There are not many details about the Kronos ransomware attack. In a press release, Kronos acknowledged, “unusual activity impacting UKG (United Kronos Group) solutions using Kronos Private Cloud”, which turned out to be a ransomware attack. Beyond the previous statement, Kronos has not made information about this incident public.
In December 2021, Kronos, a provider of cloud-based payroll and HR management solutions, suffered a ransomware attack. Over 8,000 companies using Kronos’ software were impacted by the attack! Healthcare providers, as well as high-profile clients including Whole Foods, Tesla, and PepsiCo could not process payroll. The consumers of Kronos’ services were understandably frustrated and alarmed. For some, it caused such a massive disruption that they pursued legal action (for damages). Remember, it was Kronos that was attacked, not any of its clients. Each client was directly impacted through an indirect means.
Ransomware attacks can infect networks using different methods including phishing emails, compromised user credentials, and brute-force logins, among others. It infects networks with malicious software that locks or encrypts files. The intent is to restrict those who are attacked from accessing their data. The attackers will often demand a ransom to decrypt data. Even if the ransom is paid, there are no guarantees the attackers will unlock the data. Many speculate that Kronos paid the ransom to regain access to their encrypted data.
What Does a Ransomware Attack Look Like
Information Technology (IT) infrastructure used by businesses is comprised of hardware and software. Robust protection measures are imperative for both components of said infrastructure. Industry recommendations and best practices urge businesses to understand the importance of an effective cybersecurity strategy. One component of an effective cybersecurity strategy is working with a consulting organization such as PSM Partners who employs qualified personnel to provide cybersecurity services. Unfortunately, even if your digital assets are properly protected, your business can be negatively impacted by a ransomware attack targeting a third-party vendor.
While you cannot directly protect your IT systems from attacks on third-party vendors, you can take steps to minimize the risk. The Kronos ransomware attack highlights the importance of third-party vendor risk assessments. In this guide, we will discuss actions you can take to minimize cybersecurity risks from third-party vendors, and how to respond in case of an attack.
How to Manage Cybersecurity Risks from Third-Party Vendors
It is up to application vendors to effectively manage their own cybersecurity posture. Thus, preventing attacks that can negatively impact their clients.
Businesses should take the following actions to manage third-party risks:
1.Evaluate Security Measures Taken by Vendor
When evaluating vendors, ask them to provide documentation on their security policies and controls. Assess their protective measures, and determine whether they meet or exceed your risk tolerance.
2.Rank Potential Vendors using a Risk Profile
Once you have thoroughly vetted potential vendors, rank them based on the risks they present to your business. Choose the vendor which meets your requirements and represents the lowest risk to your business.
3.Create Redundancies for Critical Operations
If your internal operations or systems depend on third-parties, ensure you have proper redundancy. This includes, but is not limited to, a Business Continuity and Disaster Recovery plan.
What to Do When a Third-Party Software Vendor is Attacked
If one of your software vendors is compromised, take the following actions:
1.Immediately Evaluate the Risk to Your System and Operations
As soon as you find out that a vendor was compromised, immediately evaluate the impact it can have on your operations. Specifically determine how your business may be affected if the vendor’s software goes offline.
2.Protect Your Network
If you have a direct connection (such as a Virtual Private Network aka VPN tunnel) with a compromised third-party vendor, sever the connection right away. In addition, begin scanning your network for suspicious activity.
3.Change Passwords and Establish MFA
It may be difficult to determine what data and information was taken, if any, by the attackers. At the minimum, you should change all passwords for accounts in the vendor’s application. If you detect abnormal or suspicious activity for internal accounts, change those passwords as well. Lastly, and most importantly, if you haven’t already enabled multi-factor authentication (MFA), do so immediately!
4.Talk to IT Service Provider
If you work with an IT managed services provider (MSP), call them promptly so they can assist with triaging the issue. IT professionals can assist with assessing the damage, implementing steps to protect your network, and work to resolve the issues caused by the attack.
Protect Your IT Network with PSM
The Kronos ransomware attack shows just how important it is for businesses to manage their third-party vendor risk. An attack on a third-party vendor can directly impact the operations of your business. Having an incident response plan will greatly reduce the risks to your business and critical operations.
At PSM, we provide cybersecurity services to help protect your infrastructure from malware, data breaches, and other threats. Our professionals take a comprehensive approach to secure and monitor all aspects of your IT systems. In addition, we can also provide third-party vendor risk assessments.