Research conducted by the Ponemon Institute has revealed that more than half of all data breaches are the result of a third party. They have also shown that over 50% of all organizations are not even attempting to evaluate the information security practices of these vendors before giving them access to confidential data or secure systems. Furthermore, third-party breaches are estimated to cost more than double what a standard data breach would cost. Cyber attacks continue to increase in frequency, and they have become the preferred medium for fraud in the current era. The Russian invasion of Ukraine in March of 2022 has triggered a marked increase in cyber attacks on third parties above and beyond this already increasing trend.
Ransomware attacks can target critical systems causing operations to grind to a halt, or your supply chain could be threatened by a key vendor’s failure to secure their systems against known cyber risks. There is no doubt that we will see data breaches occur on an increasingly frequent basis, and if you intend to keep your sensitive information secure, then it is important to understand the security risks that your company is facing.
Notable Data Breaches
As a call center servicing company, Voicecenter was home to a wealth of information about thousands of companies that it worked with. When the hacker group Deus launched a ransomware attack against their systems, they demanded $1.5 million to restore access and prevent the release of the data they had obtained. While rumors of non-financial motivations for the attack exist, it is prudent to remember that even if your organization does not lose complete access to critical systems, any data lost can be sold and resold through illicit marketplaces, providing a secondary income stream for cybercriminals.
Cancer Centers of Southwest Oklahoma
As the cloud-based storage provider for the Cancer Centers of Southwest Oklahoma, Elekta was responsible for storing the protected health information of 8,000 cancer patients. While they were able to detect the suspicious activity on their own system, this did not prevent the loss of treatment information, Social Security numbers, names, addresses, and other personally identifying information for these individuals.
If nothing else, the Elekta breach should serve as a reminder that any industry is a potential target for cybercriminals. The healthcare industry in particular is in possession of PHI in addition to PII, and they need to be even more conscious of the security posture of their vendors with access to or storage responsibilities for that data. These are some of the reasons that data breaches in the healthcare field increased upwards of 55% in 2020 alone.
Do you consider the creator of a password manager application in use by some or all of your employees to be a third-party vendor? You should, and even if your own employees aren’t using the app, your third-party vendors’ employees may be. Attackers secreted malware in a software update of Click Studios’ Passwordstate app and collected the login credentials of IT and security personnel at nearly 30,000 organizations.
Recognizing who your third through Nth party vendors are and the specific risks that they present is the very first block needed to construct an effective risk management process. It’s impossible to evaluate and continuously monitor your vendors if you fail to identify who they are, even more so with a high-risk vendor like this.
While direct financial motivation is not always the underlying cause for a cyberattack, the hackers responsible for the Accellion breach in 2021 were in pursuit of financial gain, and they were extremely successful. Accellion FTA is widely used to move files within a network. The files it handles may be large or of a particularly sensitive nature, and Accellion FTA is in use by a wide range of organizations across numerous industries. Attackers exploited vulnerabilities within Accellion FTA and obtained PII and banking information from a multitude of victims, including Kroger, the University of Colorado, the Reserve Bank of New Zealand, and even Washington State. The damage didn’t end there for Accellion either; they are facing an increasing number of civil lawsuits in more than one state.
This case highlights in particular why cyber attacks on third-party vendors are so lucrative. With one success, attackers were able to victimize many organizations from multiple industries and across several nations. It is believed that not all victims in this matter have yet been identified.
Anatomy of a Simple Cyber Attack
Social engineering is the least technologically advanced method of perpetrating a data breach, and there’s a reason that it is so successful. Aside from the lack of training provided to employees in this realm, social engineering simply exploits natural human tendencies with the end goal of obtaining valuable information. This can be through phishing, smishing, whaling, or any number of other techniques, and it can provide the attacker with enough information to brute-force passwords or even have entire sets of login credentials handed right over.
Once a vendor is compromised in this manner, the attacker can then access the vendor-facing systems of an organization. There may be useful or actionable information right there, or the attacker may need to exploit additional vulnerabilities to gain further access to the victim’s systems. Either way, once a cyber attacker has entered the system with a valid set of credentials, many of the defenses have already been at least partly compromised. Firewalls have been passed, access to a “trusted” individual has been granted, and there is now a fox in the henhouse.
Better Securing Your Systems
So how can we prevent this or at least limit the damage? Here are a handful of tips that will help to harden your security posture:
- Configure firewalls to watch for both inbound and abnormal outbound traffic
- Partition payment data from your vendor interface
- Even payment processing vendors should only be provided with the minimum data necessary
- Ensure your vendors are complying with periodic security training for all of their personnel
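Because the attacker described above arrives with a valid vendor credential, the first tip (watching for abnormal outbound traffic) is often the earliest signal you will get. The following is an added example, not code from the original article, of baselining per-host outbound traffic from a vendor-facing segment and flagging volume spikes, never-seen destinations and unknown hosts; the log format and IP addresses are constructed for illustration.

```python
# Added example (not from the original article): flag abnormal outbound traffic
# from a vendor-facing segment. Assumes a simplified, constructed log format:
# "<time> <src> -> <dst>:<port> out=<bytes>".
import re
from collections import defaultdict
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) out=(\d+)$")

def parse(lines):
    """Yield (src, dst, port, bytes); lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            _, src, dst, port, nbytes = m.groups()
            yield src, dst, int(port), int(nbytes)

def profile(lines):
    """Per-source outbound byte total and the set of destinations contacted."""
    total, dests = defaultdict(int), defaultdict(set)
    for src, dst, _, nbytes in parse(lines):
        total[src] += nbytes
        dests[src].add(dst)
    return total, dests

def find_anomalies(baseline_lines, new_lines, factor=5):
    """Sorted (src, reason) pairs: outbound volume above factor x baseline,
    a destination never seen in the baseline, or a source with no baseline."""
    base_total, base_dests = profile(baseline_lines)
    new_total, new_dests = profile(new_lines)
    findings = set()
    for src in new_total:
        if src not in base_total:
            findings.add((src, "no baseline"))
            continue
        if new_total[src] > factor * base_total[src]:
            findings.add((src, "volume"))
        for dst in new_dests[src] - base_dests[src]:
            findings.add((src, "new destination " + dst))
    return sorted(findings)

# Constructed sample logs: learned normal traffic, then the period under review.
BASELINE_LOG = [
    "08:00 10.0.5.20 -> 203.0.113.10:443 out=1200",
    "08:10 10.0.5.21 -> 203.0.113.11:443 out=5000",
]
TODAY_LOG = [
    "09:00 10.0.5.20 -> 203.0.113.10:443 out=900",
    "09:02 10.0.5.20 -> 198.51.100.7:22 out=50000",  # bulk push to an unknown host
    "09:10 10.0.5.21 -> 203.0.113.11:443 out=4000",
    "09:15 10.0.5.30 -> 203.0.113.11:443 out=100",    # host never seen before
]
```

Running `find_anomalies(BASELINE_LOG, TODAY_LOG)` reports the volume spike and the new destination for 10.0.5.20 and the unknown host 10.0.5.30, which is the kind of event worth routing to your incident response process rather than waiting for a vendor notification.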
Cyber security and risk management, in general, are time-intensive processes. Implementing some of these time management tips for vendor risk managers can further assist you with best protecting your company’s interests while leveraging the limited number of hours in your day.
Responding to a Breach
Once a breach has occurred, the most important step is to activate your incident response plan. Hopefully, you have a thoroughly laid out and documented process in place for this task as this will guide you through your response in its entirety. Collecting and preserving evidence, making notifications to respective authorities, stakeholders, and victims, and analyzing the cause of the breach are all additional components of a properly designed incident response plan.
Nation-State Actors and the Software Supply Chain
We touched above on additional motivations for cyberattacks beyond financial gain. Attacks by government-backed hackers or national security agencies themselves are also on the rise, and a large number of these attacks are focused on the software supply chain. The SolarWinds attack alone is estimated to cost cyber insurance companies $90 million, and that figure is only that low because many of the victims were government entities, which are typically self-insured.
The software supply chain is such a high-value target because a compromised component is delivered to every downstream customer through the supply chain’s own distribution channels, spreading the malware for the attacker. This can lead to a spread of the attack beyond what the bad actors themselves anticipated in the first place. Supply chain attacks are also some of the most difficult to detect, and that is substantial since routine data breaches already take an average of 96 days to detect and over 200 days to resolve according to further Ponemon Institute research.
Leveraging Subject Matter Experts
Your risk management team can’t possibly be experts in every facet of risk that your organization is exposed to. The field of cyber security alone is complicated enough to warrant multiple employees working exclusively on mitigating vendor cyber risk. Venture Lynk offers a plethora of vendor risk management services which include the expertise of military intelligence and cyber security experts. These subject matter experts can conduct vendor onboarding, risk assessment, continuous monitoring, and development of effective risk management procedures leaving your employees to focus on their own areas of strength.