Mark Kirstein, CISSP, VP Customer Success
A real-world example:
This case study is about the same ransomware security incident, impacting the supplier and the client.
- Company 1: “MidCo”
  - A mature information security program
  - Contracted “SupplierCo’s” software
  - Managed the security incident nearly flawlessly
- Company 2: “SupplierCo”
  - Software vendor, with virtually no information security program
  - 20-year-old company was forced to cease operations 3 days post-incident
Our visibility into a recent cyber security incident serves as an ideal case study exposing the consequences of having a robust security program, or of having none at all. Both outcomes were revealed in the same cyber security incident: a ransomware attack.
Let’s start off with Cosant’s client. We’ll call our client “MidCo”, for this case study. The details are obscured for anonymity. MidCo is a mid-sized business, with a robust, yet still maturing information security program. Here’s a quick look at MidCo:
- Several hundred million dollars of annual revenue
- Many large, enterprise clients
- Vast volumes of both Personally Identifiable Information (PII) and sensitive financial data
- MidCo’s services are vital to the daily operations of their clients
- The security program has all the requisite elements, including documented policies, plans, processes and standards, as well as robust technical controls. All of these are operationalized, not just shelfware.
- Many industry-specific security compliance requirements implemented, including PCI, SOC 2, and FISMA
Of principal interest for this case study, MidCo has a comprehensive 3rd-party vendor management plan. Among the standard processes for 3rd-party vendor management is a security screening for each new supplier. The screening identifies the level and category of risk associated with the supplier. If the supplier can’t qualify for a minimum level of security, they’ll be disqualified. If they qualify, but demonstrate high risk, then additional compensating controls are applied for that supplier.
Enter the second company involved in our case study: a supplier of specific software services for our client. Here’s what our software supplier, we’ll call them “SupplierCo”, looks like:
- A small software business, providing data services & monitoring
- Approaching 20 years in business
- Approximately 50 employees
During the supplier selection process, MidCo reviewed SupplierCo’s security position, per MidCo’s 3rd-party vendor management plan. SupplierCo’s security position was identified as “high risk”. The principal risk associated with SupplierCo was availability.
Despite the risk, MidCo decided to utilize SupplierCo’s software. As directed by the 3rd-party vendor management plan, additional controls and monitoring of SupplierCo’s software and operations were put into place. Fast forward six months. Over a recent weekend, SupplierCo was the victim of a ransomware attack which brought the company’s operations and software to a screeching halt. The compromise was identified quickly by MidCo, and MidCo’s Incident Response Plan was triggered into action. MidCo stepped through its incident response meticulously, and quickly contained the impacts of the breach. Once contained, MidCo identified actions to restore availability through an alternative solution. As a result of a mature and tested incident response program, coupled with a 3rd-party vendor management program, MidCo’s operations barely missed a beat. It was truly a testament to a well-prepared and operational information security program.
In the context of the NIST Cybersecurity Framework, MidCo accomplished the following:
- Identified the risks and threats in advance
- Took proactive steps to Protect themselves with compensating controls and to Detect a breach
- Upon Detecting the breach, followed previously developed plans and processes to Respond and contain the breach
- Recovered effectively, sustaining operations and minimizing the impact on availability for MidCo and their clients
While this breach incident proved to be a win for MidCo, SupplierCo didn’t fare so well. Many clients of SupplierCo appear to have taken steps similar to MidCo’s to isolate themselves from SupplierCo’s breach and move to alternative vendors. By the Tuesday following the weekend of the breach, SupplierCo was out of business. Its 50-person team was no longer employed by SupplierCo. Twenty years of hard work, growth and ongoing operations were destroyed within days.
The implications of this case study are self-evident. The risks from a cyber security incident to a small business are potentially catastrophic. The investment in a comprehensive information security program can make the difference between an inconvenience, a significant customer incident, and the loss of business viability itself. As a business community, we can no longer sustain the “I’m too small to be a cyber security target” or “It won’t happen to me” mindset.
For MidCo, the incident represented “the good” outcome of an “assume breach” scenario. For SupplierCo, it was not just “bad”, but “ugly”.