Cybersecurity
Jonathan Wood says it’s time to MOVEit
What do the US Department of Energy, the BBC and Boots all have in common? No, this isn’t the start of a bad joke. They are amongst the growing list of international organizations that have been breached as a result of the MOVEit software vulnerability.
But the risk of the MOVEit vulnerability extends far beyond the thousands of organizations around the world that use the software. A number of organizations that suffered data breaches were exposed through their supply chains. Take the payroll provider, Zellis. Zellis was a breached user of the MOVEit software, and as a result the employee payroll data of many of its customers has been exposed and stolen. This is a clear example of how it is not just third-party providers that present a security risk: MOVEit is a fourth-party vendor to the breached clients. Indeed, whether it’s the third, fourth, fifth or nth party, it takes just a single weak entry point to introduce risk into the entire supply chain.
Mounting concern
While supply chain vulnerabilities of this scale don’t occur every day, the security risk of the supply chain is of growing concern to security and business leaders. According to WEF’s Security Outlook 2023, business executives recognize how their organizations’ cybersecurity risk is influenced by the quality of security across their supply chain of commercial partners and clients.
This is because most organizations are digitally connected to hundreds of suppliers and vendors. Weaknesses in a vendor’s security posture – which could come from their own supply chain – can lead to threat actors gaining access to a network and result in a data breach or the introduction of malicious software, for example, ransomware.
Sometimes these are “smash and grab” events, as seen with the MOVEit vulnerability, which was caught relatively quickly and, based on insights from the industry, doesn’t appear to have leveraged broader access or stolen specific high-value information. Others are stealthier. The SolarWinds attacks, for example, attempted to avoid detection by disabling software systems before performing malicious activity.
The bottom line
Even if your business has the most robust internal security and risk policies and processes in place, third, fourth and even fifth parties could bring it all crashing down. From operational disruption and data breaches to ransom demands and regulatory fines, the cost of not taking this risk seriously is massive.
That’s why it is critical that security leaders actively consider and prepare for this risk and, in turn, the eventuality of an attack through their supply chain. These are five steps that should underpin how organizations prepare:
scw-mag.com 21