SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Supply chain attacks remain large threat to enterprise
Fri, 6th Jan 2023

Supply chain attacks will continue to be one of the biggest threats to enterprises using open-source software, according to new key trends from LogRhythm that will define the APAC cybersecurity landscape in 2023.

Kevin Kirkwood, Deputy CISO, says Asia-Pacific organisations are at the forefront of open-source software adoption, having observed the highest growth amidst the pandemic. However, that adoption brings with it the pressing concern of open-source security.

"With the region's high reliance on open-source software, organisations are likely to be perceived as prime targets to cyberthreats from supply chains," says Kirkwood.

"In 2023, we will see bad actors attack APAC's vulnerabilities in low-hanging open-source vendors with the intention of compromising the global supply chain that utilises third-party code," he says.

"In recent years, hackers have become more strategic when it comes to exploiting open-source software and code so 2023 will be no different. Bad actors examine the code and its components to obtain a thorough understanding of its flaws and the most effective ways to exploit them."

Kirkwood says most people think of supply chain attacks as an attack on the physical pipeline that will prevent one from producing physical products. 

"Software supply chain attacks are similar in nature to the physical world. Developers use libraries, executable code and code snippets to complete their software products," he says. 

"If those elements are compromised and malicious code is introduced to those elements, the end product produced becomes a vehicle for threat actors to compromise the product and potentially gain entry to the system that houses the software."

Blindspots to surprise businesses, as they cut corners to make ends meet in uncertain economic times

Kirkwood says that in tough economic times, an organisation's C-suite will be focused on cutting what they perceive as non-essential costs and will carefully analyse what they would choose to protect from a business perspective.

"However, as organisations balance between international turning points and scaling down operations, threats will inevitably continue to evolve as cybercriminals take this chance to up their attack game during the recession," he says. 

"Therefore, it is crucial that all organisations, regardless of sectors, take on proactive security strategies, adopt frontline prevention and detection technologies together with other security tools that provide preemptive capabilities."

Organisations will reap the rewards of cybersecurity awareness efforts

Eric Hart, Manager, Subscription Services at LogRhythm, says with the rise in organisations falling victim to social engineering attacks over the past year, more organisations will look to invest in employee training programs to better detect threats. 

"2022 has seen some big names the likes of Microsoft, Cisco and Uber suffer breaches by way of multi-factor authentication (MFA) fatigue, phishing and other social engineering tactics," Hart says.

"Apart from software, investing in the people and incorporating cybersecurity education is just as important."

Hart says employees play a critical role in the fight against cyberthreats, despite often being perceived as the weakest link.

"When employees are equipped with the skills to detect, interpret and prevent threats from malicious hackers, it will reduce the possible costs of a breach," he says. 

"In 2023, we will see organisations credit their employees as instrumental to the discovery of cyberthreats and in protecting their business."

Organisations will feel the pressure of impending security standards

The U.S. Department of Commerce will partner with the ASEAN Consultative Committee on Standards and Quality (ACCSQ) to co-develop programs on digital trust and cybersecurity standards, with the goal of strengthening ASEAN's digital trade ecosystem and enhancing regional connectivity.

In line with managing and minimising risk, a research team from Nanyang Technological University Singapore, together with AI industry leaders, has created a new standard on AI security. This was in response to the demand for securing the integrity of AI programmes and building trust in AI solutions.

"While these standards are designed to strengthen organisations, the process of reaching full regulatory compliance can be tricky," says Hart. 

"The complexity, along with the growing push for federally enforced compliance, suggests we could see a flurry of activity in 2023 as more organisations seek to adopt these new security standards."

Organisations will turn to subscription and managed services to better manage security

Hart says developing an IT budget has grown increasingly complex over the last few years, further amplified by the industry's skill shortage. 

"General sentiments of economic uncertainty have swept through nearly every sector, leaving executives with a bevy of difficult budgeting decisions," he says. 

"Ultimately, organisations will be looking to do more with less in 2023 or more with the same, in many instances. This will be especially evident among organisations in APAC, with almost half of the region's cybersecurity market predicted to be driven by managed security services in 2023."

According to Hart, one way organisations are hoping to accomplish this is through the prioritisation of subscription and managed services in their security budgets. 

"Lean IT teams will turn towards these services to fill internal skill gaps and help achieve organisational security goals, like improving maturity, unlocking 24x7 visibility and optimising threat detection and response," he says.

Wider talent gap for cybersecurity in APAC, this post pandemic world

According to Joanne Wong, Vice President of International Markets at LogRhythm, 60% of organisations in APAC reported a shortage in the cybersecurity workforce this year, with the region seeing the largest gap worldwide.

"As the world opens up post pandemic, APAC's cybersecurity professionals will seek options to work in other places around the world, where job opportunities for such talent also abound," says Wong. 

"This challenge will become more pressing for APAC markets where there's a wide salary gap in comparison with developed markets, predominantly in the west," she says.

"Businesses in APAC not only need to find ways to attract cybersecurity talent, they also need to nurture their existing cybersecurity teams. Offering learning and development opportunities that relate to fast-evolving cybersecurity technology will help them stay ahead of cyberthreats.

"Where possible, embracing advanced cybersecurity technology will also help ensure that they stay efficient at their job," Wong adds. 

"For example, businesses could look into eliminating laborious and repetitive tasks of cybersecurity teams, by adopting automation technology and machine learning capabilities."