Supply chain cyberattacks seen as catastrophic for business
In the wake of the MOVEit ransomware cyberattack, a leading cybersecurity expert warns that back door supply chain cyberattacks have the potential to put organisations out of business.
The MOVEit cyberattack saw a ransomware gang hack into multiple company networks and steal data. The vulnerability was first flagged by security researchers and the US government in early June.
MOVEit is a managed file transfer software service that encrypts files and uses secure File Transfer Protocols to transfer data. It also provides automation services, analytics and failover options.
Organisations to have suffered data breaches as a result of the hack include accounting firm PwC, professional services company Aon, the BBC, British Airways, Aer Lingus, Boots, Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Conizant and AbbVie.
MOVEit was used by most of these companies to transfer payroll information, which means data taken by the Russian hackers has the potential to impact millions of people.
“It’s just another example of how effective a supply chain attack can be for cybercriminals,” says AJ Thompson, CCO at London-based IT consultancy Northdoor.
Back door supply chain attacks 'can be fatal'
Speaking to Supply Chain Digital, he added: “One attack on a single company has the potential to give criminals access to hundreds of companies across the globe, giving them access to huge companies without having to navigate through the often-comprehensive front-line defences.”
Thompson says that supply-chain attacks can negate any front-line cybersecurity investment made by potentially thousands of companies.
He says: “These types of attacks, especially when such large companies are involved, will always grab the headlines. The stories are high-profile and for a few days will engage the public and raise the awareness of cyberattacks.
“But once the headlines die down the far-reaching effects of attacks continue on. For example, the company where the attack originated means their reputation is damaged, sometimes, beyond repair.
“The victim also suffers financial consequences, with customers leaving and its ability to find new customers also impacted.
And he adds that victims have to not only deal with the immediate economic impact of a hack but also the fact that their solution is replaced with alternatives, while it’s being checked for bugs.
He adds: “There are more regulations than ever surrounding the protection of data. If a company is found to have fallen below the standard set out by the various regulations, then they can be fined, sometimes huge amounts of money.
“This often means that they are back in the headlines, causing further damage, not just to their bank accounts, but to their reputation.
Supply chain cyberattacks class-action risks
“Companies who have been attacked are also now at an increased risk of being sued by their former partners and their customers.
Progress Software, the makers of MOVEit, has now been hit by a class action lawsuit over its cybersecurity practices – not by the companies impacted by the hack, but end-users, whose data has been stolen.
The victims are looking for damages in excess of US$5m, having suffered phishing calls from scammers and unauthorised charges to payment cards.
“If the action is successful we can expect to see more of these lawsuits, potentially driving the company out of business,” says Thompson.
He adds: “Protecting yourself from the threat of a supply chain attack has to be a priority for businesses. The complex nature of most supply chains means that keeping an eye on vulnerabilities within each partner is almost an impossible task using traditional methods.
“Relying on questionnaires and the honesty of partners can no longer be enough to ensure that supply chains are secure. Some companies are turning to AI solutions to help gain a 360-degree view of potential vulnerabilities lying within their partner network.
“This allows companies to contact partners to close any gaps in cybersecurity, before they are exploited by cybercriminals.”
“The success cybercriminals have seen from supply chain attacks means this approach is not going away. If anything, it is likely to get worse over the coming months.”
