Protecting yourself from supply chain attacks

by Mark Rowe

The aftermath of the MOVEit supply chain hack shows the impact of a cyber-breach long after the headlines have gone, writes AJ Thompson, CCO of the IT company Northdoor plc.

The recent high-profile hack of Progress Software and its MOVEit file transfer product caught the headlines as major companies across the world fell victim to yet another supply chain attack. The attack has been attributed to a Russian cybercriminal gang known as Clop, and some huge organisations have been caught up in it, including the BBC, British Airways, Aer Lingus, Boots, Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Cognizant and AbbVie.

Most of these organisations used MOVEit, directly or through a supplier, to transfer payroll information, which means that the data taken by the attackers has the potential to affect millions of individuals and involves some of the most sensitive data a company holds.

Effectiveness of supply chain attacks

It is another example of how ‘effective’ a supply chain attack can be for cybercriminals. One attack, on one company, has the potential to give criminals access to hundreds of companies across the globe. It also means they can reach huge companies without having to navigate their often-comprehensive front-line defences.

Indeed, a supply-chain attack can bypass front-line cybersecurity investment entirely, because it comes in through the ‘back door’: a vulnerability in a partner's product or defences. A single compromise of a widely used supplier therefore gives cybercriminals a route into potentially thousands of that supplier's customers at once.

The impact after the headlines

These types of attacks, especially when such large companies are involved, will always grab the headlines. These stories are high-profile and for a few days will engage the public and raise the awareness of cyberattacks.

However, once the headlines die down, and before another high-profile attack occurs, the story disappears and is often forgotten, along with the consequences of the attack. It is important that the far-reaching effects of these attacks are not forgotten.

For example, the company where the attack originated not only has to deal with the fact that it has suffered a cyberattack itself, but also with the fact that the attack went on to affect many of its own customers, or the customers of a partner. It goes beyond this, too: the ongoing impact of a cyber-attack is that the reputation of the initial victim is damaged, sometimes beyond repair.

The victim also suffers financial consequences as customers leave, and with its reputation damaged, its ability to win new customers is also impaired. Losing business and being unable to attract new business is just one aspect of the financial consequences. This latest attack has shown that things can get much worse after the headlines have gone away.

It also takes time to confirm that the software is free of any remaining vulnerabilities, and while it is out of action customers will be forced to turn to other solutions, potentially from competitors. Victims therefore have to deal not only with the immediate economic impact of a hack and the regulatory consequences, but also with the fact that their product is being replaced with alternatives while it is being checked and remediated.

Legal implications

There are more regulations than ever surrounding the protection of data. If a company is found to have fallen below the standard set out by those regulations, it can be fined, sometimes huge amounts of money. This often puts it back in the headlines, causing further damage, not just to its bank account but to its reputation.

Aside from regulatory pressures, as we have seen from this latest attack, companies that have been attacked are also now at increasing risk of being sued by their former partners and their customers.

Progress Software, the maker of the MOVEit file and cloud transfer software that was hacked, is now being sued over its cybersecurity practices. In the last few weeks, in a pattern that is now regularly seen in the aftermath of a large cyberattack, Progress has been hit with a class-action lawsuit brought by a number of individuals.

These are not the companies affected by the hack, but the end users whose data has been stolen. In this particular example the plaintiffs represent more than 100 individuals who say that Progress Software's security practices were negligent, resulting in their personal data being stolen. The complaint itself describes this data as ‘a gold mine for data thieves’.

The plaintiffs are seeking damages in excess of $5 million, having suffered numerous phishing calls from scammers and unauthorised charges to payment cards. If this action succeeds, then with potentially millions of individuals affected we would expect to see more such lawsuits, potentially enough to drive the company out of business.

Protecting yourself from the threat of a supply chain attack now has to be a priority for most businesses. The complex nature of most supply chains means that keeping an eye on vulnerabilities within each partner is almost an impossible task using traditional methods.

The old method of relying on questionnaires and the honesty of partners is no longer enough to ensure that a supply chain is secure. Some companies are turning to AI-based tools to gain a fuller view of the vulnerabilities lying within their partner network. This allows them to contact partners and close gaps in cybersecurity before they are exploited by cybercriminals.

With the consequences beyond the headlines now so severe, companies have to turn to the latest technology to ensure that they are protecting themselves and their customers. The success cybercriminals have had with supply chain attacks means this approach is not going away; if anything, it is likely to get worse over the coming months. Arming themselves with a full picture of where the vulnerabilities lie in their partner network can help companies ensure those vulnerabilities are closed before they are exploited.

© 2024 Professional Security Magazine. All rights reserved.