Just as the Fourth of July weekend was kicking off for many around the United States, so too was a significant supply chain attack on leading IT and security management software provider Kaseya.
Kaseya's software is widely used by managed service providers (MSPs) and small and medium businesses (SMBs). The attack, attributed to the ransomware group REvil, leveraged vulnerabilities in Kaseya's popular remote monitoring and management product, VSA, to compromise an estimated 1,500 Kaseya customers with ransomware.
The impact on these customers was immediate: their systems were encrypted, making it difficult for them to operate over the holiday weekend. The attackers demanded a single payment of $70 million, covering all victims together, in exchange for decrypting the data.
The Kaseya attack is the latest example of third-party cyber risk affecting a broad set of organizations through a single attack. Other high-profile examples this year include SolarWinds, Microsoft Exchange, and Accellion. Third-party risk is the risk an organization takes on through its supply chain and the outside parties from which it purchases products or services. This risk is particularly harmful when the third party is a software solution like Kaseya's VSA that, by its nature, has high-privilege access to company systems.
The number of attacks through third-party vendors has increased significantly over the past five years. Many companies will look to cut costs or realize efficiencies through outsourcing parts of their business to other companies. This is also true of the software supply chain, as companies look to turn over more critical functions to software and technology. According to a 2021 survey by the Ponemon Institute, more than half of leaders said a third party had caused a data breach at their organization.
According to Deloitte, there are three reasons for the recent increase in third-party risk. First, the overall number of incidents targeting vendors has increased. Second, economic pressures are pushing companies toward tighter margins, and as a result they face increased risk of disruption. Finally, regulators are increasingly focusing on supply chain risk.
For SMBs, third-party risk is a critical area to pay attention to. Not only is the risk rising quickly, but recent attacks have also shown that attackers are targeting the very software that SMBs rely on to run their business.
SMBs should ensure they are taking the necessary steps to mitigate this risk, such as thoroughly vetting third-party providers and setting strong cybersecurity standards and documentation for the relationship. They should also take the necessary steps internally to reduce risk, such as requiring multi-factor authentication, applying least-privilege principles, and regularly patching and updating systems.