Rather than accepting accountability, a global law firm caught with its pants down blamed its vendor.
This week, global law firm Jones Day suffered a breach in which hackers successfully stole files from the firm and posted them on the dark web.
However, the law firm has disputed that it was its own network that was breached, claiming that a file-sharing company it had used was recently compromised.
The incident is reminiscent of Singtel’s breach last week. What lessons can be gleaned from this cybersecurity faux pas? Principal security consultant Tim Mackey of Synopsys noted that modern business is based on an ecosystem of technology providers that form a digital supply chain. Compromising a business is then a matter of identifying the weakest link and accessing the data that it holds on the business and its clients.
“While it is traumatic for any business leader to find themselves in the press for a data breach, the incident represents an opportunity (that hackers took advantage of). When a breach occurs, it’s the result of an exploitable weakness in the system and ecosystem. Rarely is it only a single weakness that leads to data being stolen. It’s the cybercriminals who decide the rules of their attack, and those rules are based in part upon the data they encounter and the tools available to them,” Mackey said.
The weakness that he alluded to could be an unpatched vulnerability, misconfiguration, compromised credentials, or any number of other issues, but ultimately, putting the blame on the file-sharing company may not be good optics.
“Reputational damage is inevitable following a cyberattack, and one way to rebuild trust is to be transparent about the nature of the attack, but also the tactics used. Not only does such transparency rebuild client trust, but it also can serve as a warning to other businesses that might have similar ‘best practices’ to those that were exploited and who have not yet been compromised,” hinted Mackey.