CTS cyber-attack highlights the danger of relying on a single supplier for critical IT services
December 2023 by James Watts, Managing Director of Databarracks
Two weeks ago, managed service provider CTS announced it had suffered a cyber-attack disrupting its services. The attack is thought to have impacted approximately 200 of its legal customers in the UK, affecting phone, email, and case management systems.
On the 30th of November, CTS announced that it had reached the fourth stage of its four-phase plan to restore client services.
James Watts, Managing Director of Databarracks, commented: “CTS is one of the best-known suppliers of IT services in the legal sector with an excellent reputation. MSPs are attractive targets for attacks because a single breach can disrupt hundreds of its customers. This demonstrates that even solid organisations with a commitment to cyber security are not immune to attacks. This isn’t the first time this year we’ve seen a whole sector impacted by a critical supplier. The outage at Ion Group at the start of the year affected many companies across the Financial Services sector; in July-August, the UK charity sector was affected by an attack on a key supplier, Kokoro.”
According to Mr Watts, these attacks highlight the dangers of relying on a single supplier for critical IT services. “There is a great appeal in the simplicity of having a single supplier for all IT services. The downside of this approach is evident. When you keep all your eggs in one basket and that supplier suffers a cyber-attack or prolonged outage, your business is severely impacted. Our recommendation from a continuity perspective is to adopt a multi-vendor approach wherever possible.
“In the world of Supplier Risk Management, this is fundamental. You diversify your supply chain to stop the failure of any single supplier preventing you from delivering for your customers. Somehow, in the world of IT services, this can be forgotten. The organisations that have separate Backup and Disaster Recovery systems in place can continue to operate while those without cannot.
“In IT resilience, immutable backups and air-gaps are the current hot topics. That means backups that cannot be altered by a cyber-attack like ransomware and physical and logical separation that prevents an attack from spreading from production IT systems to your backups. One of the best methods of adding separation into your IT supply chain is to have one supplier delivering production IT and another looking after IT resilience. This adds an air-gap to your people and process as well as to your technology.
“Cyber-attacks are incredibly difficult and complex things to manage. There is an enormous amount of work required to identify and contain the malware, before eradicating it. Having a separate supplier for IT resilience means that you have a team dedicated to getting the business operational as quickly as possible while another team is focussed on the longer-term return to the production environment.”
The CTS attack is also an example of concentration risk in a single industry.
“Concentration risk occurs when many organisations in an industry use the same supplier. This was the case with 80 conveyancers affected by the outage. Conveyancers are highly dependent on each other so there is a network effect multiplying the impact of the outage. The result here is that many people faced delays in their home buying process at exchange and completion.
“This is best addressed by regulators who can take a view of the risk across an entire market.
“After any continuity incident, we should always review for lessons to improve future resilience. Our hope following this incident is that law firms will review their IT supply chain to ensure that in any similar incident, they will be better placed to manage the impacts and deal with the consequences.”