Getting smacked with a crippling ransomware variant is never a walk in the park.
But getting hit with a devastating attack right before the holiday season is especially troublesome–and even more so when the attacked entity is an HR services provider, serving over 10,000 organizations across the globe.
On December 13, 2021, popular HR management provider Kronos, also known as Ultimate Kronos Group (UKG), disclosed that their Kronos Workforce Central platform, part of the Kronos Public Cloud portion of their services, had fallen victim to a massive ransomware attack. The ransomware has blocked users from accessing the platform and the HR data inside and has continued to persist for many into the new year.
Kronos is widely used in the public sector by government agencies, healthcare providers, and law enforcement groups, but many others like Tesla, Puma, and various universities across the U.S. also leverage the platform. The ongoing attack has made it impossible to use the functions for payments, time off requests, scheduling, checking benefits, and many other important capabilities.
HR teams at affected companies have scrambled to contain the impact, with customers resorting to issuing paper paychecks and manual time tracking, some of which haven’t been accurate. According to executive VP Bob Huges, restoring services would take up to a few weeks and representatives from the company have advised users to “evaluate and implement alternative business continuity protocols related to the affected UKG solutions.”
When it comes to “implementing alternative business continuity protocols,” achieving Compliance milestones is typically viewed as an important–and often required–element. Meeting SOC 2, ISO 27001, PCI-DSS, and other Compliance frameworks is seen as a powerful indicator of a company’s commitment to upholding security measures and many organizations speculate that being compliant ensures the business is optimally protected.
With a SOC 2 report or ISO certificate in hand, companies assume they can feel confident in their chosen partners and vendors, and that they are doing their part to ensure security best practices are maintained. But while being compliant is certainly a critical part of implementing alternative continuity protocols, as we have seen, on their own, these certificates and reports aren’t enough.
Take the massive hack at retail giant Target in 2014. That same year, the company earned PCI-DSS certification. In theory, being covered by PCI certification should have served as a powerful preventative measure, protecting their POS (Point of Sales) from the eventual threat. In the case of Kronos, the company has stated that they have SOC 2 in place, or at the very least, had SOC 2 certification in the recent past. They also note the implementation of a data disaster recovery plan, which should have served to soften the blow dealt by the powerful attack by enabling a safe, sound, and quick recovery.
So if cloud-based companies like Kronos have these Compliance efforts in order, what is going wrong?
The misconception starts with thinking of Compliance certifications and reports as siloed, one-off efforts. The typical model to Compliance may help organizations gain certificates and reports–and therefore credibility (whether it’s deserved or not)–but it lacks an underlying continuity between efforts. This typical stance views Compliance activities as little more than boxes to be checked off. Further, it doesn't do much to support security posture and does even less to establish and manage controls and policies that could be used to enhance maturity.
The key to harnessing Compliance to its fullest lies in building mature, integrated programs, wherein Compliance serves as a guide to achieving better security. A mature Compliance Program is all about being continuously prepared with the right controls, which evolve as the company grows. It also has the proper security gates embedded within processes and protocols to reflect those improving controls.
SOC 2 for instance is scope-based, meaning that when it comes to system recovery controls, only those systems inside the scope will be tested. Moreover, the fact that those tests are often performed on a very basic level, i.e., just to mark a box in the checklist, instead of for the purposes of trying to learn from the activities and consequently improve upon them, the system is left untested and unverified, regarded as too complicated to "invest in" for a SOC 2 test. So, while system recovery controls in theory play a key part in frameworks like SOC 2, companies lacking a mature Compliance program often fail to take them seriously.
On the contrary, when an entity learns from the SOC 2 process that system recovery is important for data availability, and leverages that understanding to build a robust, well-defined, and frequently-tested process, it can thus easily recover the lost data, drastically reducing the impact of the attack. In the case of Kronos, this particular attack could have been thwarted with a robust, mature approach to addressing data recovery controls in this way.
It is still too early to know what personal information, if any, has been exposed in the hack and much is still to be disclosed around the specific cause and any monetary sums requested as part of the ransom.
Still, this particular case highlights the critical nature of ransomware attacks on third parties and how this impacts the end users who may not have been directly hacked but will be paying the proverbial price for a very long time to come.
Attacks like the one on Kronos should serve as reminders that “good enough” isn’t actually always enough and meeting one Compliance framework here and another one there doesn’t equal a mature Compliance strategy in today’s challenging and increasingly risky landscape.
This article originally appeared on Cybersecurity Insiders