In order to heighten surveillance and protection of critical networks and infrastructure, the government and local technology firms will now take up cyber insurance.
Supply chain attacks, which target suppliers, are the latest tool in a vast arsenal being employed in cybercrime.
Attackers look for the weakest links in a supply chain, like small vendors with no cybersecurity controls or open-source components with a small community or lax security measures.
They compromise one organization and then move up the supply chain, taking advantage of these trusted relationships to gain access to other organizations’ environments.
They do this by adding backdoors to legitimate and certified software or compromising systems used by third-party providers.
These attacks are difficult to detect with elementary defenses.
Kenya loses about $295 million (Sh33.5 billion) to cybercriminals every year, an amount that has been increasing steadily, experts say.
“Taking up cyber insurance policies, carrying out deep assessments and signing strict compliance agreements are some of the expected steps to be taken to raise protection,” said Kipruto Ronoh, ICT Authority acting director.
A recent survey by Ponemon Institute shows that 56 per cent of organizations have had a breach that was caused by one of their suppliers.
The survey also indicates that the average number of third parties with access to sensitive information at each organization has increased from 378 to 471.
Only 35 per cent of companies had a complete list of all the third-party companies they were sharing sensitive information with, and 18 per cent of companies knew if those vendors were, in turn, sharing that information with other suppliers.
According to the Communications Authority of Kenya, there were 35.1 million cybersecurity incidents detected in 2020, an increase of 152.9 per cent as compared to the previous similar period.
This increased to 38.8 million in 2021, which the authority attributed to remote working and increased uptake of e-commerce in response to the Covid-19 pandemic.
Many organizations were forced to work remotely and adopt cloud usage when they might not have been fully ready to make the move.
As a result, security teams that are often understaffed due to the cybersecurity skills gap are overwhelmed and unable to keep up.
Ronoh said that supply chain threats were increasing and becoming more severe and sophisticated.
“Even as we expand and intensify our coordinated law enforcement efforts on data security, our analyses of past incidents show that the threat actors are becoming more malicious and their attacks more severe,” said Ronoh.
He added that the government had identified third-party suppliers, especially online services, as key attack targets.
Wycliffe Mabwa, vice director of Assurance and Managed Services at Huawei Kenya, recommended a thorough assessment of critical suppliers by understanding every component and material they use.
“This means maintaining an active interest in the cybersecurity apparatus implemented by your suppliers across the board,” Mabwa said.