As a senior consultant I deal with customers across numerous industries and maturity levels. I am often engaged in conducting risk assessments or gap analyses aligned with common frameworks such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). Most, if not all, of these frameworks have a few controls that focus on the organization’s backup processes and disaster recovery plans. A common response in these areas is that the client relies primarily on their cloud provider for their backups.
Often clients will have an additional form of backup as well, but occasionally the only form of recovery they have is wholly owned by their third-party cloud provider. There tends to be an assumption that since it’s “in the cloud” it is infinitely replicated, evenly distributed across numerous geographical locations and systems, and therefore perfectly safe. While this may be the case, relying on a single backup source (in this case a cloud provider) is a recipe for disaster.
Towards the end of August, a Danish cloud provider was struck by ransomware and sent out a notice to its customers that they were unable to recover any of their systems or the data stored on them. All of the company’s emails, backups, and IT systems were affected and the company was both unable and unwilling to pay the ransom.
Before I dive into the meat of this post, I wanted to take a quick detour to explain what ransomware is. Put simply, ransomware is maliciously applied encryption. An attacker gains access to an organization’s systems through any number of means, and then launches an attack that encrypts every file the attacker can reach. The attacker also leaves a note that explains how the victim can direct payment to receive the key needed to decrypt their files. The attacker may additionally threaten to leak the files if the ransom is not paid.
If the organization pays up, the attacker will almost always deliver on their end of the agreement and release the decryption key. If the organization won’t (or can’t) pay, the situation I described in the introduction is not an uncommon result. New types of ransomware and new mechanisms for delivery and spread are created daily, but the core functionality is the same: systems are breached, files are encrypted, and a ransom is demanded. These attacks can come at any time and are not specific to any one industry or market.
Verify, trust, and plan for failure
By this point you’re likely wondering (at least I hope you are) what you can do to limit the damage when one of your critical vendors is unable to recover from a ransomware attack. I have good news and bad news. The good news is that there is something you can do about it. The bad news is that it’s going to take time, skill, and money, all things you had hoped to save by bringing on a third party to begin with.
The first thing you’ll want to do is ensure you have a fallback plan. Ideally this would be a well-planned and documented business continuity plan alongside a disaster recovery plan and an incident response plan. At the very least, however, you must have some ability to replicate the service provided by your vendor. This may be a manual process you can activate, a copy of the server/device configurations they host, or a copy of the data they hold or process on your behalf.
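As an added example, not part of the original post, here is a small Python check for the last of those fallbacks, a copy of the data the vendor holds on your behalf. It records a SHA-256 manifest of the copy and later reports anything that would block a restore: files that have gone missing, files whose contents have changed since the snapshot, unexpected extras, and a snapshot too old to be useful. The file names, directory layout, and seven-day freshness limit are assumptions made for the demonstration.

```python
"""Integrity check for an independently held copy of vendor-hosted data.

Added example, not code from the original post. The backup layout,
file names and freshness limit below are assumptions for the demo.
"""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under root, keyed by relative POSIX path.
    Keep the manifest somewhere the vendor cannot alter, separate from the copy."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = sha256_of(p)
    return {"created": time.time(), "files": files}


def verify_backup(root: Path, manifest: dict, max_age_days: int = 7) -> dict:
    """Compare the copy on disk with the manifest and flag anything that would
    stop a restore: missing files, altered contents, unexpected extras, and a
    snapshot older than max_age_days (assumed limit)."""
    expected = manifest["files"]
    present = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    missing = sorted(set(expected) - set(present))
    extra = sorted(set(present) - set(expected))
    mismatched = sorted(
        rel for rel in set(expected) & set(present)
        if sha256_of(present[rel]) != expected[rel]
    )
    stale = (time.time() - manifest["created"]) / 86400 > max_age_days
    return {
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
        "stale": stale,
        "ok": not (missing or mismatched or stale),
    }


def demo() -> dict:
    """Build a constructed backup copy, snapshot it, then corrupt one file and
    delete another to show what the verifier reports. Also show the staleness
    check by presenting a manifest dated 30 days in the past."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample data standing in for exported vendor-held records
        (root / "customers.csv").write_text("id,name\n1,Example Co\n")
        (root / "config").mkdir()
        (root / "config" / "router.conf").write_text("hostname edge-1\n")

        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulate silent corruption and a lost file in the copy
        (root / "customers.csv").write_text("id,name\n1,Tampered\n")
        (root / "config" / "router.conf").unlink()
        after_tamper = verify_backup(root, manifest)

        # Same files, but the snapshot is 30 days old: restore would be too stale
        old_manifest = dict(manifest, created=manifest["created"] - 30 * 86400)
        stale = verify_backup(root, old_manifest)["stale"]

    return {"clean": clean, "after_tamper": after_tamper, "stale": stale}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run this on a schedule against the offline copy, and treat any non-empty `missing` or `mismatched` list as an incident in its own right: a copy you cannot prove intact is not a fallback. The manifest must live outside the vendor's reach, otherwise an attacker who encrypts the copy can rewrite the hashes to match.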
While it would be nice if we could trust that another business, group, or person would handle things the same way we would, it is irresponsible to blindly assume that they will. After you’ve confirmed (or implemented) your ability to operate in the event of a vendor failure, you will need to verify whether your provider is doing all they need to do to keep your business safe. It is not possible to prevent every failure, nor can you guarantee that assessing a vendor will reveal every gap, but it is your responsibility to take every reasonable measure to reduce the likelihood of a catastrophic vendor failure affecting your business.
For assessing cloud vendors, current or future, one of the best ways is through the Cloud Security Alliance’s Cloud Controls Matrix. Their offering, available for free online, includes a detailed questionnaire that you can use to gain a better understanding of your vendor’s security practices. They also offer guidelines for how to implement the controls they look at, guidance on how to audit those controls, and even a mapping of their controls to the following frameworks:
- CIS v8.0
- PCI DSS v3.2.1
- AICPA TSC 2017
- ISO 27001/02/17/18
- NIST 800-53 r5
In our interconnected world, threats are not only internal; they can come from numerous external sources, including the very vendors the business relies on. Managing these vendor-originated threats is of critical importance and must be handled with the same rigor as all other cybersecurity risks. Third-party risk management encompasses a suite of activities, from policy creation and detailed assessment procedures to stringent enforcement of security requirements.
Starting a vendor management program presents challenges – from its complexity to its time-intensive nature. However, rather than simply shrugging and assuming it is too much work to accomplish, it's prudent to prioritize. Begin with your most critical vendors – those whose disruption would have the greatest operational impact or those handling the most sensitive data. The criteria for prioritizing vendors can include their significance to daily operations, the financial implications of their failure, or the sensitivity of the data they store, collect, or process.
A resilient organization is one that identifies and secures its vulnerabilities, be it people, processes, or technology. This includes recognizing single points of failure that, if disrupted, could jeopardize the organization's functioning. Relying on a vendor doesn't negate the risk, nor does it transfer responsibility. The onus remains with the organization to mitigate risks stemming from vendor relationships. Remember, vendor selection is just the starting point. Vigilance, regular assessments, and robust risk management processes are what ensure the integrity of the vendor relationship and, by extension, the organization's cybersecurity posture.
After all, if a breach occurs at a vendor that affects your data or your operations, it is your customers, not the vendor’s, who will be upset, and the vendor’s reputation will not be the only one damaged. Their success, or failure, is tied to your organization’s brand and overall security and must be treated accordingly.
Resources & additional reading