VENDORiQ: Beware Doppelgänger Vendors: Australian Cyber Security Centre Encourages Authenticity of IT Purchases

The Australian Cyber Security Centre (ACSC) requests IT buyers to review the authenticity and integrity of their purchases. IBRS looks into the relevance of such guidance.

The Latest

18 October 2022: The Australian Cyber Security Centre (ACSC) has added guidance to its Information Security Manual (ISM) asking IT buyers to assess the integrity and authenticity of IT purchases, following the acquisition of counterfeit networking equipment by U.S. agencies. In July, a Miami-based CEO was also arrested for importing US$1 billion of fake Cisco equipment from China and reselling it online.

Why it’s Important

Counterfeit hardware and equipment are often perfect doppelgängers: easily mistaken for authentic products, they replicate not only the product itself but also the boxes, labels and manuals that come with each package. The biggest problem with such bogus equipment is that, once installed, it may be used by highly organised cyber-criminal groups to circumvent security solutions in enterprises. As a result, the use of doppelgänger hardware can create serious financial and operational risks.

One of the most effective ways to avoid doppelgänger hardware is through procurement.

Organisations are often lured into purchasing counterfeit hardware by the cheaper price point or the huge discounts offered. In these cases, consider that any discount may be paving the way for malevolent intentions. Procurement teams should independently scrutinise a supplier's authenticity, taking into account time in market, support services, client history, and so on. A simple starting point for such validation is an ASIC report on the supplier, which can often reveal a host of red flags.

It is worth noting that this consideration is not limited to hardware, but also to services. In the last year, IBRS attempted to authenticate a consultancy that was about to win a significant program of work for a client, only to find the ‘consultancy’ had been established just months earlier, had no office, no staff and a ‘director’ that, upon further investigation, was contracted as a network administrator in another company.

It should be noted that a vendor being new to the Australian market does not mean it should not be considered. Rather, a first line of defence against doppelgängers is to match a vendor's claims against its history.

Who’s Impacted

  • CEO
  • Procurement teams
  • IT teams

What’s Next?

  • Review support contracts and vendor reputation before engaging in transactions. Often, vendors that sell counterfeit products do not carry support contracts and cannot present a verifiable client history.
  • Establish relevant teams of experts, or engage third parties, who can test for and advise on areas for improvement in order to reduce the likelihood and impact of fraud and cybercrime.

Related IBRS Advisory

1. The difference between fraud and cybercrime
2. VENDORiQ: ICAC Reveals New Corruption Scandal
