Third-party cyber breaches give local CISOs sleepless nights

South African-based chief information security officers (CISOs) have expressed huge concerns about how third-parties are increasingly exposing businesses to cyber attacks.

The CISOs were speaking yesterday during the inaugural ITWeb Brainstorm CISO Banquet, hosted as part of ITWeb's annual Secueity Summit and in partnership with MTN Business.

The CISOs' worries are escalating as more South African organisations fall victim to cyber attacks.

According to the CISOs, South Africa ranks as the third most attacked country in the world in regards to cyber crime, making the role of the CISO critical.

As a result, the leading cyber security experts called for more collaboration with their third-party suppliers in order to close the security gaps.

Speaking at the event, Manoj Puri, chief security officer at Absa Group, said organisations’ networks are now more connected, hence the need for increased collaboration to mitigate cyber risks.

According to Puri, Absa has about 10 000 third-party partners and the bank works around the clock to ensure their security systems are up to scratch.

Last year, Debt-IN Consultants, a debt recovery solutions partner to many South African financial services institutions, revealed that a ransomware attack by cyber criminals resulted in a significant data breach of consumer and employee personal information.

This is one example where a third-party’s IT systems was compromised, thereby exposing many banks’ customer data to cyber criminals.

Risky relationships

“Understanding the risks that the third-parties can introduce to us is critical. Any relationship with them brings cyber risks to us. We have seen a lot of recent breaches coming from third-parties,” Puri said.

“What I have observed is that we are all facing similar threats and we are starting to work together against these challenges.”

However, he pointed out that although there is some collaboration, it’s still not enough. “This is because we are failing to learn from others. We can only learn when we are not afraid to speak about our own vulnerabilities, ask for help, and then control the environment.

Manoj Puri, chief security officer at Absa Group.
Manoj Puri, chief security officer at Absa Group.

“We are all now connected, such that a breach in one firm puts our shared customers’ data at risk. We have to understand that a security incident in one of us has a huge impact on all of us. We need to find more ways of collaborating more than we are currently doing,” Puri said.

He emphasised that it is important that organisations maintain cyber hygiene. “We can talk about all the tools and all the good stuff that we can buy, but if cyber hygiene is not right, we will be in trouble.

“We also need to collaborate with vendors, as our networks have become more connected and more data is being shared with third-parties. As CISOs, we need to explain to the board and exco that we are not only looking to protect our organisation, but to also ensure the third-parties are secure.”

No easy feat

Also speaking at the event, Justin Williams, head of group information security at MTN Group, shared similar sentiments.

According to Williams, being a CISO is not an easy job. “We have to understand all the aspects of the business, all the risks that affect a business and how to mitigate them while depending on many people.

“We have to deal with third-parties across the supply chains. We have to deal with issues and incidents at the most inconvenient times. It’s not easy.

“It pains me every time I seen an organisation making headlines because of a cyber security event – whether it’s a data breach, a ransomware attack or an extortion attack. This is because somewhere out there, there is another CISO working more hours under extreme stress, while trying to keep the team together – if they have a team at all.”

Williams added that when the dust settles and the CISO gets a little insight of what actually happened, they always realise there were third-parties involved.

“These third-parties do not only provide services to the organisation involved in the cyber incident, but to all of us. So the impact always goes beyond that particular organisation that has been breached and indirectly impacts all of us. So we need to protect the entire ecosystem and none of us can do it alone.”

Justin Williams, head of group information security at MTN Group.
Justin Williams, head of group information security at MTN Group.

Williams pointed out that organisations should ensure the third-parties also have robust cyber security systems in place.

“We need to have sound hygiene practices on cyber security. We need to have standard clauses to all our contracts with third-parties that require them to enforce security on the entire ecosystem.

“It shouldn’t be seen as an extraordinary request leading to lengthy debates. It should also not be seen as a way of blocking somebody from doing business with us, but as a general attempt to set a standard for doing business with us.

“We need to work with our suppliers for them to improve security for all of us,” said Williams.

CISO survey findings

During the event, ITWeb announced the preliminary results of the Security Summit CISO Survey, run in partnership with MTN Business.

The majority of surveyed CISOs (55%) have seen their budgets marginally improve in comparison to last year. Only 5% saw their budgets decreasing.

Asked what prevents or delays investment in IT security, 30% of respondents cited the costs involved, followed by 16% who pointed out it is difficult to determine the return on investment (ROI).

On the leading drivers for security expenditure, 26% of CISOs revealed it’s the need to protect customer data, enable business opportunities (16%), maintain data integrity (11%), protect IP (11%), compliance (8%), prevent downtime or outages (8%), protect other assets (8%) and protect reputation (8%).

Commenting on the findings, Adrian Hinchcliffe, editor-in-chief of Brainstorm magazine, said: “I think I was hoping for some interesting and unusual research findings, but the story is quite straightforward, and tracks with much of the narrative we’ve been covering in ITWeb and Brainstorm over the past few years.

Adrian Hinchcliffe, editor-in-chief of Brainstorm.
Adrian Hinchcliffe, editor-in-chief of Brainstorm.

“As CISOs, you’re telling us you’re concerned about the increasing complexity of the tech landscape and the evolution of cyber threats and their frequency, and while cyber security is seen as a board priority and budgets have increased over the past year, you still face challenges getting buy-in from all levels (from the board down to the users), as well as issues around funding, demonstrating ROI and facing a shortage of skills.”

He added that while phishing and ransomware are top external threats, insider threats are seen as a significant security risk.

“As such, I think we’re going to see a greater demand for user policies and training, as well as investment around that going forward. Ultimately, the CISO’s job is huge and it's only going to get bigger, more complex and more encompassing.”

Simphiwe Hlophe of the Department of Home Affairs, Itumeleng Makgati of Standard Bank, Eskom’s Sithembele Songo, Celia Mantshiyane of MTN, and Manoj Puri of Absa in a panel discussion at the ITWeb Brainstorm CISO Banquet. (Photograph by Lesley Moyo)
Simphiwe Hlophe of the Department of Home Affairs, Itumeleng Makgati of Standard Bank, Eskom’s Sithembele Songo, Celia Mantshiyane of MTN, and Manoj Puri of Absa in a panel discussion at the ITWeb Brainstorm CISO Banquet. (Photograph by Lesley Moyo)
See also