A reminder for shared service centers and shoring operations to re-examine IT security posture.
European business leadership, especially CISOs, CTOs, and chief data officers (CDOs), are adjusting to the fact that the war in Ukraine is a war in Europe and has global implications. Sanctions, military aid, and even incoming refugees are all signals that operators of digitally intensive shared service centers (SSCs) and off-/near-shoring schemes should revisit their contingency plans and IT security posture.
While this advice is best followed up on periodically, war or no war, sustained conflict on the borders of the EU should heighten the resolve to audit your IT security strategy. For businesses and institutions operating in Central and Eastern Europe (CEE), the need to reassess security comes as a hard reminder that service center and shoring models may carry risks beyond high exposure to cyberthreats that include geopolitical threats as well.
To be sure, CEE is not the only game in town. With respect to hosting SSCs and shoring operations, Latin America (Argentina, Brazil, Mexico, Panama, etc.) and the Asia Pacific region (India, the Philippines, Thailand, etc.) also host large numbers of these operations and share a set of risks vectoring from their intense reliance on and/or support for digitally/IT-driven processes.
However, with all eyes on war in Europe and especially CEE, let’s use that region as our lens.
Location, location, location
Many CEE countries, including the Slovak Republic, Poland, and the Czech Republic, have been hosting the worksites for the SSC business model for more than 20 years, with Ukraine adding its skilled labor force to the shoring and SSCs “party” a little later. At present, the shoring and SSC business model employs at least 900,000 people across the CEE region. With Kyiv, Bratislava, Prague, Warsaw, Cluj, and many other locations supporting telecommunications, software, finance, HR, automation, and other business processes, considerable effort has gone into making these IT hubs resilient.
The attributes of geography, combined with the human resource and the tools they use, make the SSCs operations interesting cyber-targets. Now, regardless of the effort required to build and nurture these productivity-centric business assets over the 20+ years of calm that made the CEE region so attractive for SSCs, the war, and its cyber-centric aspects, pose a new challenge – delivering both security and trust.
In terms of security, we only need consult Verizon’s DBIR Report to see which industries face the highest rates of persistent and targeted attacks. And trust? Understanding if IT security at service-oriented offshoring and SSC operations, whether operated by HQ or as part of a supply chain provide a soft touch for malicious actors? After all, many industries detailed in the report, and their supply chain partners, leverage shoring and SSC opportunities – including in CEE. As such, operators should reevaluate IT risks and harden digital security practices across the board.
Many CIOs, CISOs, and their staff have begun taking a look at zero trust, an IT security model that is designed to limit risk exposure by eliminating unneeded access and privileges in critical IT systems. The dividends with respect to zero trust lay in prioritizing restriction of services available to users on the network, instead of retroactively locking down access. This means that no access is granted without specific and proactive authorization. While that is just a single approach, and it is aggressive, it does score high for proactivity.
COVID-19, war, and changed behaviors
If we can draw from data on cyber threats linked to the ongoing COVID-19 pandemic (2020 peak of COVID-19-linked threats), and the wider threat landscape across 2020, 2021, and the first half of 2022, then the IT and data-intensive workflows used for shoring and SSCs do dictate care.
By design, SSCs focus on specific tasks or subtasks that can increase speed and/or efficiency of delivery at a cost benefit to management. Here “shared” signifies collaboration; however, collaboration also offers rich scope for threat vectors. While we’ll take a look at some specifics below, we can confidently say that the zero trust model offers a lot of promise to shoring and SSC operations.
While SSCs in CEE and other locations demonstrate well the benefits that collaboration- and productivity-centric models bring to business, at scale, an intensification of risk follows. Even prior to the war, some of these risks had already presented themselves; in 2021, further refinement and uptake of collaboration platforms became a key enabler of the work-from-home revolution initially triggered by the pandemic. Among the many platforms, Microsoft Exchange Server experienced one of the largest-scale security impacts when a series of vulnerabilities was exploited by at least 10 advanced persistent threat (APT) actors as part of an attack chain. The vulnerabilities allowed attackers to take over any reachable Exchange server, even without knowing any valid account credentials.
Within a week of the vulnerabilities being declared, ESET detected webshell attacks on more than 5,000 email servers. With MS Exchange among the most popular collaboration platforms, the damage spread far and wide In the days and weeks that followed, attack attempts based on the exploitation of this vulnerability came in several waves. Notable and most feared among the attacks were ransomware campaigns by some of the most prolific APT and criminal groups.
Figure 1. ESET detections of Microsoft Exchange server attack attempts. For more details, head over to Microsoft Exchange exploits – step one in ransomware chain.
Collaboration can mean a lot of things: e-mails, shared documents, MS Teams, video calls, MS 365 … and likely the use of many cloud platforms. Again, the scale of tool use, both within an organization and along the supply chain (including partner organizations), opens that large threat surface. All the digital tools/platforms mentioned here are cornerstones of many a portfolio of shoring and SSCs.
Protecting and managing all the IT “real estate” implied by the platforms and tools mentioned is highly capacity intensive – so much so that many businesses and organizations have elected to outsource security to Managed Security and Service Providers (MSSP + MSP), a business model of similar vintage to SSCs. Unfortunately, the same digital glue holding these businesses and their clients together, has also come under attack.
Trust is digital glue
Virtual relationships, be they B2B, B2C, or B2B2C, work because of the trust relationships that underpin our willingness to decentralize and/or outsource processes. With respect to IT and IT security administration tasks and services, we’ve also seen those trust relationships impacted.
July 2021 saw Kaseya’s IT management software, popular with MSP/MSSPs, suffer a supply chain attack of unprecedented scale. Similarly, another MSP player, SolarWinds, saw its Orion platform – which requires highly privileged access to manage customer environments – under attack; clearly, these large-scale environments have become a preferred high-ROI threat vector. While market leaders Kaseya and Solar Winds both saw serious business and reputational impacts, their clients were also heavily impacted.
Accelerated digitalization, delivered by the pandemic, also threw light on the key role that the global transition to working from home had on security. This is perhaps best expressed by the massive number of attacks on the handy but vulnerable interface often used by staff at home to connect with company servers – Remote Desktop Protocol (RDP). Use of RDP has opened up numerous “backdoors” at companies and has come under constant attack over the last two years. In December 2020, ESET registered an average of 14.3 million attacks per day in Germany, Austria, and Switzerland alone; this corresponds to 166 attacks per second. For context, these three countries have significant near-shoring operations and production investments across CEE and a lot at stake. While RDP attacks finally saw appreciable declines in 2022, poor admin security practices and other factors will likely keep RPD among the serious threats faced by SSCs and shoring operations.
Figure 2. Trends of RDP connection attempts in Q1 2020-Q2 2020, seven-day moving average (source: ESET Threat Report Q2 2020).
Digital defenses, large and small
The toolset to best keep businesses, including SSCs, safe clearly starts with mature IT management practices. While many SSC and shoring operations benefited from their HQ’s software update and patch management policies, as well as deployment of endpoint detection products, prior to the war in Ukraine, mature security practices ideally delivered/managed by a well-staffed security operations center (SOC) team are now critical. These business operations may have sat on the periphery of wider security operations at both enterprises and larger SMBs, but the need to take a deeper look at endpoint security, service(s), and visibility into networks via extended detection and response tools and security practices by both IT admins and staff has become more acute.
Concerns about targeted attacks, malicious inside actors, and “trust” relationships mean service centers, particularly those in CEE, should assess their security posture and the maturity of their security practices and audit both internal and external risks.
Pursuing audits at this scale, businesses will need to engage heavily with existing vendors’ services teams, or in many cases since the invasion of Ukraine, rapidly move to safe harbor with new vendors. While auditing processes require significant resources, they also fundamentally ensure that the cost savings, process efficiency, and business continuity of the shoring model can continue.
For smaller operations, which don’t sport an SOC team or have the budget for either endpoint detection and response tools or managed detection and response, there are still significant options. Cloud security solutions can help protect vital collaboration tools, including Microsoft 365, OneDrive, and Exchange Online, and include powerful, easy-to-integrate cloud sandbox tools that are effective against never-before-seen threats.
As such, many of the worst threats to business, be they via RDP, ransomware and other malware via macro-enabled files, or e-mails with malicious attachments, can wreak havoc at scale. For the offices in question, their clients or HQs have chosen to invest in and build globally distributed capacity, so the challenges and threats are largely similar.
With open conflict as a stern reminder, protecting investments and improved capacities provided by SSCs, shoring operations, and other efficiency-oriented business models is critical. It also recalls the significant ink spilled at the EU level to buoy a more self-reliant security environment in Europe.
The conflict in Ukraine, like the pandemic before it, is sending clear signals about the critical role digital has to play in global business and keeping a stable and conducive economic environment. In something akin to collective security, if SSCs become a weak link in European or global business services and supply chains, then global business will be poorer for it.
by James Shepperd, ESET