Over the Fourth of July weekend, Kaseya, a software vendor that provides endpoint management and network monitoring solutions, was hit by a ransomware attack carried out by the Russia-based ransomware gang REvil, which exploited a zero-day vulnerability in Kaseya's VSA remote management product to push ransomware to managed endpoints.
Kaseya has identified roughly 50 of its direct customers as compromised, but the attack is currently estimated to have impacted about 1,500 businesses across 17 countries. It spread that widely because many of the affected customers were managed service providers (MSPs) that use VSA to run IT for small businesses, so one compromised provider meant many compromised downstream clients.
How to decrease the likelihood of an attack
While it’s too late for those businesses affected by this attack, there are several things to consider that will decrease the likelihood of a ransomware attack in the future and mitigate its potential impact.
You can’t offload risk. Hiring a consultant or MSP to manage your IT does not mean you can blindly trust them to keep your business from being attacked. You still own the risk. If someone gains access to your sensitive data, even through a third party's tools or credentials, the responsibility and all of the ensuing fallout are yours.
Educate your employees. IT security awareness training should occur on a regular basis and cover the common tactics attackers use to gain a foothold, such as phishing campaigns. Training does not make phishing impossible, but it makes employees far more likely to recognize a suspicious message and report it instead of acting on it. Frequent training and reminders are crucial; even a monthly reminder about phishing and other threats is helpful.
Have an incident response plan in place. Cybersecurity incidents run the gamut from unauthorized attempts to access your systems or data to denial-of-service attacks and ransomware. It’s important to have a plan in place for you to respond to each type of incident so you can act quickly if/when they occur.
Incorporate third-party oversight in your plan. Have a process in place to assess third parties across your supply chain. Know what the impact will be if a given vendor is compromised, and in particular whether that vendor holds privileged access to your network or data, as the MSPs in this incident did through their remote management tooling.
Utilize network segregation. Segregate data networks from application networks, and segregate both from administrative networks. You, not a vendor, should control the communication between those networks: default to deny, open only the ports each flow actually requires, and block everything else. Additionally, monitor the traffic crossing those boundaries. If you see traffic that falls outside your baseline, investigate it.
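The following is an added example, not code from the original post or from Whistic: it expresses the three-segment design above as an explicit allow-list, renders it as a default-deny nftables forward chain for the router between the segments, and then runs a few constructed flow records against the same allow-list to pick out the traffic that should be investigated. The segment names, subnets, ports, the `Flow` record format and every sample flow are assumptions made up for the illustration.

```python
"""Segment policy -> nftables ruleset, plus a baseline check over observed flows.

Added example for illustration only. The segments, subnets, ports, the flow
record format and SAMPLE_FLOWS are all constructed; substitute your own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segments: the three networks the post says should be kept apart.
SEGMENTS = {
    "admin": ipaddress.ip_network("10.0.0.0/24"),
    "app":   ipaddress.ip_network("10.0.1.0/24"),
    "data":  ipaddress.ip_network("10.0.2.0/24"),
}

# Constructed baseline: the only cross-segment flows the business requires.
# Tuples are (source segment, destination segment, protocol, destination port).
BASELINE = {
    ("app",   "data", "tcp", 5432),   # app servers query the database
    ("admin", "app",  "tcp", 22),     # admins SSH into app hosts
    ("admin", "data", "tcp", 22),     # admins SSH into database hosts
}


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def nftables_ruleset() -> str:
    """Render a default-deny forward chain that accepts only BASELINE flows.

    Replies to accepted connections pass via conntrack; everything else is
    logged (so the drop shows up in your monitoring) and then dropped by the
    chain policy.
    """
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, port in sorted(BASELINE):
        lines.append(f"    ip saddr {SEGMENTS[src]} ip daddr {SEGMENTS[dst]} "
                     f"{proto} dport {port} ct state new accept")
    lines.append('    log prefix "seg-drop: "')   # non-terminating; policy drop follows
    lines += ["  }", "}"]
    return "\n".join(lines)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def classify_flow(f: Flow) -> Tuple[str, str]:
    """Return ('baseline' | 'investigate', reason) for one observed flow."""
    s, d = segment_of(f.src), segment_of(f.dst)
    if s is None or d is None:
        return "investigate", "endpoint outside every known segment"
    if s == d:
        # Traffic that never crosses a boundary is not seen by the forward chain.
        return "baseline", "intra-segment"
    if (s, d, f.proto, f.dport) in BASELINE:
        return "baseline", f"{s}->{d} {f.proto}/{f.dport} is an allowed flow"
    return "investigate", f"{s}->{d} {f.proto}/{f.dport} is not in the baseline"


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto dport' record (e.g. from a flow export)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


# Constructed sample records: two expected flows and three that warrant a look.
SAMPLE_FLOWS = """\
10.0.1.10 10.0.2.5 tcp 5432
10.0.0.7 10.0.1.10 tcp 22
10.0.2.5 10.0.0.7 tcp 445
10.0.1.10 10.0.0.7 tcp 3389
10.0.1.10 198.51.100.23 tcp 443
"""


def review(flow_text: str = SAMPLE_FLOWS) -> List[Tuple[Flow, str]]:
    """Return every flow that falls outside the baseline, with the reason."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        verdict, reason = classify_flow(f)
        if verdict == "investigate":
            findings.append((f, reason))
    return findings


if __name__ == "__main__":
    print(nftables_ruleset())
    for f, reason in review():
        print(f"INVESTIGATE {f.src} -> {f.dst} {f.proto}/{f.dport}: {reason}")
```

Two design points worth noting. The firewall rules and the log review are generated from the same `BASELINE` set, so the thing you enforce on the wire and the thing you alert on cannot drift apart. And the interesting finding in the sample is the database host opening SMB (tcp/445) to an admin workstation: the forward chain would drop it, but the log line is what tells you that something on the data network is trying to move laterally and needs investigating rather than just silently blocking.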
Tips for assessing third parties
Implement a vendor security policy. Every business needs a vendor security policy for third parties that have access to your systems and data. A typical vendor security policy will include:
- The criteria for vendor risk ratings, vendor agreements, and vendor security requirements.
- The assessment methodology you will use.
- What to include in your vendor inventory.
- How you will treat identified risk.
- The process for terminating vendors.
- How the policy will be enforced.
Determine your data risk classification model. Most data risk classification models rank data as:
- Low (information that is readily available to the general public).
- Medium (confidential information that is used internally but, on its own, lacks the context that would make it damaging if exposed).
- High (highly confidential information, including personally identifiable information).
Streamline vendor intake. It’s essential to collect all the information you need to assess a vendor upfront so your InfoSec team has everything it needs to assign inherent risk to begin the vendor assessment process.
Decide on an assessment methodology. The inherent risk assigned to a particular vendor determines the thoroughness of the assessment and how frequently assessments will occur.
Utilize technology to streamline the process. A vendor assessment platform can streamline the process by consolidating all of your security reviews into one place while enabling you to collaborate with key stakeholders to identify and remediate potential risks.
How Whistic can help
Identifying potential risks from third-party vendors is critical. Following the steps outlined above and utilizing a tool like Whistic to discover vendors, assess their potential risks, and implement a plan of action reduces the chance that attackers can take advantage of a vendor's access to your environment.
Whistic Vendor Security simplifies the vendor assessment process for your business by automating many of the key steps along the way and gives you confidence that your customer data is protected.