2023-07-27

Alastair Miller is principal advisory consultant at Aura Information Security.

OPINION: We are just a small country at the end of the Earth. So why are we seeing big overseas cybercrime organisations targeting our small third-party service providers in Aotearoa?

It’s all due to a clever tactic being leveraged by hackers to find a less secure backdoor into more lucrative organisations.

You see, the world of enterprise technology is very interconnected. Organisations rely on a vast array of vendors – from cloud hosts and software platforms to managed service providers – to make their business tick. This also means that most big companies are sharing access to their IT systems with a large number of third parties.

The logic behind a third-party breach is simple. If a hacker can infiltrate an IT provider, they can use that as a stepping stone to reach their real target – the provider’s customers.

Recently breached third parties in this country have inadvertently given cybercriminals access to government organisations, emergency services, telcos and insurers, among other clients – all of which hold vital confidential information about thousands of Kiwis who place trust in these providers to safeguard their information.

So it’s not hard to see why these are such attractive targets. When hackers successfully target the right service provider, they open themselves up to a goldmine of information and potentially millions of dollars in returns.

Globally, this has been a very successful strategy for cybercriminals. Just look at the recent breach of file-sharing platform MOVEit, which has compromised more than 120 companies globally, including HR and payroll software third-party supplier Zellis, whose clients include the BBC and British Airways.

It was only a matter of time before we saw this trend making waves here in New Zealand.

Kordia recently surveyed leaders of large businesses in New Zealand, and found 28% of recent cyberattacks on surveyed businesses came via a third-party supplier.

And this line of attack is likely to continue, with hackers becoming more innovative. AI and other forms of technology are constantly evolving, and threat actors are quick to exploit new tech to their advantage.

The hackers’ approach

It’s simple for a hacker to figure out which third party is a desirable target, thanks to open-source intelligence (OSINT).

With the vast amount of information available in the public sphere, they only need to visit a company’s website to get an understanding of who their clients are.

Companies give away more clues through the information they share on social media and in other channels, giving hackers more than enough easily acquirable intelligence about their target.

It’s not just big businesses with large customer bases that appeal to hackers. Small businesses are still quick and easy targets, even if they are only a secondary target caught up in a larger third-party breach. This is why it’s so important to remember that you are still accountable for your information, even if you’ve handed it over to another business.

Likewise, under the Privacy Act, a business is still accountable for its data even if it’s not at fault through a direct data breach.

This means if one of your third-party providers – whether that be a managed service provider, payroll provider, contractor, consultant or otherwise – gets impacted by a data breach, you’re still accountable for your data that they are holding.


Mitigating risk

So what can you do to mitigate this risk?

Undertaking risk assessments of your current and future third-party providers is a good place to start. This means asking questions and gaining an understanding of each individual organisation’s cybersecurity posture so you can make informed decisions about who you entrust your data with.

One thing that is often overlooked: when working directly with third parties, you should encrypt all confidential information you share with them, and you should never send the encryption key at the same time, or through the same channel, as the files themselves.

If you are caught up in a third-party data breach, then business continuity is key. Having an incident response plan ready to go will ensure you’re prepared to handle the consequences of the breach. This should include how you plan on managing the situation internally and externally, details on how to inform people who may be involved, and a plan to switch providers in the interim.

Attacks on third-party providers are a growing trend in cybercrime right now, and this upward trajectory is only going to continue.

The best thing businesses can do to protect themselves is to be prepared for an attack and ensure they are working with like-minded organisations that are also prepared and manage confidential information correctly.