Corporations ramp up requirements for small and medium-sized software companies, says US tech expert Kris Lovejoy
Life is about to get a whole lot harder for smaller software businesses, says the cybersecurity chief of one of the world’s largest IT infrastructure services providers.
Australian software companies will come under intense scrutiny from partners and clients as larger corporations crack down on poor cybersecurity behaviour and out-of-date practices.
It’s likely to create a harsher environment for smaller players, who are already under scrutiny after a spate of high-profile cyber incursions in which attackers reached larger organisations’ databases by first compromising the smaller businesses that served them.
That’s the view of US tech expert Kris Lovejoy, global cybersecurity leader at Kyndryl, one of the largest IT infrastructure services providers in the world.
Ms Lovejoy said small and medium-sized software-as-a-service (SaaS) businesses should be preparing for life to become more difficult as larger organisations increase not only their expectations when working with smaller vendors but their requirements for them to operate on the same platforms.
“It is going to become much harder, particularly if you’re selling to any entity that is considered critical infrastructure or government,” she said.
The new industry standard, which is already playing out across the US, follows the mass exploitation of the US file transfer products MOVEit and GoAnywhere.
Those breaches collectively resulted in about 2750 organisations worldwide being compromised, including Medibank, EY, PricewaterhouseCoopers, the US Department of Energy and the US Defence and Security Department.
Ms Lovejoy said the current state of cyber security was the harshest she had seen throughout her 25-year career. “It is perhaps one of the most complex and single riskiest environments in which I’ve worked,” she told The Australian.
The Covid-19 pandemic had upended the world’s digital environment, as the rush to digitise opened up major loopholes and so-called backdoors, Ms Lovejoy said.
“The post-Covid recognition is that the rapid digital transformation was largely uncontrolled,” she said.
“What we recognised coming out of Covid is that threat actors are focused on smaller providers and integrating malicious code or backdoors into the technologies that these smaller providers have built.”
Kyndryl analysts found that about 36 per cent of the inventory the company manages on behalf of customers “could be considered end of service”, Ms Lovejoy said.
“We have a hoarding problem in the IT space right now. Companies buy but they don’t ever throw out and over time that complexity increases risks, and it increases the number of things that you have to acquire,” she said.
“Legacy technology is a significant issue to most critical infrastructure industries.”
The warnings aren’t all bad news. Ms Lovejoy was confident that some forward-thinking companies would extend a hand to valued partners, providing resources to help them ramp up their security practices.
However, some smaller players would fall into the trap of changing their product or systems to meet the requirements of a single client, only to find the new configuration did not work or integrate well with their other clients, especially when the requirement involved the proprietary tools or intellectual property of the larger corporation.
There was also significant growth in cyber monitoring, with some companies paying for operators to watch over their systems for irregularities.
This shift was a reflection of the industry’s “new reality” whereby the threat landscape had grown so large it was almost impossible to be completely protected, she said.
Ms Lovejoy said companies needed to think of their systems as “biological entities”.
“That biological entity can be infected with bacteria, with viruses that are dormant. You may run tests and you may find bad stuff but guess what? In a lot of instances the code which was built and deployed by the malicious actor has never been seen before so therefore there is no diagnostic to find it,” she said.
“So money is being moved away from protection and companies are saying ‘we’re going to focus on monitoring and preparing to cover’.”