In June, a popular file-sharing software, MOVEit, was hacked by a Russia-linked cybercrime group called Cl0p. Many big-name companies used this software, including Shell, Sony, several large law firms, and a number of US federal agencies including the Department of Health. Security Magazine reported that there are currently 138 known companies impacted by the breach, resulting in compromised personal information for more than 15 million people. As the investigation continues, more are expected to emerge.

You may read that list of companies and think, “I’m just a small business compared to these guys – that won’t happen to me.” What you may not know is that many of these companies have millions in their cyber security budgets, and it still happened to them. It did not happen because they were ignoring the importance of cyber security, but because of a piece of software they use to run their business.

Ironically, MOVEit is advertised as a tool you can use to “securely share files across the enterprise and globally,” “reduce the risk of data loss” and “assure regulatory compliance”. The software was compromised through what is called a zero-day attack. This type of attack exploits a flaw in the application that creates a gap in security and has no available patch or defense, because the software maker doesn’t know it exists. Cybercriminals rapidly release malware to exploit the vulnerability before the software maker can patch it, essentially giving the software maker “zero days” to respond.

Zero-day attacks are difficult to prevent and can quickly and easily ruin smaller businesses, making these types of attacks extremely dangerous.

Depending on the cybercriminal’s motives, the stolen data can be deleted, held for ransom or sold on the dark web. If you are lucky enough to recover your data, the chances that all your data will be recovered are very slim. Even after paying a ransom, companies find that data is still missing. Not to mention, you may still pay thousands or more in fines and lawsuits, lose money from downtime, and end up with a damaged reputation that could cause you to lose clients. In MOVEit’s case, the cybercrime group claims its motivation was purely financial, and has allegedly deleted data obtained from government agencies, as they were not the intended targets.

What does this mean for small businesses?

For starters, it highlights the harsh reality that cyber security isn’t just for big businesses and government agencies. Small businesses can actually be more vulnerable to cyberattacks since they often dedicate fewer resources to protection. It also goes to show that even though you may not be the intended target, it’s still possible to get caught in the middle of a cyberattack, as we saw with Cl0p and the government agencies.

It also means that even if your organization is secure, the third-party vendors you work with and the tools you choose to use in your business still pose potential risks. Most of MOVEit’s customers that were affected likely had strong cyber security measures in place. Even though it was no direct fault of their own, at the end of the day, those companies must go back to their clients, disclose what happened and take the verbal, legal and financial beating that comes with a data breach.

The MOVEit hack serves as a grim reminder of the critical importance of cyber security for businesses of all sizes. In the face of an increasingly sophisticated and fast-moving cyberthreat landscape, businesses cannot afford to ignore these risks. Cyber security must be an ongoing effort, involving regular assessments, updates, monitoring, training and more. As this terrible incident shows, a single vulnerability can lead to a catastrophic breach with severe implications for a business and its customers.

Cyber security isn’t just a recommendation – it’s a critical piece for businesses operating in this digital age.
