Understanding Third-Party Cyber Attacks
In today's interconnected digital landscape, businesses rely heavily on third-party vendors for various services, from cloud storage to software development to payment processing. While this outsourcing brings efficiency and cost savings, it also introduces a significant cyber security risk: third-party cyber attacks.
The recent MediSecure hack, where a breach in a third-party vendor's systems exposed sensitive patient data, serves as a stark reminder of this growing threat.
It's a wake-up call for businesses to re-evaluate their third-party risk management strategies. Whilst we eagerly await the detailed findings from this attack, I thought it would be a good idea to explain what these attacks are and how to defend against them.
What Are Third-Party Cyber Attacks?
A third-party cyber attack occurs when a malicious actor gains access to a company's systems or data through a vulnerability in one of its vendors or suppliers. This can happen through various methods, such as:
Phishing Attacks: Targeting employees of the third-party vendor with malicious emails or links.
Exploiting Vulnerabilities: Taking advantage of unpatched software or weak security configurations in the vendor's systems.
Supply Chain Compromise: Introducing malware or malicious code into the vendor's products or services, which then infect the end user's systems.
Previous Prominent Third-Party Attacks
Third-party attacks are by no means a new attack vector; however, they are becoming more common as threat actors have discovered how potent supply-chain vulnerabilities are as a method of entry into their primary target. The most recent and prominent attack, on MediSecure, is still under investigation, but here are some examples of earlier successful attacks of a similar nature:
Microsoft Exchange Server Attacks (2021): This widespread attack, attributed to a Chinese state-sponsored group known as Hafnium, exploited multiple zero-day vulnerabilities in Microsoft Exchange servers. The attackers gained access to email accounts and installed malware, impacting tens of thousands of organizations worldwide. The attack highlighted the risks associated with widely used software and the importance of timely patching.
SolarWinds Supply Chain Attack (2020): This sophisticated attack involved the compromise of SolarWinds' Orion software, a widely used network monitoring tool. The attackers inserted malicious code into software updates, which were then distributed to thousands of SolarWinds customers, including major government agencies and corporations. The attack demonstrated the potential reach and impact of supply chain attacks, where a single compromised vendor can lead to widespread breaches.
Why Are Third-Party Attacks on the Rise?
Several factors contribute to the increasing prevalence of third-party cyber attacks:
Increased Outsourcing: Businesses are outsourcing more functions than ever, expanding their attack surface and introducing potential vulnerabilities. This is made worse when businesses and their vendors fail to communicate about and standardise their cyber security policies.
Sophisticated Threat Actors: Cybercriminals are becoming more sophisticated, targeting third-party vendors as a stepping stone to reach larger, more lucrative targets. This makes sense: the bigger targets are likely investing heavily in their cyber security, but the same can’t be said for some of their smaller vendors, who don’t have the same budgets to spend on an area that may not be as important to them.
Complex Supply Chains: Modern supply chains are complex and often opaque, making it difficult to assess and manage third-party risks effectively.
The Devastating Impact of Third-Party Breaches
The consequences of a third-party cyber attack can be severe, including:
Data Breaches: Loss of sensitive customer data, intellectual property, or financial information.
Operational Disruption: Interruption of critical business processes, leading to financial losses and reputational damage.
Legal and Regulatory Penalties: Non-compliance with data protection laws can result in hefty fines and legal action.
Loss of Customer Trust: A breach can erode customer confidence, leading to loss of business and long-term damage to the brand.
How to Protect Your Business from Third-Party Cyber Attacks
Here are some essential steps businesses can take to mitigate the risk of third-party cyber attacks:
Comprehensive Risk Assessment: Conduct a thorough risk assessment of all third-party vendors, considering their access to sensitive data, security practices, and overall risk profile. If access to sensitive information or administrative privileges isn’t essential for a vendor to do its job, that level of access should be removed or at least restricted.
Strong Vendor Contracts: Include robust security requirements in vendor contracts, holding them accountable for data breaches and requiring them to maintain adequate cyber security measures. This could be as simple as checking if the vendor complies with ISO 27001. If your business is a vendor to larger companies, you may want to look at some form of certification, or at minimum be able to demonstrate your compliance with a framework such as ASD’s Essential Eight. More on frameworks and standards can be found here.
Continuous Monitoring: Regularly monitor vendors' security posture, looking for any signs of vulnerabilities or suspicious activity. For small businesses this may not be practicable,
Incident Response Planning: Develop a comprehensive incident response plan that includes procedures for dealing with third-party breaches, ensuring a swift and coordinated response.
Employee Awareness Training: Educate employees about the risks of third-party attacks and the importance of following security protocols when interacting with vendors.
Threat Landscape Awareness: Keeping your business up to date with current cyber threats and known vulnerabilities will help you remain protected and patch vulnerabilities before they are exploited by attackers. This can be achieved by signing up to threat alerts from the Australian Signals Directorate.
The Future of Third-Party Risk Management
As third-party cyber attacks continue to evolve, businesses must adopt a proactive and comprehensive approach to risk management. This includes:
Adopting a Zero Trust Model: Assume that any third-party vendor could be compromised and implement security measures accordingly.
Leveraging Technology: Utilize security tools and platforms to automate risk assessment, monitoring, and incident response.
Collaboration: Foster collaboration with vendors to share threat intelligence and improve overall security posture.
By taking these steps, businesses can better protect themselves from the hidden threat lurking in their supply chain.