Behind the Hack: Why Your Contractor's Cybersecurity Matters to You
On October 8, 2022, Healthcare Management Solutions, a contractor for the Centers for Medicare & Medicaid Services (CMS), was hit with a ransomware attack. Because the company handled CMS data, the personal and confidential information of 254,000 Medicare beneficiaries may have been exposed, including names, addresses, enrollment and premium data, Social Security numbers, and banking information. CMS had to issue new Medicare ID cards and ID numbers to everyone affected, adding expense for both organizations and headaches for the beneficiaries they serve.
This breach is a reminder that companies and organizations can’t afford to ignore the cybersecurity of their third-party vendors, contractors, and other partners. Several of the most significant hacks in recent years, including the massive SolarWinds breach, originated with a third-party partner or service. In an era of large and interconnected global supply chains, a breach at a single link can expose many companies and a huge quantity of sensitive information all at once.
We’ve got a hack for that
These are just a few of the reasons NINJIO is focused on supply chain cybersecurity in 2023, with a particular emphasis on third-party cyberthreats. One theme of NINJIO’s cybersecurity awareness training episodes is “verify before you trust” – a principle that should be applied to all forms of access and information sharing, including with third-party partners. For example, refer to season 6, episode 10 (“Verify Before You Trust”), which discusses the risk of cybercriminals hacking into secure systems and altering wiring instructions to steal transfers. Whether these instructions are sent to a client or a third-party vendor, it’s vital to confirm with the intended recipient, using a phone number or contact you already have on file rather than one supplied in the message itself, that account and routing numbers, entity names, and all other sensitive details match your internal records. Cybersecurity awareness training can help employees recognize when invoices, receipts, and financial documents contain discrepancies, errors, and other red flags.
Employees need to be particularly wary of communications from contractors and third-party partners that seem out of the ordinary – especially if they’re urgent or coercive in some other way. NINJIO has spent years teaching employees that they should immediately flag suspicious behavior (a form of what we describe as “proactive security awareness”), and a third-party demand to bypass typical procedures or security checks is as red as flags get. In many cases, these demands aren’t coming from the contractor or another third-party partner at all; they’re social-engineering attacks by cybercriminals impersonating an organization you work with, and a successful impersonation can be the opening move of a ransomware intrusion or a fraudulent payment. For an example of this type of cyberattack and how employees should respond, see season 6, episode 7 (“See Something, Do Something”). As ransomware attacks, including the one on Healthcare Management Solutions and CMS, continue to fill the headlines, it’s all the more important for employees to be on their guard against them.
Renewed focus on an old threat
One of the reasons 90 percent of supply chain professionals are prioritizing visibility technology is the fact that breaches can be caused at any link in the supply chain – including by third-party service providers and vendors. There are many ways third parties can cause a breach at your company: they might have access to sensitive financial information or customer data, which could be leaked due to poor cyber hygiene – from a lack of credential security to subpar account authentication protocols. Even with these protocols in place, companies face substantial risks when working with contractors and other third parties. When Uber was hacked in September 2022, its security team determined that a contractor’s corporate password had been leaked and sold on the dark web after malware was installed on the contractor’s personal device. This allowed the attacker to repeatedly attempt to log in with that password, which sent the contractor a series of two-factor authentication push requests – one of which was finally accepted.
The contractor’s decision to relent after being bombarded with authentication requests is an example of authentication fatigue (often called MFA fatigue or push bombing), another topic we address in our training courses. The main purpose of NINJIO’s engaging, narrative-driven cybersecurity awareness content is to eliminate security fatigue by showing employees that they have the power to defend the company from cyberattacks. NINJIO drives sustainable behavior change because our content keeps employees focused on what they’re learning by being entertaining and relevant.
Unlike the rudimentary and ineffective once-or-twice-a-year cybersecurity training many companies provide, NINJIO consistently reinforces what employees learn with content that’s regularly updated to account for the latest shifts in the cyberthreat landscape. When cyberattacks like the one on Healthcare Management Solutions and CMS occur, NINJIO can immediately provide hyper-relevant and targeted content to help employees recognize and thwart similar attacks on their own companies.
Let Us Help You