Hackers to target managed IT services suppliers

Stuart Poole-Robb, chief executive of business intelligence and cyber security adviser KCS Group Europe, warns about protecting against weak links in the supply chain

The managed IT services market is worth over $142bn per annum and is set to grow dramatically in European countries such as the UK, according to research from MarketsandMarkets.

But although companies can make savings of up to 40% by outsourcing emails and other data services to a third party, there can be huge unforeseen costs as a direct result of compromised security.

While security-minded organisations now routinely screen their own staff, particularly those with access to sensitive data, they frequently have no idea exactly who has control of their IT system at any given moment.

There is now growing evidence that some managed service providers have security vetting standards well below those of their clients. For example, an international charitable foundation recently hired a managed IT services provider only to discover that some of its staff were actively attempting to sabotage the charitable foundation's operations.

In this case, the motive for compromising the client's IT was largely idealistic. The foundation's operations included perfectly legal testing of products on animals. Unbeknown to the foundation, some of the IT staff appointed by the managed services provider were passionate animal rights activists who were planning to sabotage the foundation's IT system and compromise its research data and client information.

But there are motives other than idealism which can tempt managed services engineers to compromise their clients' cyber security. As might be expected, the largest adopter of managed IT services is the ICT sector. While few IT companies are directly involved in the testing of animals, most carry mission critical data on their systems in the form of intellectual property and confidential client information.

Other sectors that are keen to use managed IT services include banking, which is already hard hit by cyber-crime. Organised criminals are waiting to exploit any weakness in a financial institution's cyber defences. As KCS Group Europe's research shows, 81% of malicious cyber-attacks come from within an organisation, and using a bank's own staff has long been a useful entry point for cyber criminals.

But by outsourcing their day-to-day ICT to third parties, organisations such as ICT companies and banks are opening a potential back door to cyber criminals. Rather than pass through a relatively stringent screening process to be employed by the target company, cyber criminals find it simpler to infiltrate a third-party services supplier. From the cyber criminal's perspective, managed service providers are the ideal third parties to infiltrate. At a managed IT services company even a relatively new and junior member of staff can easily gain access to a client's most valuable data.

Once the hack has been completed, the target organisation is then open to blackmail, espionage and terrorism. The usual approach is to demand a high ransom from the target company. Refusal to pay means running the risk of the cyber-criminal inflicting the maximum possible damage. This can simply mean wiping huge swathes of mission critical data or using confidential customer information to compromise the company's key clients.

In the US, where the cost of cyber-crime is estimated at over a trillion dollars a year, companies unwilling or unable to meet the hackers' ransom demands are being forced into liquidation. A recent example is the New Jersey-based code-hosting and project management services provider CodeSpaces, which was forced to close its operations following a malicious cyber-attack.

The strategy of the attack is one which is becoming increasingly common, and it took place over only 12 hours. It began with what appeared to be an old-fashioned Distributed Denial of Service (DDoS) attack. But while CodeSpaces' IT department was coping with this frontal cyber-attack, the hackers took advantage of the diversion to install malware on the organisation's system. When CodeSpaces were too slow in meeting the hackers' ransom demands, they were forced to stand powerless as their customer data was irrevocably wiped, leaving the organisation with no alternative but to cease trading immediately.

KCS Group Europe is already seeing evidence of this type of attack in the UK, where diversionary strategies are used as a smokescreen for the real attack in the form of a more subtle malware attack. With UK cybercrime losses already being measured in the tens of billions of pounds Sterling, British companies should now be bracing themselves for a wave of similar strategic attacks over the coming months.
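The diversion pattern described above, a noisy availability attack masking quieter privileged activity, is something a defender can look for directly: administrative actions that create accounts, grant admin rights, disable logging or destroy data while a DDoS alert is open are rarely legitimate and deserve an immediate response. The following Python is an added example and is not code from the article or from KCS Group Europe; the log format, the action names, the grace period and the sample events are all constructed for illustration and do not reflect any specific product's audit schema or the CodeSpaces incident.

```python
"""Flag privileged or destructive admin actions that coincide with a DDoS alert.

Added example with a constructed log format: each line is
'<ISO timestamp> <source> <kind> [key=value ...]' where source is either
'ddos_sensor' or 'admin_audit'. Nothing here is taken from a real product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Illustrative action names. Destructive actions get the highest severity;
# the wider privileged set covers the preparation steps (new accounts, new
# rights, blinding the monitoring) that typically precede a wipe.
DESTRUCTIVE_ACTIONS = {"delete_volume", "delete_snapshot", "delete_bucket", "wipe_backup"}
PRIVILEGED_ACTIONS = DESTRUCTIVE_ACTIONS | {"create_user", "attach_admin_policy", "disable_logging"}

# Assumed grace period: admin actions shortly after traffic returns to normal
# are still treated as part of the incident window.
GRACE = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    actor: str = ""
    detail: str = ""


@dataclass
class Finding:
    event: Event
    severity: str                                 # "critical" or "high"
    window: Tuple[datetime, Optional[datetime]]   # the DDoS window it fell into


def parse_line(line: str) -> Event:
    """Parse one line of the constructed format into an Event."""
    parts = line.strip().split(" ", 3)
    ts = datetime.fromisoformat(parts[0])
    fields: Dict[str, str] = {}
    if len(parts) == 4:
        for token in parts[3].split():
            key, _, value = token.partition("=")
            fields[key] = value
    return Event(ts, parts[1], parts[2], fields.get("actor", ""), fields.get("detail", ""))


def ddos_windows(events: List[Event]) -> List[Tuple[datetime, Optional[datetime]]]:
    """Pair ddos_start/ddos_end sensor events into (start, end) windows.
    An attack still in progress at the end of the log has end=None."""
    windows = []
    start: Optional[datetime] = None
    for ev in events:
        if ev.source != "ddos_sensor":
            continue
        if ev.kind == "ddos_start" and start is None:
            start = ev.ts
        elif ev.kind == "ddos_end" and start is not None:
            windows.append((start, ev.ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def in_window(ts: datetime, window: Tuple[datetime, Optional[datetime]]) -> bool:
    start, end = window
    if ts < start:
        return False
    return end is None or ts <= end + GRACE


def flag_actions_during_ddos(lines: List[str]) -> List[Finding]:
    """Return privileged admin actions that happened inside a DDoS window."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    windows = ddos_windows(events)
    findings = []
    for ev in events:
        if ev.source != "admin_audit" or ev.kind not in PRIVILEGED_ACTIONS:
            continue
        for w in windows:
            if in_window(ev.ts, w):
                severity = "critical" if ev.kind in DESTRUCTIVE_ACTIONS else "high"
                findings.append(Finding(ev, severity, w))
                break
    return findings


# Constructed sample log: a DDoS window during which a contractor account
# creates a new user, grants it admin rights and deletes storage. The final
# deletion happens the next morning, outside the window, and is not flagged.
SAMPLE_LOG = [
    "2024-01-15T20:00:00 ddos_sensor ddos_start detail=volumetric",
    "2024-01-15T20:04:12 admin_audit console_login actor=ops-jane detail=known_ip",
    "2024-01-15T20:11:30 admin_audit create_user actor=msp-contractor detail=backup-svc2",
    "2024-01-15T20:12:05 admin_audit attach_admin_policy actor=msp-contractor detail=backup-svc2",
    "2024-01-15T20:40:00 admin_audit delete_snapshot actor=backup-svc2 detail=snap-0a1b",
    "2024-01-15T20:41:00 admin_audit delete_volume actor=backup-svc2 detail=vol-7c3d",
    "2024-01-15T21:30:00 ddos_sensor ddos_end detail=traffic_normal",
    "2024-01-16T09:00:00 admin_audit delete_snapshot actor=ops-jane detail=snap-old-rotation",
]

if __name__ == "__main__":
    for f in flag_actions_during_ddos(SAMPLE_LOG):
        print(f"{f.severity.upper():8} {f.event.ts.isoformat()} {f.event.actor} {f.event.kind} {f.event.detail}")
```

The point of keeping the window open for a grace period after the traffic subsides is that the destructive step often lands once the operations team has relaxed; the point of flagging account creation and privilege grants, not only deletions, is that they are the moment at which a response can still prevent the wipe.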

Those firms which are contemplating using managed IT services should take immediate action to ensure that their services provider applies information technology and information security policies as stringent as their own.

Organised cyber-criminal gangs and foreign governments are now preparing a full-scale assault on UK companies of all sizes. While recent hacks on big players like eBay may grab the headlines, it is small-to-medium sized enterprises (SMEs) who have most to lose from cyber-attacks. As with CodeSpaces, a big enough ransom demand or a malicious attack on their infrastructure can force them out of business.

But the most potentially damaging attack for UK Plc may go undetected for months - or even years. Countries such as China now have regiments of highly trained hackers - effectively 21st Century cyber warriors - whose mission is to hack corporate IT systems in countries such as the UK.

Many companies mistakenly believe that if their own organisation does not hold any information on its database which is very obviously a state secret, they will be of no interest to the hacker. But cyber espionage has become increasingly subtle over the last few years, and foreign powers now prefer to use third or even fourth parties such as managed IT services providers as a route to technological or state secrets.

A European power supply company recently discovered that its own database had been used to infiltrate one of its clients. The client was a nuclear defence supplier, and it transpired that for around nine months the Chinese malware had been sitting on the defence contractor's system and that a foreign power had total access to all its new technologies.

Current levels of cyber-crime and digital industrial espionage are now so sophisticated and frequent that thorough screening not only of internal staff but also of service providers is no longer merely advisable but a necessity.

Stuart Poole-Robb is chief executive of business intelligence and cyber security adviser KCS Group Europe.