MOVEit: Testing the Limits of Supply Chain Security

Since late last month, a Russian cyber-extortion gang has been exploiting a flaw in MOVEit, a widely used managed file transfer product that many organizations rely on to move data and share files securely. Hundreds of commercial businesses (e.g., BBC, Shell, British Airways, Boots, Zellis) and government agencies (e.g., the U.S. Department of Energy, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, the Minnesota Department of Education, the Nova Scotia government) have confirmed being impacted. As Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), pointed out, the MOVEit campaign was relatively superficial and was caught quickly, unlike the stealthy SolarWinds hacking campaign. Even so, it highlights how exposed organizations remain to attacks on widely deployed third-party software, even after years of investment in improving their security postures. This raises the question: are our existing cybersecurity practices really optimized for today's dynamic threat landscape?

The MOVEit zero-day attack seems to affirm the call in the White House's National Cybersecurity Strategy to shift liability onto organizations that fail to take reasonable precautions to secure their software. The strategy acknowledges that "poor software security greatly increases systemic risk across the digital ecosystem and leaves American citizens bearing the ultimate cost." A special focus of the strategy is software developed by unvetted third parties and embedded into commonly used programs, where a single flaw can give attackers a foothold in every organization that deploys it. Whether the National Cybersecurity Strategy will have any impact that helps mitigate the exploitation of software vulnerabilities such as the MOVEit flaw remains to be seen.

Remember that the Biden Administration's National Cybersecurity Strategy is not an executive order but a plan for shaping a more consistent approach to cybersecurity at the national level. Much of it, including any shift in software liability, would require legislation from Congress. Given the current deep political division, getting the necessary buy-in from both parties will be challenging. It is likely that the ambitious plans will initially be applied to critical industries over which the government already has authority. This can be done by setting standards within those sectors and by enforcing specific procurement requirements and security standards across applicable federal agencies. But even in those cases, it can take years for such rules to take effect.

Meanwhile, we have to acknowledge that spending your way to a secure state is costly, builds a false sense of security, and simply does not work. Instead of focusing resources exclusively on preventing an attack, it is important to develop a plan to mitigate the impact when a successful attack occurs. Forward-thinking organizations are adopting a strategy to cope with today's increased cyber threats, called cyber resilience.

The need for cyber resilience arises from the growing realization that traditional security measures are no longer enough to protect systems, data, and the network from compromise. The objective of cyber resilience is to ensure that an adverse cyber event, whether intentional or unintentional, does not negatively impact the confidentiality, integrity, and availability of an organization’s business operation.

A cyber resilience strategy is vital for business continuity and can provide a range of benefits before, during, and after a cyberattack, such as:

  • Enhanced Security Posture: Cyber resilience not only helps with responding to and surviving an attack. It can also help an organization develop strategies to improve IT governance, improve security across critical assets, expand data protection efforts, and minimize human error.
  • Reduced Financial Loss: According to the IBM Cost of a Data Breach Report 2022, the average cost of a data breach is now $4.35 million globally. In addition to financial costs, the reputational impact of data breaches is increasing due to the introduction of general data protection laws and stringent data breach notification requirements. Cyber resilience can help minimize recovery costs by accelerating time-to-remediation.
  • Improved Compliance Posture: Many industry standards, government regulations, and data privacy laws now explicitly call for cyber resilience.
  • Enhanced IT Productivity: One of the understated benefits of cyber resilience is its ability to improve the daily IT operations, including threat response and ensuring day-to-day operations run smoothly.
  • Heightened Customer Trust: Implementing a cyber resilience strategy helps improve trust as it enhances the chances of responding to and surviving a cyber-attack, minimizing the negative impact on an organization’s customer relationships.
  • Increased Competitive Edge: An organization that can demonstrate its ability to keep operating through an attack holds a competitive advantage over companies that cannot.

As we wait for the National Cybersecurity Strategy to come to maturity, organizations must augment their current cybersecurity strategy with a focus on cyber resilience. Most cyber resilience initiatives leverage or enhance a variety of cybersecurity measures. Both are most effective when applied in concert.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
