Cyber Sessions: RIBridges should be a wake-up call for everyone

Jason Albuquerque

(Editor’s note: This is the 29th installment of a monthly column on the growing number of cyberthreats facing businesses of all sizes and what they can do about it. See previous installments here.)

The recent cyberattack that crippled the state’s critical RIBridges system should serve as an alarming wake-up call for every CEO, board member and business executive. This wasn’t just a systems disruption by a low-grade malicious hacker; it was a comprehensive and sophisticated incident with serious cascading consequences for citizens, the government and the private sector.


It was a ransomware attack carried out by the Brain Cipher group and it compromised the sensitive personal data of as many as 650,000 people. This included names, addresses, dates of birth, Social Security numbers and possibly bank account information. The breach effectively crippled RIBridges, an online platform used by residents for vital social services such as Medicaid and other essential benefits. The platform is managed by the state’s third-party vendor Deloitte Consulting LLP.

Ransomware is a “new normal” business risk. Brain Cipher is relatively new and aggressive, known for targeting large organizations and causing big disruptions. It’s a highly profitable business model for cybercriminals, and the sophistication of these attacks continues to evolve.


This attack clearly underscores the critical role of third-party vendors in an organization’s security posture. Deloitte, which built and managed the RIBridges system, was initially identified as the point of entry for the attack. This highlights a critical vulnerability: in today’s interconnected world, your organization’s security perimeter extends far beyond your own company. Vendors, suppliers and partners represent potential entry points for cybercriminals.

In the Rhode Island case, the involvement of Deloitte shows the reality of the dangers businesses face. While the investigation has yet to determine whether Deloitte’s security controls were inadequate, vulnerabilities in the system could have given attackers a straightforward path to the state’s sensitive data. This emphasizes the need for businesses to go beyond simply assessing a vendor’s financial stability and dive deep into its cybersecurity practices.

Business executives must prioritize third-party risk management. This requires a shift in perspective, moving beyond simply checking boxes for compliance to a more holistic approach that integrates security considerations throughout the entire vendor lifecycle. It includes rigorous due diligence during the vendor selection process, ongoing monitoring and assessment of vendor security controls, and regular communication and collaboration with vendors to address risks.

Effective third-party risk management should involve a multilayered approach that includes a detailed supply chain security program. A robust program identifies and mitigates risks throughout your entire vendor ecosystem through rigorous due diligence on all third-party vendors, including cybersecurity assessments, contract security clauses and ongoing monitoring.

Comprehensive vendor risk assessments must be ingrained in every organization’s audit processes. Thorough assessments of vendors’ security programs and controls, together with reviews of their security policies and procedures, help determine what risks come with doing business with, providing access to and sharing data with third-party vendors.

Contractual safeguards should also be in place, integrating strong security clauses that outline expectations for data security, incident response and compliance with relevant regulations.

By prioritizing third-party risk management and implementing robust security measures within their vendor ecosystems, businesses can significantly reduce exposure to cyberthreats and minimize the potential impact.

Data breaches have a profound human cost. Stolen identities, financial damage and the erosion of public trust are some of the potential consequences. In the Rhode Island case, the disruption of essential social services is causing significant strain. For businesses, these types of impacts not only hurt financially but can significantly damage the brand and destroy customer loyalty. Our state’s breach is a stark reminder that cybersecurity is not just an information technology problem. It’s a business imperative, a reputational problem and ultimately, a human problem.

Next month: Cybersecurity needs to speak the language of the business, not the other way around

Jason Albuquerque is the chief operating officer of Pawtucket-based Envision Technology Advisors LLC. You can reach him at www.envisionsuccess.net.
