Kaseya Ransomware Attack: Is Your Organization Prepared for Third-Party Cyber Risk?
IT GRC/Cybersecurity | 3 Min Read | 07 July 21 | by Hrishikesh Choudhari
Yet another cybersecurity incident has highlighted the vulnerabilities of the extended enterprise. Just ahead of the Fourth of July weekend, up to 1,500 businesses worldwide fell victim to a ransomware attack centered on U.S. information technology firm Kaseya.
Understanding the Kaseya Ransomware Attack
Kaseya is a provider of IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses (SMBs). In a statement dated July 05, the company said that its VSA product was compromised in a sophisticated cyberattack, allowing the attackers to cripple end customers with a massive ransomware attack.
Who is responsible:
As per reports, hackers from the REvil cyber adversary group, the threat actors purportedly also behind last month's ransomware attack on JBS, were able to compromise one of Kaseya's tools. They have reportedly demanded $70 million to restore the data.
In a press release, Kaseya said, “While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure...Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”
In a statement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that it was taking action to “understand and address the recent supply-chain ransomware attack against Kaseya VSA”, adding that it “encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers.”
The UK's National Cyber Security Centre also issued a statement saying that it is “working to fully understand this incident and mitigate potential risks to the UK.”
The Growing Third-Party Cyber Risk
Security breaches via third parties are growing at an alarming rate in both volume and sophistication. The major underlying reasons are the growing reliance on third parties for mission-critical goods and services and the amplified digital interconnectedness of organizations, further spurred by the COVID-19 pandemic.
The SolarWinds hack, the security breaches at Microsoft and Accellion, and now Kaseya, underscore the increasingly precarious digital environment businesses operate in today and how a security incident at one organization can quickly travel and paralyze several other connected businesses. According to the 2021 Ponemon Institute report, more than half of the survey respondents said that their organization has experienced a data breach caused by third parties.
Technology-Driven Approach to Third-Party Risk Management (TPRM)
Organizations today need to be proactive in managing their third-party relationships and extended enterprise. Here are a few key considerations for an effective TPRM program:
- Establishing a common nomenclature for onboarding, assessing, monitoring, and off-boarding third parties, along with a centralized repository of all related information.
- Ensuring clear and comprehensive documentation with well-defined clauses that make it explicit to third parties what they need to do, including how to handle sensitive data after the contract has terminated.
- Implementing an effective third-party onboarding process that helps ascertain whether third parties are financially stable, secure, regulatory compliant, and more.
- Categorizing third-party vendors based on the extent of their access to critical assets and their impact on an organization's margins and profitability.
- Managing fourth-party risk efficiently, so that the organization has visibility into the portfolio of fourth and subsequent parties, can identify the critical ones, and can perform due diligence and raise red flags on an ongoing basis.
A technology-based TPRM solution, embedded with these capabilities, can considerably simplify, structure, and streamline managing the entire third-party lifecycle—from their onboarding to contract termination. This approach will help organizations enhance their visibility into the risks posed by the third and subsequent parties and accelerate responses to risk events.
MetricStream helps organizations effectively manage third-party risks with its Third-Party Risk Management product. Its key capabilities, including Continuous Third-Party Monitoring, Periodic Third-Party Due Diligence, Intuitive Dashboards, and Reports, empower organizations to protect their business from existing and potential threats from third parties, as well as strengthen resilience, contain costs, and optimize business performance.