The MOVEit breach recently surged back into the headlines, with IBM and the Colorado Department of Health Care Policy & Financing confirming cyber-attacks that exposed the private health care data of millions of people. The ensuing supply chain attacks have caused chaos for a growing number of victims spanning banks, hotels, energy giants and others. It is no coincidence that the events also saw the filing of five separate class-action lawsuits against Progress Software, the publisher of the MOVEit Transfer file transfer application.
The breach, and the widening scope of damage, highlight the hidden dangers of digital concentration risk, defined as a high level of dependence on massive, globally interconnected systems. In a highly concentrated system, a single vulnerability can affect millions of entities. Various reports indicate that at least 620 organizations and more than 40 million individuals have been affected, over one-third of them through third-party connections.
The incident underscores the constant battle to protect data and highlights the urgent need for a proactive approach to supply chain cybersecurity.
A Closer Look at the Attacks
Far from being limited to IBM, the MOVEit attacks have affected hundreds of organizations, including the BBC, British Airways, Johns Hopkins University, multiple U.S.-based financial services firms, and even U.S. government agencies.
The breaches were carried out by exploiting SQL injection vulnerabilities in the MOVEit Transfer web application (the initial one tracked as CVE-2023-34362), which gave the attackers access to the server's database and the files staged on it. The CL0P ransomware gang claimed responsibility and has gone on an extortion spree, contacting dozens of companies and demanding payment to prevent stolen information from being published online; in this campaign the leverage was stolen data rather than encrypted systems.
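The page does not reproduce the vulnerable MOVEit code, so the following is an added illustration of the bug class, not Progress Software's code or schema. It stands up a tiny in-memory SQLite table (constructed sample data) and contrasts a string-concatenated query, which a classic tautology payload bypasses, with the parameterised form that treats the same input as plain data:

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for a
# file-transfer server's user store. This is NOT MOVEit's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """Attacker-controlled input is spliced into the SQL text, so quote
    characters in it change the meaning of the query."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values
    separately, so they can never be parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

# Classic tautology plus a '--' comment that swallows the trailing quote.
# Because AND binds tighter than OR, the WHERE clause becomes
#   (username = 'alice' AND password = '') OR '1'='1'
# which is true for every row.
PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice", PAYLOAD))  # ('alice', 'admin')
    print("safe:      ", login_safe(db, "alice", PAYLOAD))        # None
```

The fix is structural, not a blocklist of characters: every query that touches user input should be parameterised, and the check above (does a quote-bearing payload change the result set?) is a cheap regression test to keep around.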
Six Steps to Respond Proactively
Though the situation is still unfolding, six key lessons have already emerged:
- Collaborate with Cybersecurity Teams & Identify Affected Third Parties: Engage procurement and cybersecurity teams to agree on guidance and vendor communications, and determine which vendors use MOVEit. Unlike phone calls or surveys, automated platforms can identify likely affected vendors immediately, including across sub-tier and extended supplier networks. Contact these critical vendors at once and agree on mitigation strategies. If the enterprise relies on legacy or manual systems, the only option may be a manual questionnaire to vendors, which can take weeks to gather and analyze before mitigation can begin. If customer data has been exposed, take steps to notify those customers and review your vendor contracts for data breach notification requirements.
- Segment Critical Third Parties: Identify and group third parties and supply chain partners based on their criticality to continued operations and on their own financial and operational instability.
- Drill Deeper: Once critical third parties and supply chain partners have been identified, drill into the risk sub-factors to understand their true vulnerability posture. When assessing vendors, consider everything from liquidity to cybersecurity breach history. Undertake exercises such as threat modelling to understand which vulnerabilities pose the most risk to operations.
- Take Action: Develop an action plan to address findings. Long-term and short-term risks may require different remediation measures, such as focusing InfoSec teams on addressing specific CVEs.
- Perform Cybersecurity Due Diligence/Continuous Monitoring: In addition to immediate triage, it’s important to assess suppliers who furnish similar software to evaluate their cybersecurity practices as copy-cat attacks are a strong possibility. Again, automated risk assessment/monitoring applications will help here – provided they have insight across your supply chain.
- Stay Updated with Official Information: Monitor official information from Progress Software and other sources for updates.
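The first three steps above (find who uses the affected product, including indirectly through sub-tier suppliers, then rank them by criticality) are mechanical once the supplier relationships are in a machine-readable inventory. The following added example, not Interos's platform or code, shows the traversal on a constructed, hypothetical vendor graph: each vendor lists the products it runs and its own upstream suppliers, and a breadth-first search finds every direct vendor exposed to the affected product and the chain through which it is exposed:

```python
from collections import deque

# Constructed sample inventory (hypothetical vendor and product names).
# Each vendor: products it operates, and its own upstream suppliers.
VENDORS = {
    "acme-payroll":  {"products": ["MOVEit Transfer"], "suppliers": []},
    "cloudbox":      {"products": ["SFTP Gateway"],    "suppliers": ["acme-payroll"]},
    "northwind-erp": {"products": ["ERP Suite"],       "suppliers": ["cloudbox"]},
    "freshprint":    {"products": ["Print Portal"],    "suppliers": []},
}

# Our direct (tier-1) vendors and their criticality to operations (1 = most critical).
DIRECT = {"northwind-erp": 1, "freshprint": 3, "cloudbox": 2}

AFFECTED_PRODUCT = "MOVEit Transfer"

def exposure(vendors, direct, product):
    """Map each exposed direct vendor to the supplier chain that exposes it.

    A direct vendor is exposed if it runs `product` itself or if any supplier
    reachable through its sub-tier network does. Unknown suppliers (not in the
    inventory) are treated as having no known products or suppliers.
    """
    result = {}
    for tier1 in direct:
        seen = {tier1}
        queue = deque([(tier1, [tier1])])
        while queue:
            cur, path = queue.popleft()
            info = vendors.get(cur, {"products": [], "suppliers": []})
            if product in info["products"]:
                result[tier1] = path      # first (shortest) chain found
                break
            for sup in info["suppliers"]:
                if sup not in seen:
                    seen.add(sup)
                    queue.append((sup, path + [sup]))
    return result

def prioritize(exposed, direct):
    """Order exposed direct vendors most-critical first (ties broken by name)."""
    return sorted(exposed, key=lambda v: (direct[v], v))

if __name__ == "__main__":
    exposed = exposure(VENDORS, DIRECT, AFFECTED_PRODUCT)
    for vendor in prioritize(exposed, DIRECT):
        print(f"criticality {DIRECT[vendor]}: {' -> '.join(exposed[vendor])}")
```

On the sample data, `northwind-erp` does not run MOVEit itself but is exposed two tiers down (`northwind-erp -> cloudbox -> acme-payroll`), which is exactly the case a tier-1-only questionnaire would miss. Replace the inline dictionaries with an export from your vendor inventory and the affected product string with whatever the next advisory names.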
Emphasizing Resilience by Design™
In a world of escalating supply chain cyber-attacks, the MOVEit breaches have highlighted the dangers of digital concentration risk and the need for robust third-party risk management practices. This incident is only the latest to emphasize the importance of proactively and continuously assessing enterprise supply chain cybersecurity backed by a robust incident response plan.
More broadly, the attacks stress the need for organizations to take control of risk for competitive advantage by ensuring resilient design in supply chain cybersecurity strategies. Per Interos’ latest annual survey of procurement leaders, cyber-attacks were the second-greatest concern for supply chain leaders, after supply shortages – costing large companies $43M a year, on average. Additional survey risk insights can be downloaded here.
By embracing Resilience by Design™, organizations can overcome risks, simplify their business, and deliver results. It is not about avoiding the inevitable but about planning for it and reducing the impact, time and resources required to restore normal operational performance.
Cyber-attacks and ransomware are inevitable – every organization will be impacted by one at some point – but with continuous multi-tier monitoring, and comprehensive recovery planning, we can minimize the damage and maximize profitability.