Who is Accountable for Supply Chain Risk? Fallout from the Kaseya Breach
Published On July 7, 2021
Blog Post by Rob Taylor, Vice President of Solution Delivery at CORL Technologies
Another gargantuan cyber-attack on the global supply chain took place over the holiday weekend which saw over 1,500 businesses infected with ransomware. The attackers exploited a vulnerability in the third-party software for Kaseya, which provides back-office IT solutions and managed services for small and mid-sized businesses.
The breach comes on the heels of other massive supply chain attacks against SolarWinds, Microsoft, and other major third-party vendors. You can read more about the latest cyber-attacks on the supply chain in our related blog post: Healthcare Takes It on the Chin with Supply Chain Breaches.
Kaseya CEO Fred Voccola has been relatively tight lipped about the attack in the early days of the incident. However, in a report from the Associated Press, Voccola said that “he was confident that when an investigation by the cybersecurity firm is complete, it would show that not just Kaseya but third-party software were breached by the attackers.”
This seems to imply that Kaseya may already be laying the groundwork to blame the breach on another firm, or fourth-party vendor in this case. This brings critical questions to the forefront for our industry: who is accountable for supply chain breaches and who owns the risk? We will examine those questions in this blog post, but first let’s take a look at this specific incident in some more detail.
What Happened in the Kaseya Supply Chain Attack?
This latest cyber-attack came just as a long Fourth of July weekend kicked off, which was no accident as it provided attackers with a long weekend to attack while protection mechanisms were limited in the US due to the holiday break.
The attack leveraged a zero-day vulnerability that compromised Kaseya's VSA remote access software used to remotely maintain customer systems. As of the time of the writing of this blog, a patch to fix the security gap has been developed and is undergoing testing before its release to the public.
The organizations hit hardest included entire supermarket chains in Sweden and schools and kindergartens in New Zealand. Among the over 1,500 organizations infected with ransomware from this attack include public agencies, financial services, travel and leisure, public sector and many other organizations.
The attackers have been identified as the Russian-based REvil cyber-criminal gang, which is best known for extorting $11 million from the meat processor, JBS, last month. They are demanding $70 million in payment, but say they are open to negotiations.
President Joe Biden said Saturday that he ordered a “deep dive” by U.S. intelligence into the attack and that the U.S. would respond if it determines the Kremlin is involved. This comes very soon after President Biden and Putin had a summit wherein Biden gave Putin a “no hack” list of critical infrastructure to avoid attacking. The organizations targeted in the Kaseya attack are generally not considered critical infrastructure.
Who is Accountable for Supply Chain Attacks?
Securing the supply chain is a shared responsibility that requires accountability and coordination across multiple organizations including businesses, third- and fourth-party vendors, regulators, and others. Here is our take on the relative accountability, in priority order from most accountable to least accountable entities:
1. The Business | The business whose systems and information were breached ultimately must live with the repercussions of the incident including business disruption, financial impacts, reputational damage, loss of customer trust, and more. The buck stops with the business. Finger pointing and blame do very little to mitigate the material impacts to the business following an attack like the Kaseya event. Customers are also most likely to hold the brand of the business accountable for breaches rather than take the time to understand the nuances of a complicated supply chain sourced breach event.
Executives must invest in robust security and compliance programs that go above and beyond minimal regulatory obligations and actively manage cyber risks for the enterprise. This includes hiring information security leadership and teams, compliance teams, and routinely assessing validating the effectiveness of cyber risk programs. Such investments must also include third-party supply chain risk programs that scale to evaluate and manage risk across the full vendor portfolio.
2. Third-Party Vendors (a.k.a Supply Chain Vendors) | Third-party organizations have an obligation to safeguard the products and services they deliver to the marketplace. If you have established a B2B business that services multiple businesses that depend upon your services or products to operate, then you inherently have assumed the responsibility to understand and manage cyber risks on their behalf.
Supply chain vendors must proactively build cyber and risk management programs and validate their effectiveness on a routine basis via assessments, security certifications, penetration tests, and other security control implementations. An erosion of trust on cyber risk can ultimately lead to an erosion of trust with your business overall in the market.
3. Government Entities | Governments have an obligation to intervene in cases where state-sponsored or supported attacks attack critical infrastructure that may impact national security or the stability of major economic markets. Such intervention may include diplomatic pressure, sanctions, and even counter attacks in the event that attacks remain unchecked over time.
Governments also have a powerful lever at their disposal in the form of regulations. Regulatory requirements and related enforcement can go a long way to inducing proactive and preventative security control measures by organizations to secure their systems and those of their third-party suppliers. There are a flurry of regulations being cooked up to address supply chain risk; you can learn more about these in our related blog post: Regs on the Radar: Emerging Supply Chain Regulations & Standards.
4. Standards Bodies | Organizations that provide standards and guidance for the industry to effectively manage supply chain risks play an important role in getting everyone on the same page and driving implementation of leading practices. Organizations like the National Institute of Standards and Technology (NIST), the HITRUST Alliance, US Cyber Security and Infrastructure Security Agency (CISA), and others have updated their frameworks and guidance to include supply chain risk management.
5. Customers | It may sound like a bold claim, but customers are becoming increasingly aware of cyber risks and will apply purchasing pressures on businesses to safeguard their information. Business that cannot consistently maintain operations or safeguard information are likely to see their customers pursue alternative options from competing organizations.
CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data
In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides with access to assessment results of over 79,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.
CORL’s tech-enabled managed services and next generation exchange of vendor risk data allows healthcare entities to:
- Prioritize vendors for assessment and remediation
- Make informed supply chain risk decisions
- Scale vendor risk programs
- Report on vendor risk across the entire vendor portfolio
- Drive and track remediation
- Validate controls and gain assurance
- Track KPI, KRI, and SLA metrics on program performance
- Identify trends in vendor types to anticipate breaches
- Save time, money, and resources
- Accelerate assessment turnaround times
Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.