
Approximately two years ago Clorox, the $15 billion CPG giant, was hit with a ransomware attack that tallied $380 million in downtime and remediation costs. Beyond the monetary and reputational pain, Clorox retailers and supply chain partners were also punished in the form of inventory losses.
Recently, Clorox felt the need to revisit the hack by throwing Cognizant, a provider of technology management services, under the bus. Clorox described a social engineering campaign carried out by the notorious Scattered Spider group on an IT Help Desk operated by Cognizant for Clorox.
Clorox made it quite clear that Cognizant made it way too easy for the bad guys to steal login credentials, stating that “Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques … Cognizant handed the credentials right over.”
Cognizant responded by stating, "It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed."
The Real Issues
This situation underscores one of the biggest obstacles facing cybersecurity improvement in the industrial sector – an insistence on figuring out who to blame. The fact that we stay fixated on this point is why manufacturing has become the most highly targeted sector by cybercriminals.
The human factor is far and away the biggest vulnerability facing any enterprise when it comes to cybersecurity – and it is written all over this attack.
Whether Cognizant was simply fulfilling its responsibilities as outlined in the agreement, or should have taken more initiative with its validation processes, obviously needs to be part of this hack’s assessment; Clorox, however, seems to be making it the focal point.
Clorox released the transcripts of calls between the hackers and the help desk employees. After reviewing them, it would be hard to overlook the lack of qualifying questions asked before new passwords were handed over. However, the nature of the conversations also indicates a well-informed hacker using a vocabulary curated from previous social engineering campaigns (deceptive cyberattacks that trick individuals into providing confidential information).
Again, it’s not about blame. Without consistent employee training focused on new and evolving hacker scams, employees will continue to provide access to the crown jewels, piece by piece, until the blackhats have enough to carry out their plan. In this instance, it looks like Clorox employees handed over the ingredients and Cognizant workers provided access to the oven.
It’s worth noting that the network Cognizant provided access to (or the oven if you want to follow the analogy) is not one they were charged with managing. This leads to a second takeaway.
Clorox, just like every other manufacturer, needs to take a closer look at access privileges and segmentation practices. If credentials that can be reset through a help desk are enough to create nationwide supply chain issues and more than $300 million in damage, the company has bigger issues than vendor performance. Again, Clorox is not alone. This is a common challenge facing even the most evolved cybersecurity experts, but resolution requires focusing on solutions, not dredging up old problems.
Finally, this hack reinforces the need to have a working partnership with any vendor or managed service provider, and vice versa. Empowering a managed service provider (MSP) with something as important as login credentials requires consistent communication. Clorox has no excuse for being unaware of Cognizant’s processes during this time period. And Cognizant needs to update its practices to mesh with current market conditions, regardless of the contract language.
The reality of this situation is that while assessing blame, two years after the fact, might be the best strategy for shifting accountability and making the next board meeting feel less like a witch hunt, all that really does is delay solutions.
My advice would be to ditch the lawsuit and funnel those legal costs into employee training on social engineering, better internal credential and identity management strategies, and developing stronger approaches to working collectively with outside vendors.
Over the last five years manufacturing has improved its ability to protect data, assets and people exponentially. Much of this is the result of sharing information and focusing on results, not prioritizing blame or refusing to acknowledge root cause deficiencies.