‘Soft vector’ supply chain attacks and the rising risk of AI

21 Apr 2023

Veneto Privacy Services MD Julian Hayes. Image: Julian Hayes

Julian Hayes of Veneto Privacy Services discusses the impacts cyberattacks can have on SMEs, the importance of reviewing supplier security and how AI has been used in phishing scams.

Click here to view the full Cybersecurity Week series.

The realities of cybersecurity and data protection have changed dramatically in recent years, with threats, regulations and security systems in a constant state of flux.

The number of attacks remains high, with a survey in February suggesting that more than 40pc of Irish organisations have experienced a cyberattack in the past. Meanwhile, there are reports of new, advanced forms of malware and AI systems being used by cyberattackers.

The changing landscape is one that Julian Hayes is all too familiar with, having roughly 18 years of experience in data protection work, “when apps were really only getting started”.

For the past six years, Hayes has been the managing director of Veneto Privacy Services, providing cybersecurity and data protection consultancy for both large and small businesses.

“I’m really about practical implementation of cybersecurity and data protection, rather than just kind of paper compliance,” Hayes said.

The impacts for large and small businesses

Hayes told SiliconRepublic.com that there are different risks for businesses depending on their size and how public their activities are.

Cyberattacks or data breaches on larger companies can have a wider impact if they’re not taking a “proactive stance” on cybersecurity and data protection.

Hayes also said many businesses appear to put cybersecurity as their primary focus rather than data privacy.

“A lot of the traction with GDPR is lost,” Hayes said. “The forefront of people’s minds is now cyber, not data privacy.”

For SMEs, Hayes said the impact of a cyberattack can be “huge”, with examples of these attacks completely disrupting smaller businesses.

In one example, Hayes said a client suffered an “invoicing fraud attack”, where the company was paying out invoices which amounted to hundreds of thousands of dollars, which went undetected. This was due to having no cybersecurity measures around the businesses’ emails.

“So their whole email address book was compromised and there was somebody basically impersonating people in the payments team,” Hayes said. “People think, well, business is operating as normal, everything’s fine. But if you don’t look under the hood, then you won’t even know if you have an issue.”

In the Irish landscape, Hayes said larger enterprises appear to be “well-armed” in terms of their security protections, while SMEs are generally “quite poor” with their protections.

“They’re basically operating on the hope that we won’t be subject to an attack,” Hayes said. “I think we are small in scale, as a country, so perhaps we’re not on the radar for some of the larger attacks. But that may change over time.”

Earlier this week, cybersecurity expert Colm Murphy said cybercriminals view SMEs as “an easy target because they often have fewer resources and less sophisticated cybersecurity measures”.

Choosing the right third-party clients

In recent years, supply chain attacks have been shown to be a significant threat, with attackers using stolen data to fuel later cyberattacks into different businesses.

Last year, Zoom’s head of security assurance Sandra McLeod described supply chain attacks as one of the “biggest challenges” being faced in the IT landscape.

There have been various examples of hacking campaigns targeting organisations with the assistance of stolen security credentials and impersonation tactics.

Last year, one phishing campaign compromised more than 130 organisations by obtaining Okta identity credentials and two-factor authentication codes from users, before mimicking the Okta authentication pages of these organisations.

Hayes describes third parties that organisations use as the “soft vector” for a cyberattack, as even if a company has a strong security programme, the vehicle of attack can be a supplier or “a sub-supplier of that supplier”.

To better mitigate the risk of third-party attacks, Hayes said companies should adopt a “comprehensive security assessment” when onboarding new vendors.

“So not just doing a questionnaire with the provider, but having audit right provisions within your agreements with them to be able to check and perform some sort of assurance checks that they are actually meeting their obligations,” Hayes said.

The rising threat of AI

As organisations work to beef up their cybersecurity and data protection, criminals are also racing to improve their arsenal with dangerous forms of malware.

A recently discovered ransomware – dubbed Rorschach – is said to exhibit unique, customisable features, along with one of the fastest encryption speeds yet.

Another concern is AI, with predictions that these advanced systems will be a potential gamechanger for both defenders and attackers in the cybersecurity landscape.

Hayes said the developments in AI are “huge” and that one of his clients had recently experienced a “very sophisticated, targeted phishing attack” that utilised AI and deepfake technology.

The attacker used video generated content that appeared to show the company’s CEO on a Zoom call, but the video was actually a “total deepfake”.

Regardless of the use of AI, Hayes highlighted how easy it is for cyberattackers to send out massive batches of scam emails and how the potential return far outweighs the cost.

“If you do 50m emails and your score rate is 0.05pc for a successful ransomware or malware installation, then it has done its job, the cost of sale is minimal,” Hayes said.

“That’s the thing, people don’t think about how repeatable these activities are. A small margin of uptake but that’s fine, that’s all you need. You could be €10m to €15m in the bank.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic