Last month, PricewaterhouseCoopers (PwC) publicly addressed the repercussions of a significant cyberattack campaign that specifically targeted the popular MOVEit file transfer tool. This campaign, orchestrated by the Russian-speaking cybercriminal group known as "Clop", took advantage of a vulnerability in Progress' MOVEit product, which PwC had been using, resulting in "limited" impacts on both the company and its clients. Furthermore, the cybercriminals from the same group claimed to have obtained data from Ernst & Young, adding to the magnitude of the cyberattack.

Described as a "supply-chain attack," this kind of cyberattack highlights the inherent information security risks that major organizations face today, particularly when dealing with external suppliers. It also serves as a painful reminder that the security posture of any organization is only as strong as the weakest link in its supply chain.

Despite implementing robust internal security measures, renowned organizations can still be exposed to risks beyond their control when using external solutions, which makes the management of third-party risk a complex and challenging endeavor. In this case, the cyberattack did not target PwC directly (PwC confirmed that its own IT network remained uncompromised), but rather leveraged a vulnerability in Progress' MOVEit product, leading to potential impacts on both PwC and its clients.

Implementing Zero Trust principles, such as thorough third-party risk management and monitoring, is crucial for enhancing cybersecurity and reducing both the probability and the impact of "supply-chain attack" risks. Still, it is safe to assume that no amount of security measures can provide an absolute guarantee against the ever-evolving threats in the digital space. Rather, the true focus and "endgame" should lie in effectively embracing and leveraging these principles to build trust within your ecosystem. By embracing Zero Trust as a foundation for fostering trust, organizations can not only strengthen their security measures but also cultivate strong partnerships and collaborations with ecosystem members.

Embracing the paradox of fostering trust through Zero Trust principles means acknowledging that comprehensive risk assessments, due diligence, and continuous monitoring of third-party providers' security practices will not grant complete immunity to "supply-chain attacks." These proactive measures are nonetheless fundamental to identifying supply chain weaknesses and gradually building trust with ecosystem partners over time.

In the long term, fostering an ecosystem of trusted partners who share a commitment to information security and possess similar maturity levels will be essential to navigating a competitive business landscape securely and efficiently, contributing to a more resilient and secure business environment.

Discover how our managed service solution, Supplier Shield™, can help bolster your third-party risk security practices, cultivate a trusted ecosystem, and protect your operations amidst an unpredictable threat landscape.

Also, reach out to Abilene Advisors and learn how to demonstrate your commitment to information security within your ecosystem by getting ISO27001 certified.

References:

- PwC Data Breach: Stolen Info Now Available On .com Domain (thecyberexpress.com)
- PwC: 'Limited' Client Data Impacted In MOVEit Cyberattacks (CRN)