The Third-Party Risk Perspective on Microsoft Hack



Earlier this month, tech titan Microsoft reported a state-sponsored cyber breach which is said to have impacted thousands of businesses around the globe.

In a blog post, the Microsoft Threat Intelligence Center (MSTIC) attributed this breach with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China. The group exploited vulnerabilities in on-premises Exchange Server that enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments.

In this hyper-connected business environment, where we depend on multiple organizations to run our business smoothly, the cyberattack surface is continuously expanding and is not limited to your own infrastructure. It is imperative that organizations continuously monitor the relevance and effectiveness of their cyber risk management programs, as well as those of the partners with whom they share sensitive information, to identify and address any vulnerable areas or loopholes. The situation is further exacerbated by the growing interconnectivity of organizations resulting from the accelerated pace of digitalization. As such, organizations are left with an extremely short window of time to react to any emerging or existing risk event.

An organization is only as strong as its weakest link. As an organization's third-party network proliferates, the number of potential points of failure grows with it. To successfully manage a vast network of suppliers, it becomes critical to ensure visibility into the supply chain hierarchy and to map third parties to products, services, fourth and subsequent parties, and business units.

The Growing Problem of Third-Party Breaches

Third-party breaches have been on the rise for quite some time. There have been more than 25 breaches caused by third parties in just the first 3 months of 2021, including big names such as Facebook, Instagram, LinkedIn, the supply chain for Audi, BMW, Mercedes, Porsche, Saab, Volkswagen and Volvo across North America, Microsoft, Singapore Airlines, Qualys, Airbus, Air Caraïbes, ArcelorMittal, BT, PWC Russia, etc.

The most recent Microsoft hack has underscored how third-party risks can make multiple organizations susceptible to illicit actors.

In this incident, thousands of organizations worldwide using Microsoft Exchange Server—a mail and calendar server and collaboration solution—were impacted. While the Windows-maker said that it quickly deployed an update for the Hafnium exploits, it is estimated that the breach affected at least 30,000 organizations across the U.S., including small businesses, towns, cities, and local governments, and 60,000 computer systems in Germany. The full scale of the impact is expected to become clearer in the forthcoming weeks.

What makes this hack graver is the fact that organizations using Exchange Server could not have prevented it, as this was a zero-day exploit. The European Banking Authority (EBA) took its email systems offline following the incident. In a subsequent update on the matter, it said that the scope of the event was limited and that the confidentiality of the EBA systems and data had not been compromised. Meanwhile, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.

That said, organizations must not let their guard down when dealing with third-party risks. To thrive in today's digital era, they need to implement a well-defined third-party risk management program that provides an integrated, real-time view of the extended enterprise. A robust, technology-driven program will help organizations automate the entire third-party risk management lifecycle, thereby improving visibility into the risks posed by third and subsequent parties and accelerating responses to risk events. Organizations should also have a robust business continuity program in place to keep critical business functions running in the event of such disasters.

MetricStream helps organizations effectively manage third-party risks with its Third-Party Risk Management product. With continuous third-party monitoring, periodic third-party due diligence, and intuitive dashboards and reports, the product empowers organizations to protect their business from existing and potential threats from third parties, as well as to strengthen resilience, contain costs, and optimize business performance.

To learn more about third-party risk management, read MetricStream's eBook, Boosting Third-Party Risk Management in a Time of Uncertainty, which delves into how third-party risks can expose organizations to a wider spectrum of risks if left unchecked. It also provides quick tips on how to review third-party risk management operating models and identify gaps or opportunities for improvement.
