Just before Christmas, news broke of a global hacking campaign targeting outsourced IT service providers, or managed service providers (MSPs), to obtain commercial advantage by stealing customer information.
The Federal Government’s Cyber Security Centre (ACSC) has stated that a number of Australian MSPs are known to have been compromised and that more may have been. Head of the ACSC Alastair MacGibbon says nine global service providers, including Hewlett Packard Enterprise and IBM, are among the victims of the APT10 group.
The cyber espionage operation, which also goes by a number of other names, was revealed to be working on behalf of the Chinese Ministry of State Security in the 2017 PwC Operation Cloud Hopper report, produced in conjunction with BAE Systems and the United Kingdom's National Cyber Security Centre.
The campaign is focused on MSPs’ customers’ commercial intellectual property rather than personal information, but the implications for Australian businesses and the economy are serious and far reaching.
The ACSC has outlined practical advice for MSPs and their clients to limit their exposure and protect their information. This includes essential components that should be built into service agreement contracts, as well as actions for achieving security.
What to do STAT
Organisations that use MSPs should ask their providers these 6 key questions formulated by the ACSC to identify priority concerns.
- Are you using best practice guides for cyber security?
The ACSC’s Essential Eight benchmark, from its Strategies to Mitigate Cyber Security Incidents, is a solid starting point for defending against targeted cyber intrusions.
- Are you regularly assessing the security of your services?
This includes conducting vulnerability assessments, analysis and related activities.
- Are you protecting your access to our systems?
An MSP has privileged access to clients’ systems and this needs to be managed rigorously, especially if managed remotely. Multi-factor authentication is an important component.
- What are you doing to protect users from phishing emails?
There are practical measures your MSP can take to reduce the risk of users receiving emails that may convince them to let malware in or reveal important credentials.
- Are you backing up our data?
Ascertain the processes your MSP has in place for identifying and backing up your data, and how often these are tested.
- Do you have a protocol for reporting cyber security incidents?
Effective preparation for and handling of a security breach can greatly decrease its impact. Active reporting can improve early response and help identify the need for specialised assistance.
Have the right insurance cover
No organisation can afford to be without cyber security insurance protection. The cost of suspending operations, retrieving data and remediating compromised systems alone can be crippling. In addition, regulatory compliance with Australia’s Notifiable Data Breach Scheme and the General Data Protection Regulation (GDPR) means businesses with local and international connections face increased cyber security incident costs when third parties’ information is concerned.
The good news is that insurance cover and policy wordings are being constantly updated to meet the increasing scope of cyber risk exposures.
Gallagher’s cyber insurance specialists can help businesses identify their operational exposures, assist with formulating a risk management plan and structure insurance cover to protect against the fall-out from a data breach.