In this article, we will focus on the key actions a Procurement Department can take to prepare for, prevent, respond to, and recover from ransomware attacks.
First, what is ransomware?
According to the U.S. Government’s Cybersecurity and Infrastructure Assurance Agency (CISA): “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”
A few recent examples:
- Colonial Pipeline: DarkSide, the group behind the attack, targeted the billing system and internal business network of the Colonial Pipeline in the United States. The impact was widespread gasoline shortages in multiple states. The FBI recovered a significant amount of the $4.4 million paid as ransom.
- Brenntag: DarkSide also targeted Brenntag in a similar way, receiving a ransom payment of $4.4 million as well (not yet recovered).
- CD Projekt Red: Attacked by the HelloKitty ransomware group. The result was encrypted devices and threats of leaked source code.
Other companies that experienced a major hack:
- Acer
- JBS Foods
- Quanta
- National Basketball Association
- AXA
- CNA
- Kia Motors
The methods hackers use are constantly becoming more complex and agile, and cybersecurity experts learn new ways to fight these threats each day. The most prevalent defenses are two-factor authentication, strong and properly configured firewall/antivirus/anti-malware software, access to information limited to what each employee needs, and routine backups.
What role can Procurement take in contributing to security success?
First, Procurement, Risk Management, and IT need to collaborate when onboarding strategic partners. The strategic sourcing process is integral to establishing the right tools and actions for protecting a company. We can break this down into four major sections, each covering vendor interactions, contractual requirements, and policies:
- Prepare
- Prevent
- Respond
- Recover
Prepare:
The safest way to prepare for a malware/ransomware attack is to assume it is inevitable. The security organization will most likely already have infrastructure in place to handle this. We should work this same mindset into our partner relationships.
Procurement is encouraged to require vendors to prepare for an attack in the same ways as their own organization. Partners can be mandated to routinely back up client data, have safeguards in place, and have a full redundancy plan in the event an attack occurs.
Prevent:
Procurement, Risk Management, and IT should collaborate on choosing the best IT Security Partner (or in-house solution) to prevent a malware/ransomware attack. When Procurement facilitates strategic sourcing projects, it can effectively collect the requirements from across the company and ensure effective communication. Getting the right contract in place requires cross-team coordination, and Procurement is best equipped to make this happen.
During supplier selection, an IT vendor assessment/questionnaire should be worked into the RFP. This assessment aims to test the partner’s cybersecurity strength and redundancies.
Respond:
Paying a ransom is highly discouraged. Payments often encourage “copycats” and further malicious behavior.
As attacks become more common, contracts with vendors should explicitly address how vendors should respond to ransomware attacks. The cost of the ransom and the cost of not paying should be compared. Contracts should aim to cover every possible outcome and even stipulate who will be responsible for the actions taken and how those impacted will be made whole.
Recover:
Speaking of being made whole, Procurement can plan for this by building cybersecurity insurance requirements into each contract. This insurance is specific and often not included in general insurance requirements. Setting coverage limits and requiring proof of insurance must become the standard moving forward. As seen above, some attacks can require millions of dollars in ransom, or even more when trying to recreate or deal with the ramifications of losing authentic data. Having financial protection against this is key to a company’s survival, and ensuring vendors can survive an attack is key to business continuity.
In addition, when contracts ensure vendors/partners must back up and store data securely, recovery is much less costly and difficult for the clients. Procurement and Vendor Management can request that vendors stress test their systems and rehearse their response for when an attack occurs.