrow obviously cannot prevent a cyber attack on a third-party software supplier, it does provide corporate and government entities with a vital failsafe in the event of source code being encrypted or tampered with during a cyber attack. Software suppliers, which include fintech start-ups, allocate a cyber budget that cannot compare to the big corporates they do business with. It’s inevitable that their resources to protect their attack surfaces are going to be less than those of any major bank or insurance company. Therefore, building an affordable solution such as software escrow into their offering is going to help them better meet their clients’ cyber security and business continuity requirements.”