By Robert Taylor | July 7, 2021
Another gargantuan cyber-attack on the global supply chain took place over the holiday weekend, leaving over 1,500 businesses infected with ransomware. The attackers exploited a vulnerability in software from Kaseya, a third-party vendor that provides back-office IT solutions and managed services for small and mid-sized businesses.
The breach comes on the heels of other massive supply chain attacks against SolarWinds, Microsoft, and other major third-party vendors. You can read more about the latest cyber-attacks on the supply chain in our related blog post: Healthcare Takes It on the Chin with Supply Chain Breaches.
Kaseya CEO Fred Voccola has been relatively tight-lipped about the attack in the early days of the incident. However, in a report from the Associated Press, Voccola said that “he was confident that when an investigation by the cybersecurity firm is complete, it would show that not just Kaseya but third-party software were breached by the attackers.”
This seems to imply that Kaseya may already be laying the groundwork to blame the breach on another firm, or fourth-party vendor in this case. This brings critical questions to the forefront for our industry: who is accountable for supply chain breaches and who owns the risk? We will examine those questions in this blog post, but first let’s take a look at this specific incident in some more detail.
This latest cyber-attack came just as the long Fourth of July weekend kicked off. That timing was no accident: it gave the attackers a long weekend in which to operate while protection mechanisms in the US were limited by the holiday break.
The attack leveraged a zero-day vulnerability that compromised Kaseya’s VSA remote access software used to remotely maintain customer systems. As of the time of the writing of this blog, a patch to fix the security gap has been developed and is undergoing testing before its release to the public.
The organizations hit hardest included entire supermarket chains in Sweden and schools and kindergartens in New Zealand. The more than 1,500 organizations infected with ransomware in this attack include public agencies, financial services firms, travel and leisure companies, public sector bodies, and many others.
The attackers have been identified as the Russia-based REvil cyber-criminal gang, best known for extorting $11 million from the meat processor JBS last month. They are demanding $70 million in payment, but say they are open to negotiations.
President Joe Biden said Saturday that he ordered a “deep dive” by U.S. intelligence into the attack and that the U.S. would respond if it determines the Kremlin is involved. This comes very soon after President Biden and Putin had a summit wherein Biden gave Putin a “no hack” list of critical infrastructure to avoid attacking. The organizations targeted in the Kaseya attack are generally not considered critical infrastructure.
Securing the supply chain is a shared responsibility that requires accountability and coordination across multiple organizations including businesses, third- and fourth-party vendors, regulators, and others. Here is our take on the relative accountability, in priority order from most accountable to least accountable entities:
1. The Business | The business whose systems and information were breached ultimately must live with the repercussions of the incident including business disruption, financial impacts, reputational damage, loss of customer trust, and more. The buck stops with the business. Finger pointing and blame do very little to mitigate the material impacts to the business following an attack like the Kaseya event. Customers are also most likely to hold the brand of the business accountable for breaches rather than take the time to understand the nuances of a complicated supply chain sourced breach event.
Executives must invest in robust security and compliance programs that go above and beyond minimal regulatory obligations and actively manage cyber risks for the enterprise. This includes hiring information security leadership and teams and compliance teams, and routinely assessing and validating the effectiveness of cyber risk programs. Such investments must also include third-party supply chain risk programs that scale to evaluate and manage risk across the full vendor portfolio.
2. Third-Party Vendors (a.k.a. Supply Chain Vendors) | Third-party organizations have an obligation to safeguard the products and services they deliver to the marketplace. If you have established a B2B business that serves multiple businesses that depend upon your services or products to operate, then you have inherently assumed the responsibility to understand and manage cyber risks on their behalf.
Supply chain vendors must proactively build cyber and risk management programs and validate their effectiveness on a routine basis via assessments, security certifications, penetration tests, and other security control implementations. An erosion of trust on cyber risk can ultimately lead to an erosion of trust with your business overall in the market.
3. Government Entities | Governments have an obligation to intervene in cases where state-sponsored or state-supported attacks target critical infrastructure in ways that may impact national security or the stability of major economic markets. Such intervention may include diplomatic pressure, sanctions, and even counter-attacks in the event that attacks remain unchecked over time.
Governments also have a powerful lever at their disposal in the form of regulations. Regulatory requirements and related enforcement can go a long way toward inducing organizations to adopt proactive and preventative security control measures that secure their own systems and those of their third-party suppliers. There is a flurry of regulations being cooked up to address supply chain risk; you can learn more about these in our related blog post: Regs on the Radar: Emerging Supply Chain Regulations & Standards.
4. Standards Bodies | Organizations that provide standards and guidance for the industry to effectively manage supply chain risks play an important role in getting everyone on the same page and driving implementation of leading practices. Organizations like the National Institute of Standards and Technology (NIST), the HITRUST Alliance, US Cyber Security and Infrastructure Security Agency (CISA), and others have updated their frameworks and guidance to include supply chain risk management.
5. Customers | It may sound like a bold claim, but customers are becoming increasingly aware of cyber risks and will apply purchasing pressure on businesses to safeguard their information. Businesses that cannot consistently maintain operations or safeguard information are likely to see their customers pursue alternative options from competing organizations.
In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides access to the results of over 79,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.
CORL’s tech-enabled managed services and next generation exchange of vendor risk data allows healthcare entities to:
Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.
Robert Taylor
Vice President of Solution Delivery
As Vice President of Solution Delivery for CORL Technologies, Rob Taylor oversees Client Engagement, Project Management, Quality Service Delivery, Innovation, Audit and Analysis teams to ensure client service meets or exceeds expectations. Rob leverages his 20+ years’ experience in process improvement, project management and career development leadership to lead the company’s service delivery teams. Prior to CORL, Rob served as the Director of Operations for CORL Technologies’ sister firm, Meditology Services, the #1 Cybersecurity Advisory Services firm ranked in the 2019 and 2020 Best in KLAS Software and Services Report. In this role, Rob oversaw the work of operations, marketing, information technologies, security operations, human resources and training functions. Rob holds a Bachelor of Business Administration degree from the University of Tennessee.