How one cyberattack causes relentless ripple effects

Illustration: Rae Cook/Axios
Cybersecurity has a domino effect problem, as hundreds of organizations this year face service disruptions due to a single attack on a third-party vendor.
Why it matters: Even if a company has all the right security practices in place, a small mistake or security flaw at a third-party supplier could still send its business operations into chaos.
Driving the news: CDK Global, a software provider with 15,000 car dealerships in North America as customers, faced back-to-back cyberattacks this week.
- Car dealerships across the country had to turn to pen and paper to process auto repairs and new car sales throughout the week as CDK worked to bring its systems back online.
- "In partnership with third-party experts, we are assessing the impact and providing regular updates to our customers," CDK spokesperson Lisa Finney said in a statement Thursday. "We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible."
Flashback: CDK is the latest victim in a long series of cyberattacks this year that started with just one tech vendor and rippled out to hundreds, if not thousands, of incidents throughout one sector.
- A ransomware attack on Change Healthcare this year left pharmacies scrambling to fill patients' prescriptions and cost health providers as much as $1 billion a day.
- A recent attack that hit several London hospitals, affecting at least 800 planned operations, started when hackers broke into Synnovis, a pathology provider.
Between the lines: Every sector has specialized needs that only a handful of vendors have products to address, creating a concentrated security risk if these specialized vendors face a cyberattack, Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, told Axios.
- A pharmacist needs a specific tool to process insurance payouts. A water system operator needs tools to monitor chemical treatments. And schools benefit from platforms designed specifically for online learning.
By the numbers: 150 companies account for 90% of the technology products and services that global companies are using in their systems, according to research from SecurityScorecard and McKinsey & Co.
- Among those 150 companies, 87 have a security rating of B or lower based on SecurityScorecard's ratings system.
The big picture: Companies across the board have been facing more hacks and data breaches in recent years — and that growth also means there've been more supply chain cyberattacks.
- Those types of attacks put specialized vendors and their customers at a greater risk of attack, Sherstobitoff said.
- "It's not like these products all of a sudden appeared on the market; they've always been here," Sherstobitoff said. "But the level of cyberattacks are higher than they were five, six, seven years ago in terms of breaching organizations that run that software."
The intrigue: The heightened threat landscape means tech vendors need to do a better job of practicing the cyber basics, Sherstobitoff said.
- Change Healthcare's widespread attack started simply because one key server didn't have multifactor authentication turned on, Andrew Witty, CEO of parent company UnitedHealth Group, told lawmakers in April.
The bottom line: The best defense for customers of these highly concentrated tech vendors is to know which tools they're running in their systems, Sherstobitoff said.
- "If you don't know your third parties, then you have an unknown risk," he said. Then "you're not aware that you and 60% of [the sector] are using that product."
