Hundreds of UK companies are likely to have been impacted by the hack with National Cyber Security Centre issuing warning
AJ Thompson, CCO Northdoor plc
Hundreds of UK companies have been compromised as part of a global hack, thought to originate in China. The UK’s National Cyber Security Centre has issued warnings about the attack and is still assessing the likely impact for UK businesses. However, the seriousness of the situation has meant that other countries, such as Norway, have already been actively scanning for at-risk companies and warning them directly.
The attack was first announced at the beginning of March by Microsoft, which immediately blamed a Chinese Government-backed hacking group called Hafnium. More worryingly, it seems that the hacking group was using four never-before-seen hacking techniques. This has meant that they were able to successfully target Microsoft Exchange Server, which is used by large corporations and public-sector organisations across the world.
The impact of this hack could be huge. ESET, the cyber-security company, has claimed that as many as 10 different hacking groups are now using these new methods to target companies in 115 different countries.
Patching and updates
The race is now on for all companies, and particularly those affected, to install the patches issued by Microsoft. Each company will also need to go through their systems carefully to ensure that there have been no recent compromises and that hackers are not lurking somewhere on their servers.
The issuing of patches and updates to counteract recent hacks is commonplace and is a way for companies to ensure that they are protected as much as possible against a constantly evolving and increasingly sophisticated cybercriminal.
The main issue is that, frankly, many companies do not install the patches or updates. A 2020 report from Bitdefender found that 64 percent of all unpatched vulnerabilities during the first half of 2020 involved bugs dating from 2018 and that a vast majority of organisations still had unpatched vulnerabilities that were identified anywhere between 2002 and 2018.
Why are companies not patching?
This research highlights a key issue for many companies and a reason why many are compromised with such apparent ease. It is clear that it is not just the most recent and most sophisticated attacks that are getting through, but actually vulnerabilities that date back to the early 2000s. So, why are companies not implementing patches or running updates?
For many, applying patches can be time-consuming and, frankly, unrewarding. There is also a tendency among some companies to fear an update or patch and the possible impact it may have on their systems. Equally, for smaller companies without a large IT team, it might simply be a resource issue. With a smaller team or even an individual, the to-do list is often long, with patching and updates commonly falling down the list of priorities and customer-facing changes or internal systems considered more important.
Further problems for SMEs
Issues such as the changes to the IR35 tax regime may see private sector companies struggle further with patching and updates. With decisions being made on the future employment status of IT contractors, some firms may lose the only support they have in place, meaning that patching and updates are not just falling down the list, but there is no list at all.
Further complications to patching and updates come with third parties and supply chains. A number of high-profile hacks over the course of the last year have come about not as a direct attack on the victim, but through the ‘back-door’ via vulnerabilities in partners’ systems. Whilst ensuring that your own defences are up-to-date is important, there is increasing pressure on companies to also gain visibility into their supply chain’s vulnerabilities.
Managed service to the rescue
With companies not patching for years at a time, many are exposed to not just the most recent threats, but those that have been around for years. With pressure on resource, budget and time in most companies, patching too often falls down the list.
The Exchange hack, which has the potential to impact so many companies, is now being exploited by multiple hacking gangs, and the only way to ensure that you are secure is to implement the patch as soon as possible. For those companies without a large IT team, this seems like a potentially daunting task. Many are turning to managed services consultancies to help run their day-to-day IT, which gives them peace of mind that all patches are implemented and updates installed. It also means that any potential hack is dealt with immediately before it has an impact on the company or customers.
Identifying potential vulnerabilities in third parties and across supply chains is obviously more complicated. However, new AI-backed solutions are able to provide companies with a 360° view of all potential vulnerabilities across their supply chain. With so many new, sophisticated forms of attack, companies need to ensure that all vulnerabilities are closed, whether that means keeping patches up-to-date on their internal systems or covering their entire supply chain.