In commerce, the supply chain refers to the network of organisations, people, activities, information and resources involved in delivering a product or service to a consumer. Supply chain risk is not to be ignored, as seen in the 2021 data breach that affected Debt-IN* and several South African financial services institutions.
Supply chain risk arises because external organisations routinely communicate with, and are granted access to, internal staff and/or systems so that business and service transactions can run seamlessly. That access creates additional points of entry and oversight which an attacker can use to reach their preferred target if the supplier itself is compromised.
In a situation like this, the first-party data collector is held liable, as it is the entity entrusted with the collection and management of consumer data. The data must be stored securely, as required by POPIA, and access to it must be handled in the most secure manner possible. This limits who can access the data and ensures that it is used only for its intended purposes, as agreed through the consent given by the data owner (the consumer), including any use by suppliers in the supply chain.
Identity and Access Management (IAM) for data is integral to ensuring that only trusted entities access the data and that they use it for its intended purposes. The supplier should also be held accountable and must implement a reasonable level of security and training within its own organisation, so that interactions between the two (or more) entities remain safe and secure.
*Debt-IN, a debt recovery solutions partner to many South African financial services institutions, was hit by a ransomware attack that resulted in a significant data breach of consumer and employee personal information. FNB, Absa, Standard Bank and African Bank are some of the financial institutions that make use of Debt-IN’s services, and they have confirmed the impact of the cyberattack on their businesses.
The lifecycle of a supply chain attack can be divided into two stages, each an Advanced Persistent Threat (APT) attack. The first stage targets one or more suppliers. Once the malware has entered through this back door, the second stage targets the customers’ assets. This type of cyberattack is more difficult to detect because the customers already trust their suppliers. Source: ENISA