Supply chain attacks are an emerging kind of threat increasingly used by cyber criminals. The SolarWinds hack is a very recent case demonstrating the sophistication and the impact that this type of attack may have. A new culture is required by organisations to effectively manage this new reality; they need to enforce for the entirety of their third parties a minimum level of cybersecurity controls (both organisational and technical) prior to giving them access to any of their information assets. Given the vast number of third parties an organization may digitally interact with, a standardised, automated and holistic cybersecurity evaluation process should be in place.

We are likely to see more breach disclosures originating from the Accellion file-sharing data breach over the forthcoming months.

Business leaders can take appropriate action now to help maintain the trust with their customers, partners and employees. They can achieve this by carrying out due diligence with their organization to understand if the Accellion data file sharing tool is in use, and/or was in use in the past.

Being transparent with customers, partners and employees about this tool usage and potential exposure allows for appropriate actions to be taken.

A targeted ransomware organisation strikes again. Jones Day has said that the breach occurred because of a third-party was compromised. This attack by CLOP highlights the need for organisations to install robust security that defends themselves before their intellectual property is being stolen or altered.

This is a good example of a trend that we have seen emerging in 2020 and will continue to rise in 2021, that security protection tools have been (and will be) bypassed. It is becoming an emergency for companies to start thinking about detection strategies instead of protective measures. In this case, it appears that the trust in a third-party service has led to a breach.

As Ransomware gangs are becoming ever more opportunistic, and it is critical that security operations teams are able to pervasively detect and respond to attacks. Detecting and responding to indicators of possible malware lurking on a network can make the difference between a contained incident or a damaging organisation-wide outage, breach or significant financial loss. 

In situations such as these, the performance and analytical power of AI can be hugely beneficial for organisations needing to detect the subtle indicators of targeted ransomware behaviours and the misuse of privileged credentials from networks and the cloud. With AI, this can be done at a speed and scale that humans and traditional signature-based tools simply cannot achieve. Ransomware will continue to be a potent tool in cybercriminals’ arsenals as they attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets. It is therefore vital that organisations take all the necessary requirements to detect and respond to attacks that can potentially cause damage to their customers, as well as to themselves.

The breach suffered by Jones Day, a prominent law firm in the US, is not the first incident of CLOP ransomware that we’ve seen recently, and it is a strong reminder to companies to ensure tighter security on their networks.

With the threat of ransomware only continuing to increase, in order to protect themselves and their customers, organisations need to take the more pragmatic approach of assuming breach and not trust any traffic, inside or outside the network. Instead, only grant users access to what they absolutely need in order to do their jobs, and block the rest of the traffic by default.

Micro-segmentation can often help limit the reach and impact of ransomware attacks, allowing companies to easily isolate breaches, prevent lateral movement and enforce granular security policies. Further, granular and real time visibility into network activity enhances the ability of security teams to detect potentially malicious behaviour. Breaches like these are a good reminder for organisations to pause, take stock and ensure they are protecting their networks from opportunistic cyber criminals to the best of their ability.

The Accellion breach highlights one of the key weaknesses of external file transfer systems, but also the over-arching issue of security versus convenience. When uploading any kind of sensitive file to an online repository, document transfer service, or even attach it to an email, it is best practice to encrypt the said file, and then provide your intended recipient with the decryption key through alternate means. This ensures that should a breach occur, your files are not in plaintext for the taking. It may be tempting and convenient to trust reputable external services, but when it comes to sensitive files, such as the legal documents affected in this case, there is no substitute for robust encryption and keeping unprotected instances local only.

This second breach of a customer of Accellion highlights the importance of ensuring that services used by an organisation are properly secured and that vendor security is taken seriously, as when you use their services you are still responsible for the data they handle for you. In order to manage and identify any risks introduced by third-parties, it is best practice to include them in the security assessments of your organisation. When doing this make sure that contracts with vendors allow for this and also stipulate to the vendor their security obligations and your security requirements. Vendors should always be considering security in their offerings themselves. They should also take seriously good security practices when developing their services- performing security assessments, and implementing any identified remedial actions, as well as those reported to them from their customers.

In recent years legal and accountancy firms have been increasingly targeted as a pivot point to access data for larger organisations that are clients of these firms. This is because it is understood that associated legal and accountancy firms may not have the level of rigour in terms of cybersecurity that their clients may have implemented. Unfortunately, these firms may hold or be custodians to very sensitive data, but not have the controls to protect it. You can outsource the service, but you can’t outsource the risk.

Attackers will always go for the weakest link and it's quite easy to identify where that is by examining corporate financial return or corporate announcement documents.

What we are seeing now are the effects of the Accellion intrusion from December, which has already been discussed in relation to for example Singtel and others. It’s an external file-sharing solution that’s decades-old and has been used by several organizations. As we are seeing more and more data related to the breach hitting the news, other organizations that have used the services should review and prepare processes to inform any clients and any individuals for whom data has been processed on this platform. Noting that we are approaching a two-month mark from when the breach likely occurred, those who suspect they may be affected should consider informing any affected data subjects at the soonest in line with current privacy legislation and not wait and hope for the best.