Business Risk Starts Within...
In June a popular file-sharing software amongst big-name companies likes Shell, Siemens Energy, Sony, several large law firms, a number of US federal agencies such as the Department of Health and more was hacked by Russia-linked cybercrime group Cl0p. In its August 24 article, Security Magazine reported that, to date, there are 988 known companies impacted by the breach, resulting in the personal information of more than 59 million people being compromised. More are expected to emerge as the investigation continues.
If you’re reading that list of company names thinking, “I’m just a small business compared to these big guys – that won’t happen to me,” we’ve got news for you. Many of these companies have cyber security budgets in the millions, and it still happened to them, not because they were ignoring the importance of cyber security, but because of a piece of software they use to run their business.
Progress Software’s MOVEit, ironically advertised as a tool you can use to “securely share files across the enterprise and globally,” “reduce the risk of data loss” and “assure regulatory compliance,” was exploited by a tactic called a zero-day attack. This occurs when there is a flaw in the application that creates a gap in security and has no available patch or defense because the software maker doesn’t know it exists. Cybercriminals quickly release malware to exploit the vulnerability before the software maker can patch it, essentially giving them “zero days” to respond.
These attacks are dangerous because they are difficult to prevent and can quickly and easily ruin smaller businesses.
Depending on the organization’s motives, the stolen data can be deleted, held for ransom or sold on the dark web. Or, if you are lucky enough to recover your data, you might still end up paying out thousands or more in fines and lawsuits, losing money from downtime and coming out on the other end with a damaged reputation that causes clients to leave anyway. In MOVEit’s case, the cybercrime agency Cl0p has claimed on their website that their motivation is purely financial and has allegedly deleted data obtained from government agencies as they were not the intended targets.
What does this mean for small businesses?
For starters, it underlines the harsh reality that cyber security isn’t just the concern of big businesses and government agencies. In fact, small businesses can be more vulnerable to cyber-attacks, as they often dedicate fewer resources to protection. While the small business might think that no one is interested in their data, the threat actors know that it is important to the business owner and their clients. Using that leverage, either through ransomware or extortion, the threat actor often wins. Again, their motivations are most often purely financial in nature.
It also means that even if your organization is secure, the third-party vendors you work with and the tools you choose to use in your business still pose potential risks. Most of MOVEit’s customers that were affected likely had strong cyber security measures in place. Even though it was no direct fault of their own, at the end of the day, those companies still must go back to their clients, disclose what happened and take the verbal, legal and financial beating that comes with a data breach.
The MOVEit hack serves as a grim reminder of the critical importance of cyber security for businesses of all sizes. In the face of an increasingly sophisticated and fast-moving cyberthreat landscape, businesses cannot afford to ignore these risks. Cyber security must be an ongoing effort, involving regular assessments, updates, monitoring, training and more. As this terrible incident shows, a single vulnerability can lead to a catastrophic breach with severe implications for the business and its customers.
In the digital age, cyber security isn’t just a technical issue – it’s a business imperative.
An important facet of creating a cybersecurity aware culture in your organization is to ensure that all your business tools, service providers, and third party resources have been evaluated to determine what level of risk they impose on your organization. From there, determine what controls must be implemented to minimize that risk. When you consider your current IT provider, to what extent do THEY protect themselves from becoming a headache for you?
If you have ANY concerns about your own business or simply want to have a second set of eyes examine your network for vulnerabilities, we offer a FREE, objective Cyber Security Risk Assessment.
Click here to schedule a quick consultation to discuss your current situation and get an assessment on the schedule.
No comments:
Post a Comment