Chances are you’ve never heard of MOVEit. Sure, you’ve probably been told aggressively to move it along, but I’m not here to walk you through those situations. And no, I didn’t spell that wrong or accidentally hit all caps.
What is IT?
I’m actually referring to Progress Software’s application called “MOVEit.”
MOVEit is secure file transfer software used by a variety of companies. Its primary users are financial organizations (think banks, credit unions, brokerages, loan administrators, etc.) and educational institutions.
These organizations often have to transfer highly confidential information between systems, subsidiaries, and partner organizations. Because the data transferred typically contains Personally Identifiable Information (“PII”), it must be transferred securely. This is often governed by compliance requirements.
MOVEit is a popular solution that securely transfers this data on behalf of customers. With more than 1,700 software companies and 3.5 million users worldwide relying on its services, MOVEit Transfer is a key player in the managed file transfer ecosystem.
So, you can imagine the issues raised when a security vulnerability in MOVEit was discovered and exploited in late 2022. To make matters worse, IT administrators are either unaware of the danger or too slow in patching it. One estimate notes, “around 1,841 organizations have disclosed breaches, but only 189 of them have specified how many individuals were impacted by the incident. From these detailed disclosures, Emsisoft has found that more than 62 million individuals had their data breached as part of the MOVEit spree.”
You’ve likely heard about the MGM hack that occurred earlier this year. Well, the impact of MOVEit dwarfs that by comparison. As of this writing, over 800 organizations have been victimized by cyber attacks exploiting MOVEit’s vulnerability, and as of August 2023, over 60 million individuals have been impacted.
This Time, It’s Personal
As a Solution Engineer for Intelisys, part of my job (and my passion) is keeping up with current cybersecurity threats. I have been tracking the MOVEit story since February and advising many of you about how you can help your customers protect against and overcome the threat.
But in this instance, it got real personal for me about a month ago.
I purchased my first home in August 2022. It was a very exciting time for my family and a big step forward. I knew I didn’t know everything about real estate purchases then. Since then, I have learned that it is a common practice for a lender to sell your home loan to another lender, which happened to us. “Not a big deal,” I thought at the time, “It’s just a different name on the check I write every month.”
As anyone who’s purchased a home knows, there is a lot of research that goes into selecting your initial mortgage lender. At first, I was just annoyed that I had wasted a lot of time, and here I was, contracted with a company I knew nothing about. But still, happens all the time. No big deal.
And then, it happened.
I was listening to a cybersecurity podcast a few weeks later, and lo and behold, I learned that my new lending company was hit by a cyber-attack exploiting the MOVEit vulnerability. Now, my personal information was in the hands of a sophisticated cybersecurity gang.
Worse, I found out from that podcast, not my lender. And even today, they still haven’t formally notified me that they were hit.
My experience reminds me of how many organizations view cybersecurity and risk: “We’ll address it when we have a problem.” What this experience has exposed to me is that I need to tighten down the screws on my family’s cybersecurity posture because we now have the crosshairs right on top of us when, in fact, they always were. Even as I write that sentence, I think, “Only a nerd would put it that way.”
What’s Your Opportunity?
You may be thinking, “Have I been hit as well?!?” Maybe, and I will address that in the postscript.
But what’s really important is the business opportunity this presents for you. Your customers need the impartial advisory services you bring them on this subject. Your starting point is as simple as looking through your book of business, reaching out to your customers in the Financial and Education segments, and simply asking if they are using MOVEit. If the answer is yes, are they aware of the breach, and if they are, have they patched their systems?
This, however, only addresses the symptoms, not the problem. The real problem is the failure to recognize the impacts of “Third Party Risk.” This is also known as vendor risk or supply chain risk.
What Is Third Party Risk and How Is It Addressed?
This is a category of risk that examines how a company is impacted by the tools and partners it engages with but does not fully control. For example, if your customer hosts customer data in Salesforce, they expose their business to a data breach if Salesforce suffers a security breach.
Likewise, if your customer uses secure file transfer software to move sensitive customer data and that software has a vulnerability, they are exposed to exploitation, which is exactly what happened in the case of MOVEit.
Here’s why it matters: If your customers are not tracking the risk level of third-party associations, they will have no clue where their controls and mitigations need to be tighter.
The good news? Third-party risk management SaaS solutions, combined with advisory services, can help your customers track all vendor relationships, how critical they are, what kind of service each vendor provides, and due diligence information about the vendor.
This due diligence information could be a copy of their business insurance certification, cybersecurity certifications (like ISO 27001 or SOC 2), or internal policies and processes for dealing with a breach. These solutions often include tabletop exercises for your teams to understand how they would react in a cybersecurity incident.
And, you guessed it, all these solutions are available in our supplier portfolio.
What Should I Do Next?
If you feel prepared to converse with your customers about cybersecurity or risk management, call them! If you don’t, contact us, and we will join you and support that conversation. This is a benefit of being a Sales Partner with us: you can access Solution Engineers with this expertise. We welcome the opportunity.
As promised above, I’ve got advice for you if your personal information has been compromised.
- Start here to see if you have been hit.
- Purchase an Identity Protection solution. There are many different ones out there – the primary differentiator I have seen is whether they provide a dedicated agent to assist you if your identity is stolen.
- Freeze your credit and only unfreeze it when you need it. This can be done from any of the three main credit bureaus’ websites (Experian, Equifax, and TransUnion). This prevents bad actors from taking out loans and credit cards in your name.
- Enable Multifactor Authentication everywhere, but most critically, on your email and online banking accounts.
- Use a password manager. As an IT admin, I have had to deal with hundreds of admin-privileged accounts simultaneously, and a password manager has streamlined that incredibly. (Make sure MFA is turned on for your password manager!) And do not use the password manager built into your web browser.
- Pay attention to Security Awareness Training! I know it’s lame, and many people find it boring or a waste of time, but there are gems in those programs to remain safe. Don’t throw the baby (Security Awareness Training) out with the bathwater (bad acting in poorly edited educational videos).
Items three through five above are all enterprise solutions we can help source for you or your customers. Instead of number one, you can now source cybersecurity insurance for your customers through our Supplier Portfolio. Reach out to your Business Development Manager or Solutions Engineer for more information, and remember, friends don’t let friends get hacked.