In the era of digital transformation, every innovation simultaneously propels business growth and widens the playground for hackers. While email, social media, and document-sharing platforms are integral for business, similar tools used by developers, like version control systems, dependency management tools, and developer experience platforms also invite vulnerabilities.
This week, the LinkedIn profile of a venture capitalist I know was hacked, used to circulate a link to a 'business opportunity', eventually requesting credentials for 'confidential documents'. Nothing happened and the content has been reported and LinkedIn’s trust and Safety team has taken the appropriate actions, but this episode is a reminder of the growing sophistication and creativity of hackers.
Think you're immune to phishing? RSA, the cybersecurity titan, was breached through an Excel attachment years ago. Today, phishing is the second most common and the costliest cause of data breaches, as per IBM's 2022 report. If such basic attacks are still effective, what about more advanced ones? In 2018 a hacker injected malicious code into an open-source library to target Copay, a crypto wallet provider. This code was widely used before the breach was detected. Software supply chain has since become a primary attack vector, often unnoticed by leaders yet considered a serious threat by tech professionals. Cybersecurity governance is critical. But paradoxically, those who make our digital shoes often go barefoot - software development teams also need support to be kept up to date with the security risks tied to their tools and processes. Boards and C-level executives, on the other hand, should be asking their leaders hard questions about cybersecurity governance in their tools and processes. If you want to strengthen your tech team's cyber defenses and enhance cybersecurity governance, let’s talk. In the digital realm, knowledge isn't merely power, it is also our best defense.
Rodney Reis
References: CNET. (2018). Attack on RSA used zero-day Flash exploit in Excel. [online] Available at: https://www.cnet.com/news/privacy/attack-on-rsa-used-zero-day-flash-exploit-in-excel/ IBM (2022). Cost of a Data Breach Report 2022. [online] Available at: https://www.ibm.com/downloads/cas/3R8N1DZJ blog.npmjs.org. (2021). npm Blog Archive: Details about the event-stream incident. [online] Available at: https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident [Accessed 28 Jul. 2023 Capterra. (2023). Three in Five Businesses Affected by Software Supply Chain Attacks in Last 12 Months. [online] Available at: https://www.capterra.com/resources/software-supply-chain-attacks/ [Accessed 28 Jul. 2023] SLSA. (2023). Supply-chain Levels for Software Artifacts. [online] Available at: https://slsa.dev/ Avalia Systems. (2023). Avalia Systems I Get in Touch. [online] Available at: https://www.avalia.io/get-in-touch