    Protecting Your Supply Chain From Ransomware

    Partner Access To Your Corporate Network May Make Good Business Sense, But Your Organization’s Risk Of Attack Rises If They Lack Cybersecurity Savvy.  

    by Mercedes Cardona

    Key Points

    • Enterprises are doing business with a growing number of third parties, adding complexity to their supply chains and placing them at a higher risk for a ransomware attack.
    • That means protecting your organization can’t be limited to just your organization.
    • Outside contractors, small vendors and independent consultants are attractive attack vectors for cybercriminals because they typically have access to — but lack the cybersecurity resources of — large companies.

    Most organizations have a hard enough time securing their own operations against cyberattacks targeting employees. But in this sharing economy of business partners, freelancers and contractors, securing the supply chain is just as important as keeping staff members from clicking on a phishing link that leads to ransomware.

    Approximately 60 managed services providers and roughly 1,500 of their downstream customers learned about supply chain ransomware attacks the hard way this weekend: They became ransomware victims when cyberattackers compromised Kaseya’s VSA remote monitoring and management IT middleware. According to Kaseya, only users of the on-premises version were compromised, not cloud-based customers.[1] The attackers are widely reported to be demanding a $70 million ransom.

    This latest attack has put many organizations on edge; in fact, 57% of organizations expressed concern about their ability to protect their supply chains and partners from ransomware, according to How to Reduce the Risk of Phishing and Ransomware, a white paper by Osterman Research. They also expressed low confidence in their contractors’ and consultants’ ability to recognize phishing emails, which have emerged as a major vehicle for ransomware attacks. Only 29% felt confident their contractors with network access could spot phishing attempts through email and only 26% felt confident that their contractors could spot phishing through other channels.

    In these work-from-home times, it’s worth noting that 72% of organizations don’t think they can effectively protect their employees’ home setups against use as an attack conduit; 63% said the same about their employees’ mobile devices. Resource-constrained small businesses, which cybercriminals view as weak links in the supply chain, can be particularly vulnerable. Indeed, one survey of 300 small defense contractors found nearly half had unpatched vulnerabilities, outdated software and other issues. The study turned up over 1,300 email security issues.[2] However, larger organizations with stronger or costlier security controls are not immune to security issues; in the face of a security monoculture like Microsoft 365, cybercriminals need only bypass the limited safeguards within the monoculture. Companies making use of a layered approach, such as defense-in-depth, are more confident in their ability to prevent an email-borne attack and are less likely to be severely impacted should one take place.

    Ransomware and Third-Party Attacks

    The dangers and consequences of ransomware attacks have dominated news headlines: The FBI logged 2,474 ransomware complaints in 2020, with losses estimated at over $29.1 million.[3] But that’s likely a conservative estimate, since many victims never disclose the cost of their ransoms, let alone acknowledge paying them. For example, the FBI recently recovered $2.3 million from one cybercriminal organization, which was only part of what was paid in a recent attack. And as the agency pointed out, “This number does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services.”[4]

    Protecting organizations against supply chain attacks is a complicated process, especially in a global economy that relies on business partnerships. A typical supply chain may include customers, suppliers and distribution partners, all of which may be connected to the enterprise via digital portals to facilitate agile operations. However, it also leaves a company susceptible to more points of attack. A Ponemon Institute report recently found 74% of organizations that experienced a breach in the last 12 months said it happened because they gave too much privileged access to third parties.[5]

    Network access also becomes harder to manage. Alarmingly, the Ponemon study found 54% of organizations don’t have a thorough inventory of all the third parties that can access their networks, and they can’t identify which ones have access to their most sensitive data.

    Riding herd on those users without proper visibility can be impossible, especially if oversight of third parties is split among internal organizations, including IT and operations. The Ponemon study found 59% of organizations had no centralized control over third parties with access to their systems.

    How to Stop Supply Chain Ransomware Attacks

    So how can organizations prevent ransomware attacks that come by way of their supply-chain partners? A few best practices can be helpful.

    • Gain visibility: Map your data flow, including any data that comes from third parties. Know who owns that data and who’s responsible for keeping it clean and safe.
    • Get to know your third parties: Learn how they use your systems and what protections they have against cybercrime, if any. Evaluate their security policies, such as how they handle their data backups and notifications of security breaches. A simple questionnaire can give you all that information, plus more, such as transaction volumes and the sensitivity of the data they handle.
    • Establish governance: Once you know where your data is and how it’s being used, establish some guardrails to protect it. Not all users need an all-access pass to your system, so consider limiting third-party access to relevant users and limiting their access privileges within the network. This “least-privilege” access can be a good starting point for handling partners. Establish a process to review access and privilege policies regularly, so that each third-party user’s access rights stay current and are revoked when no longer needed.
    • Invest in training: Human error is the source of most security breaches.[6] Security awareness training can help. Nearly two-thirds (62%) of the organizations in the Osterman survey said training users to recognize phishing was effective. With the rise of brand impersonation attacks, it’s worthwhile to teach staff to vet even those emails that appear to come from vendors and partners.
    • Review your security toolkit: Sixty-two percent of companies surveyed by Osterman said adding multifactor authentication, requiring some verification of identity, and the ability to remove suspected phishing emails from multiple mailboxes were effective ways to curb breaches. Additionally, new anti-phishing tools that use artificial intelligence and machine learning can be effective.

    The Bottom Line

    The Kaseya incident this weekend is only the latest in a long string of high-profile ransomware attacks. Ransomware will continue to trouble enterprises as cybercriminals continue to become more organized and sophisticated in their schemes, according to the Osterman report. Unfortunately, less than one-third of organizations are confident in their supply-chain partners’ ability to recognize they’ve been targeted by a phishing email, which puts the entire supply chain at risk. A few best practices, however, can go a long way in keeping the supply chain protected.


    [1] "Updates Regarding VSA Security Incident," Kaseya

    [2] Defense Industry Supply Chain & Security 2021, BlueVoyant

    [3] 2020 Internet Crime Report, FBI

    [4] "Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside," Department of Justice

    [5] A Crisis in Third-party Remote Access Security, SecureLink/Ponemon Institute

    [6] The Psychology of Human Error, Tessian
