Updated: Jul 7, 2021
This past Friday, July 2nd, as Americans began their Fourth of July celebrations, another large-scale supply-chain cyberattack reared its ugly head.
A supply-chain cyberattack occurs when a vendor or Managed Service Provider (MSP) is attacked and the attack disrupts the operations of the customer. According to BleepingComputer, the REvil ransomware gang out of Russia has attacked MSPs with thousands of customers through a malicious auto-update that exploited a previously unknown vulnerability in Kaseya’s VSA IT Management Software, leaving both the providers’ and their customers’ data encrypted. The ransomware gang is now demanding US$70 million in bitcoin for a universal decryption key for all of those affected.
While there is no way to completely prevent an attack such as this from happening, there are steps that organizations can take to reduce the risk of a supply-chain cyberattack affecting them.
1. Generate a vendor inventory list
To adequately address supply-chain risks, an organization must first create a vendor inventory list. Every third-party vendor, software supplier, and MSP, especially those with connectivity to the organization, must be identified. After the vendors have been identified, the organization can research each vendor to see whether it has a history of security-related incidents. If a vendor regularly has security issues, the organization may want to do business elsewhere.
2. Assess vendor and MSP risks
Organizations rely heavily on commercial software and MSPs to run their daily operations. It is imperative that organizations become familiar with the security posture of their vendors and MSPs because they are a critical link in the supply chain. If a vendor or MSP does not practice good cybersecurity and its operations are disrupted, then a customer’s daily operations could also be hindered.
Begin assessing a vendor or MSP by asking when its cybersecurity risk posture was last reviewed by a third party. Ask what security standards or guidelines it implements within its organization. A vendor or MSP may not give you every detail for security reasons, but it should give you at least enough detail to reassure the organization that it takes security seriously. If the vendor or MSP does not have good answers to these questions, then that vendor is not practicing good cybersecurity, and that increases the organization’s risk of a supply-chain cyberattack.
3. Get Insured
With the increase in the number of cyberattacks on small and medium-sized organizations, many are getting cyber liability insurance to transfer some risk to an insurance company. While policies vary, cybersecurity insurance covers the legal and technological aspects of data breaches and cyberattacks. It covers first-party risks, which are the direct expenses the business incurs reacting to a cyberattack, including social engineering and ransomware. It also goes further and covers third-party cyber liability risks, which can cover expenses for businesses responsible for clients' online security and data.
A cyber liability insurance policy can help protect your company in the event of a data breach in which sensitive customer information is exposed or stolen by cyber criminals. Cyber liability insurance covers a variety of expenses associated with a data breach or cybercrime, including:
· Notification costs
· Defense against claims by state regulators
· Fines and penalties
· Loss resulting from identity theft
· Liability arising from website media content
· Property exposures from business interruption, data loss or destruction, funds transfer loss, computer fraud, and cyber extortion
4. Implement Defense in Depth
Defense in Depth is a cybersecurity best practice that involves protecting a network environment under several layers of different security protocols. At each layer, one or more security defenses can be implemented to identify and stop a malicious attacker.
To specifically prevent a supply-chain cyberattack, it is very important that an organization’s defense-in-depth protocols include the security principle of “least privilege”. This security principle states that a user or application should be granted the minimum level of access needed to perform a task. This way, should a malicious user take over a legitimate user account or application, the malicious user cannot make significant or damaging changes to the system because the account does not have administrative rights.
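One way to check least privilege for the vendor and MSP accounts in the inventory from step 1 is to compare what each account was granted with what it actually used. This is an added example, not part of the original article; the vendor names, account names, permission labels, and the 90-day review window are constructed assumptions.

```python
import csv
import io

# Constructed sample data (not from the article): one row per vendor/MSP
# account, the permissions it was granted, and the permissions it actually
# exercised in the review window (for example, taken from audit logs).
INVENTORY_CSV = """vendor,account,granted,used_last_90d
ExampleRMM,svc-rmm-agent,admin;software_install;file_read;file_write,software_install;file_read
ExampleBackup,svc-backup,file_read;file_write,file_read;file_write
ExampleHelpdesk,svc-helpdesk,admin;password_reset,password_reset
ExamplePrinter,svc-print,print_queue,
"""

# Assumption: permissions this organization treats as high impact.
HIGH_IMPACT = {"admin", "software_install"}


def parse_perms(field):
    """Split a ';'-separated permission field into a set, ignoring blanks."""
    return {p.strip() for p in field.split(";") if p.strip()}


def audit(inventory_csv):
    """Return one finding per account whose grants exceed observed use."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        granted = parse_perms(row["granted"])
        used = parse_perms(row["used_last_90d"])
        unused = granted - used
        if not unused:
            continue  # grants match observed use: nothing to trim
        findings.append({
            "vendor": row["vendor"],
            "account": row["account"],
            "unused": sorted(unused),
            "unused_high_impact": sorted(unused & HIGH_IMPACT),
            "dormant": not used,  # never used: candidate for removal
        })
    # Review accounts holding unused high-impact rights first.
    findings.sort(key=lambda f: (-len(f["unused_high_impact"]), f["account"]))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY_CSV):
        print(finding)
```

Accounts listed first hold administrative rights they never exercised, which are the grants to remove first; an account flagged as dormant can usually be disabled outright.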
While supply-chain cyberattacks are very difficult to prevent entirely, organizations can take steps to reduce the risk of them negatively affecting their daily operations. For more information about supply-chain cyberattacks, check out the National Institute of Standards and Technology (NIST) Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. NIST is a great resource for many cybersecurity-related matters. You can also schedule a free consultation with Hire A Cyber Pro for information on cybersecurity risks such as this and much more. Go to https://www.hireacyberpro.com/ to learn more, or email your questions to firstname.lastname@example.org. Be sure to check out and follow my LinkedIn page! https://www.linkedin.com/company/hire-a-cyber-pro.