3rd Party Risk Management , Governance & Risk Management , Leadership & Executive Communication
Why Third Parties are the Source of So Many HacksThe State of Third-Party Security Needs to be Addressed
Most organizations see third-party security as a threat, but not a priority. This misconception leads to inadequate security protocols, misaligned budgets and resources, vulnerabilities in network/systems/supply chain management, and weaker attack surfaces—which is why there’s a crisis in the state of third-party security that desperately needs to be addressed. We can look to two recent examples of data breaches to see why heightened access management of critical resources is crucial to protecting your organization from a breach.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Kaseya, which is a technology software provider for IT outsourcing companies or managed service providers (MSPs), was hacked by Russia-linked cybercriminal group REvil. This is one of the largest ransomware attacks to date, and hackers demanded $70 million in cryptocurrency.
Ask yourself, “If this asset is compromised or stolen, is it a big deal? Are people able to still do their jobs if something happens to it?”
Vulnerabilities were found in Kaseya’s authentication methods. As a result, REvil was able to insert malicious code into Kaseya’s vendor security alliance (VSA) software.
Kaseya, acting here as the third party, sent infected software updates to several dozen of their customers. The attack not only endangered the Kaseya organization, but put the managed service providers (MSPs) in their supply chain in jeopardy.
Accellion, an organization that provides businesses with file sharing technology, experienced a ransomware attack that hit its file transfer application (TFA).
Accellion is a third-party file sharing vendor for hundreds of organizations. Its TFA was targeted and attacked by hackers who threatened to exploit sensitive and private data in order to receive a ransom payment.
Several Accellion customers faced the ransom threat, including notable organizations like Morgan Stanley, Kroger, Jones Day, Trinity Health, and Flagstar Bank. The hackers stole data that included customer addresses and social security numbers. And months after the incident, several organizations are still recovering from the attack.
How Critical Access Management Can HelpIn both of these examples, it’s not just a matter of businesses placing their trust in the wrong third party; it’s a matter of poor access management. Kaseya and Accellion are both reputable organizations, but reputation will only get you so far. Reputation doesn’t build a secure framework that will protect your business’ critical assets. Only critical access management can do that.
Critical access management is the art of securing access points and assets that are critical to a company’s success. High risk access points and assets, such as the sensitive information threatened or stolen in both of these examples, need security measures that include the goverance, control and monitoring of all access, such as:
- Implementing access policies that keep third-party access restricted
- Using Zero Trust Network Access so any third party breach is contained and doesn’t infect the other systems in a business’ infrastructure
- Establishing monitoring procedures so when third parties are attacked, you can reactively investigate the situation to determine how much damage was done and trace back to the source of the attack
Protecting your critical access points and assets should be the number one priority in your cybersecurity strategy. Ask yourself, “If this asset is compromised or stolen, is it a big deal? Are people able to still do their jobs if something happens to it?” For the customers of Kaseya and Accellion, stolen private information is indeed a big deal, and several companies had to halt operations because of the third-party attacks. So maybe it’s time to ask yourself those questions and re-evaluate the way your business handles third parties before it’s too late.