Evide hack shows how we must take third-party security management more seriously
This week, another hack affecting vulnerable end users in Ireland and the UK will have caused a great deal of stress and anxiety for the people and organisations involved.
The nature of these attacks is shocking. When cyber attacks hit the news, it is a timely reminder of the need to raise awareness and to understand the responsibilities and risks that come with managing IT security. The majority of cyber incidents never make the news, but be under no illusion: companies are being attacked on a daily basis.
Unfortunately, this case looks similar to the HSE hack of 2021, in the sense that the ultimate victims are vulnerable people. Initial indications are that the stolen data will most likely be used to target those individuals directly, since their personal details are valuable for scamming them out of more money.
This is a horrible situation for the non-profit organisations involved and for their vulnerable clients whose data has been stolen. The uncertainty over what happens next will cause frustration and anxiety, and there is no defined timescale for when some or all of the data will be used. Ultimately, the attackers are unscrupulous; all they care about is making money.
We thought it would be useful to explain why these types of attacks happen and what organisations can do to protect themselves. In our experience this is an emerging and evolving threat, and organisations may not be aware that it needs to be managed. So here is a short guide on what you can do to avoid a similar incident affecting your organisation.
Why attack a third-party provider?
There are lessons here for companies in general. In this most recent case, the attack was on a third-party company providing services through a SaaS (Software as a Service) platform. The vast majority of companies use some form of SaaS provider, and understanding the risks this brings is essential to any well-run cyber programme. In 2021, approximately 17% of all cyber incidents originated from a third-party provider, up from 1% in 2020, which shows that attackers will keep evolving their methods to get better results. Why is this threat coming to the fore? Simply put, by breaching one SaaS provider an attacker gains access to the data of every customer of that provider at once, which lets them make more money, their ultimate goal.
So what can defending organisations do?
Software-as-a-Service (SaaS) providers are a common third-party vendor that organizations rely on for various business needs, ranging from HR management to customer relationship management. However, these vendors may also pose significant cybersecurity risks to organizations if their security measures are inadequate. To help organizations manage their third-party cyber risks with SaaS providers, we have listed some essential steps that they should take:
Identify and categorise SaaS providers: The first step in managing third-party cyber risk is to identify every SaaS provider the organisation uses, including those signed up for by individual departments without IT's involvement. Then categorise these vendors by the criticality of the service they provide, the sensitivity of the data they hold and the potential impact of a breach. This categorisation prioritises the effort spent on each vendor, and we recommend a tiered approach that scales the work to criticality (for example, there is no need to perform a detailed risk assessment on a low-criticality provider that holds no sensitive data).
Conduct a risk assessment: Once the vendors are identified, the organization should conduct a risk assessment to evaluate the level of risk associated with each vendor. The assessment should include the vendor's security policies and procedures, their data handling practices, and their compliance with relevant regulations and industry standards.
Establish cybersecurity requirements: Organizations should establish cybersecurity requirements that SaaS providers must meet. These requirements should cover the vendor's security policies, incident response procedures, access controls, and encryption protocols. The requirements should also include provisions for regular security assessments and audits.
Review vendor contracts: Organizations should review their contracts with SaaS providers to ensure that they include cybersecurity requirements and liability clauses in case of a security breach. Contracts should also specify the level of access that the vendor has to the organization's data and outline the organization's data ownership rights.
Monitor vendor compliance: Organizations should monitor SaaS providers' compliance with their cybersecurity requirements regularly. This monitoring can include regular security assessments, reviewing the vendor's security reports, and conducting periodic audits. If the vendor fails to meet the established cybersecurity requirements, the organization should take corrective action, which may include terminating the contract.
Develop an incident response plan: The organization should develop an incident response plan that covers a security breach at a SaaS provider, bearing in mind that the organization will depend on the vendor for details of what was taken and when. The plan should include steps to contain the breach (for example, revoking the vendor's access and any integration credentials), to notify affected parties and, where personal data is involved, the relevant regulator within the required timescales, and to mitigate the impact of the breach.
Train employees: Finally, organizations should provide cybersecurity training to their employees to raise awareness of the risks associated with SaaS providers. This training should include guidance on selecting and managing SaaS providers, identifying and reporting security incidents, and following established security policies and procedures.
In conclusion, managing third-party cyber risks with SaaS providers is essential for organizations to protect their data and maintain their reputation. By following the above steps, organizations can establish a robust cybersecurity program that minimizes the risk of security breaches involving third-party vendors.
If you need help in this area, VISO can provide advice, guidance and solutions to help you understand your cyber risk. Get in touch to hear more. https://www.viso.ie