Picture the scene:
Sarah, the CISO of Company X, strode towards the CEO’s office, her palms sweaty. Without knocking she forced open the slightly ajar door. "John, we've… we’ve got a problem," Her voice tinged with an urgency that John had never heard before.
"What's the matter?" the CEO responded, after dropping his phone in frustration – it didn’t appear to be connecting to the network properly, and he’d been having problems all morning.
The words flew out of Sarah’s mouth. "We've lost all our data stored on our third-party cloud provider. It's gone. Vanished!"
John sighed in annoyance and pinched his nose. "How long until they can restore back-ups?”
“They… they aren’t coming back. All the back-ups are lost too.” Sarah’s mouth opened to say more, but nothing came out.
“You're kidding, right?" John's face turned ashen.
"I wish I were. They were hit by a ransomware attack and can’t recover our data. We're in a crisis."
Maybe I won’t give up my day job to become the next hotshot thriller writer just yet.
Melodramatic though it sounds, the dialogue above is not too far from the last few weeks’ reality for companies that relied on AzeroCloud and CloudNordic. The sister company cloud providers suffered a devastating ransomware attack, leaving their customers stranded without their data.
Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series:
What went wrong?
The attackers exploited a vulnerability during a data centre migration process. The companies' internal networks had been compromised by ransomware. During the migration, backups that had been segregated were connected to the rest of the network – allowing the threat actors to encrypt not just the primary servers, but all of the backups as well.
The result? Loss of all customer sites. Martin Haslund Johansson, director of both hosting companies, explained in an interview that he did not expect “any customers left when this is over”. The companies stated that they ‘could not’ pay the required ransom. While the cloud providers attempted to recreate domains for their customers to use, the data within those domains had been lost.
In what may sound like a weird twist, the threat actors didn’t extract the data before encrypting it – meaning that even if they wanted to, affected customers couldn’t pursue an alternate solution of trying to pay the threat actors directly.
The risk of third-party vendors
The incident serves as a stark reminder of the risks associated with third-party vendors, particularly those that manage or store data on your behalf. It's not just about choosing a vendor; it's about both conducting thorough due diligence, and risk assessments over how your data is stored and used.
That due diligence should include security audits, compliance checks and other assurance over the vendors to ensure they comply with industry standards and regulations.
Exploring scenarios can be powerful. While this is an extreme scenario, it is a plausible one. For each of your material service providers, consider whether their failure would have a catastrophic effect on your organisation. If the answer is yes, explore other contingencies. This might include using other cloud providers, or conducting your own, less regular backups. The impact of an event might still be huge – but perhaps not business ending.
Monitoring for vendor change
This incident also highlights the importance of managing risk in change, including changes implemented by vendors. Even if AzeroCloud and CloudNordic had the expected controls for their standard operating environment (which is unlikely given the initial compromise), in this case it was a particular migration that was the catalyst.
The ideal scenario is for material service providers to notify you when they are implementing a change that might affect you. While it may not be practical to expect assurance over every change, these are moments where it might be prudent to verify that the change itself is well planned, risks have been identified, and contingency plans are in place.
Conclusions and next steps: take action now!
The AzeroCloud and NordicCloud incident is a wake-up call for all businesses that cloud services – or any service provider - aren’t infallible.
Don't wait for a disaster to strike. Consider the scenarios where third-party failures could destroy your organisation, and implement an integrated approach to vendor management, controls assurance business continuity that improves your resilience.
If you want to know more about how to assess your vendor risk, download our Vendor Risk Management eBook for a detailed step-by-step guide of to build an effective vendor risk management program.
Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series: