DBS Bank and Bank of China's Singapore branch disclosed this week that some customer information was potentially compromised after a ransomware attack on their printing vendor, Toppan Next Tech (TNT).
The exposed data includes customer names, addresses, details of DBS Vickers equities and cashline loans, and some BOC loan account numbers. DBS gave assurances that its core IT systems were unaffected and that customer deposits remain secure.
Investigations are still ongoing, but this incident serves as a reminder to all organisations to scrutinise their vendors and other third-party business partners closely.
“A contracting company often lacks the visibility and control required to ensure an effective cybersecurity posture is in place. While there may be contractual obligations, and possibly annual audits, these do not provide operational real-time monitoring of the security practices in place,” says Tony Anscombe, chief security evangelist at ESET.
William Oh, SVP, head of Asia Pacific, BlueVoyant, adds: “This data breach incident is only one addition to a growing list of significant cyberattacks in the region in recent years that likely originated from a third-party vendor. Organisations are often attacked through their wider digital networks, with more suppliers, service providers, and partners having more access to sensitive data now than ever before.”
Despite the worrying risk, over a third (35%) of Singapore organisations say they have no way of knowing when a cybersecurity incident occurs within their supply chain and rely on self-reporting, according to BlueVoyant’s study. In addition, the sheer size of organisations’ supply chains is exacerbating the lack of visibility and control.
“To safeguard against supply chain cyberattacks, organisations must enforce Zero Trust security, compelling vendors to adopt least privilege access and secure communication,” says Sheena Chin, Rubrik’s Asean Managing Director.
She continues: “Ultimately, protecting the supply chain demands a holistic approach that combines regulatory compliance with advanced cybersecurity practices. By fortifying data security guardrails across all parties involved, banks can safeguard their reputation, maintain customer trust, and ensure business continuity in the face of increasingly sophisticated cyberattacks.”
Meanwhile, Oh recommends that organisations incorporate the following strategies to better tackle supply chain cyber security risks:
- Initiate a proactive visibility programme at all levels of the organisation, including cross-departmental and senior stakeholder briefings, reporting, and collaboration.
- Prioritise effective third-party cyber security risk management and collaboration to reduce breach risk.
- Implement structured incentives and penalties for third parties to encourage compliance amongst those that fail to demonstrate sufficient hygiene, response, and remediation measures.
- Monitor and evaluate all suppliers on a continuous basis.
- Introduce tiered monitoring — from simple questionnaires to advanced continuous monitoring — offset against costs and aligned with vendor criticality. This will help to alleviate resource, technology and expertise challenges.
- Ensure third-party cyber security risk management isn’t siloed in IT or elsewhere.
- Work closely with their third parties to close the remediation loop.
- Triage and track all issues through every step to full remediation.
To further reduce the risk of cyberattacks, companies should prioritise continuous monitoring of their networks and vendors, implement robust access controls, and ensure the widespread adoption of cyber hygiene measures such as multi-factor authentication.