A rapid increase in so-called supply chain attacks targeting third-party technology vendors is putting the heat on chief information security officers (CISOs).
Some of the most significant cybersecurity breaches this year have been supply chain related: think SolarWinds, Accellion, the Hafnium Exchange Server compromises and, most recently, the Kaseya attack.
It is an issue only compounded by the COVID-19 pandemic, said the Auckland manager of security and IT services provider Advantage, Steve Smith.
The shift to remote work reduced the ability of security and IT teams to do due diligence on third-party systems as they were brought into use, while also broadening the attack surface available to bad actors.
"If you look back two or three years, companies typically had just a few dozen third-parties in their ecosystem," Smith said.
"Today, according to the Ponemon Institute, enterprises are averaging thousands, often up to 6000 third-party vendors – that’s a lot of third-party risk to manage."
Smith said that is where CyberGRX comes in.
"We were introduced to CyberGRX through venture capital firm Telstra Ventures which has made some significant investments in the cyber security space," Smith said.
Indeed, it was the fact that Advantage was already using two other systems from the Telstra Ventures portfolio, Cofense and AttackIQ, that prompted the approach.
With its 100,000 members, CyberGRX has automated and standardised the time-intensive manual process of assessing third parties, and has now made it its mission to reach every CISO in New Zealand.
"Their goal is to help them reduce their cyber-risk, and part of that is choosing to work with local partners, like Advantage, whose goal is to understand the local market better than anyone," Smith said.
Those partners needed to bring a level of governance, risk, and compliance skill to the conversation.
“We are very deliberate about the partners we choose to work with," said Anthony Panuccio, director at CyberGRX.
"Telstra Ventures introduced us to Advantage, and they certainly have the reputation and credibility in market to help us achieve our mission to reduce supply chain risk in the market.”
According to Marcus Bartram, general partner at Telstra Ventures, another pressure for security teams is mobile.
“For most of us, using your mobile for work and connectivity is instinctual. But is it secure? Or, more realistically - is mobile even part of your company’s cyber defence strategy?" he asked.
Another Telstra Ventures portfolio company, Zimperium, had created what it said was the world’s first machine learning-based security engine for mobile, allowing remote workers to access sensitive data and mission-critical systems securely.
Bartram said Telstra Ventures had seen an uptick in the number of its US-based portfolio companies looking to the Asia Pacific region.
“AttackIQ, another portfolio company that just announced $44 Million in Series C funding, is also expanding their reach in a bid to reduce the pressure on security professionals and help them prepare for cyber-attacks," he said.
AttackIQ helps organisations continuously validate the effectiveness of their security controls at scale, verifying that cyber defences work as expected.