A hack targeting software made by Kaseya Ltd. shows how damaging supply chain attacks can be for small and medium-sized businesses that often outsource their information technology support.
Rather than maintaining an in-house IT function, these businesses usually hire consultants known as managed service providers. Kaseya makes software that the service providers use, and that allowed the cyberattack to ripple through the IT supply chain.
“The way this attack has played out really demonstrates the particular challenges for small and medium-sized businesses,” said April Falcon Doss, executive director of the Georgetown Institute for Technology Law and Policy. Doss is a former associate general counsel at the U.S. National Security Agency.
Smaller companies that rely on IT service providers could be more heavily impacted by the costs of a hack, compared to larger companies with bigger budgets, she said.
Businesses that are victims of the attack will have to cope with the costs of investigating and remedying any damage done. They’ll have to determine whether personal information was stolen, which would trigger regulatory obligations to notify people.
The attack is also likely to bring legal scrutiny to the contracts held between Kaseya and IT service providers, as well as contracts between the providers and their end customers. Kaseya and the service providers could be sued for breaching their contracts.
While the extent of the hack isn’t fully known, about 30 IT service providers and more than 1,000 businesses have been affected by it, according to the cybersecurity firm Huntress Labs Inc.
“There’s nobody that’s too small to be attacked,” said Bryson Bort, founder and CEO of cybersecurity company Scythe. “And as supply chain attacks like this show, a whole bunch of those small companies can be swept into the same net.”
Small and medium-sized businesses are often resource-strapped and don’t usually have the time or money to create comprehensive IT and security programs, said Bob Cattanach, a data security and privacy partner at Dorsey & Whitney LLP in Minneapolis.
But they can and should practice vendor due diligence, looking at those companies’ security practices and track records, he said. Even companies with limited resources should look into cyber insurance to help cover the costs of an attack, he said, but that ultimately may not be feasible.
“The good news is it’s more widely available,” Cattanach said. “But underwriting standards are still kind of spotty and getting more expensive with each hack that happens.”
In the wake of the Kaseya attack, businesses are likely to take another look at their contracts with IT service providers, while the providers look at their contracts with software makers.
“Writing clear contracts, on responsibility and accountability, that’s very important for small and medium-sized businesses,” said Kelvin Coleman, executive director of the National Cyber Security Alliance. “That’s going to force these software providers to cover their tracks in selling these products because they know they’re on the line if something happens.”
The latest software supply chain hit comes after hackers attacked software from SolarWinds Corp., with ripple effects for a range of victims, including U.S. government agencies and private businesses. A recent hack of
For many small businesses that may already be struggling financially, worrying about their own cybersecurity on top of the cybersecurity of their IT vendors is a tall order, said Meg King, director of the science and technology innovation program at the Wilson Center, a Washington think tank.
“These attacks can be totally crippling for small businesses,” King said. “It shouldn’t have to be like this.”