On Dec. 11, 2021, Kronos, a workforce management company that services over 40 million people in over 100 countries, received a rude awakening when it realized its Kronos Private Cloud was compromised by a ransomware attack. This was just the beginning of a series of events to follow. Still to this day, millions of employees are short hundreds or even thousands of dollars as the Kronos software fails to reconcile following the attack.
But by understanding the impact of this ransomware attack, and the methods behind it, companies can better plan and tighten their cybersecurity protection efforts to prevent or minimize the effects of such attacks in the future.
How the Kronos Ransomware Attack Happened
Like many other companies that have suffered ransomware attacks in recent years, Kronos has been sparse on the details. Its press release simply states it became aware of "unusual activity impacting UKG solutions using Kronos Private Cloud" and "took immediate action" and determined it was a ransomware attack.
In ransomware attacks, computer systems become infected with malicious software that locks or encrypts access to files or data until a ransom is paid. But these ransoms can be quite steep and there's no guarantee that access will be returned. In the case of Kronos, there are reports that the ransom was paid, yet it took over a month before the system was fully restored and even longer for customers to try to reconcile their data in the aftermath.
Ransomware can spread in a variety of ways, including through phishing emails or from visiting an infected website. And with the threat landscape constantly evolving, new methods of infection are emerging, such as Web server exploitation. In general, the strategy of bad actors is to target the weakest link. And often that weakest link is human — i.e., it's Jesse in finance who was fooled by spam and clicked the wrong link.
In the case of Kronos, we may not know exactly how the breach occurred, but the impact was felt far and wide. Not only did it harm the finances and reputation of Kronos itself, but it did significant harm to all the businesses and organizations that relied on Kronos as a third-party vendor.
Kronos is used by tens of thousands of different companies and organizations across multiple sectors for tracking work hours and issuing paychecks. The attack in question affected 2,000 of those businesses, and it happened during one of the most chaotic times of the year — in December, when bonuses tend to be due and when employees really count on their paychecks being dependable.
Just imagine how much of a mess your business would be in if all employee payroll data went missing for weeks. Companies had to try to create temporary manual workarounds, and many employees missed paychecks over the holidays. Then once the system was back online, there was the job of entering that manual data and reconciling records. This was costly in financial terms as well as in terms of time and morale.
Note how the impact of this attack didn't just hurt Kronos, but the many businesses that relied on Kronos software, not to mention the employees of those businesses.
This is a prime example of third-party risk.
As much as your company might have all of its cybersecurity ducks in a row, your company is still at risk if you rely on a vendor that has security gaps. Protecting your organization from a ransomware attack similar to the one that happened to Kronos means going beyond just protecting your organization from malware. You must ensure that all vendors you rely on are accurately assessed for security risks as well.
Managing Third-Party Risk
To help remove third-party risks, and keep you from experiencing a similar ransomware attack to Kronos, here are the key steps to understanding and managing your third-party risks:
Step 1: Identify your vendors: You need to know who all your vendors are before you can perform a risk analysis. For some organizations, the list may be small. For others, it can take a while to track down and catalog all vendors.
Step 2: Analyze risk for each vendor: Assess the security posture of each vendor and determine the relative risk they pose to your critical operations and infrastructure.
Step 3: Prioritize vendors based on risk: Once you understand the risk associated with each vendor, you can categorize vendors based on their overall importance to your business and any potential threats they pose. This will help you address the most critical issues first or determine where a shift in vendor prioritization would be more beneficial.
Step 4: Monitor continuously: Just checking in with each vendor once is not enough. With all businesses these days, technology and configurations are constantly evolving, as is the threat landscape. Continuous monitoring of third-party risk will alert you if something changes and enable you to act accordingly.
Cybersecurity threats will always be top of mind as the threat landscape evolves and cybercriminals use new attack vectors. However, staying ahead of these threats with proper third-party risk management, vendor security assessments, and identifying the security posture of your own business will help to prevent you from being the next headline news of a ransomware attack victim.