Cloud Backups Go South for Western Digital, Proskauer
4–10–2023 (Monday)
Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.
Today is Monday, April 10th, and I hope everyone had a chance to spend some time resting and reflecting this weekend - whether it was for Easter, Spring Break, or the Masters.
This week, we’ve got to talk about backups and the cloud, and make sure that we’re taking a risk-informed approach.
Let’s dig in.
Western Digital Incident Shows Cloud Risk, Backup Value
While this story isn’t strictly from the last week, it is an ongoing incident that really highlights the challenges that companies have in managing both their own data and their third-party relationships.
Western Digital, a company that’s been building solid state storage devices since the 70’s, disclosed a “network security incident” last week, noting that “an unauthorized third party gained access to a number of the Company’s systems.”
They go on to say “Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.
While Western Digital is focused on remediating this security incident, it has caused and may continue to cause disruption to parts of the Company’s business operations.”
Their statement noted events starting on March 26th, and their online backup system, MyCloud, is still down here on the morning of April 10th.
Remember, this is a company that built its business on manufacturing hard drives - not securely configuring, deploying, and operating cloud services. As a result, we’re seeing the risk play out: the company tried to evolve into a cloud offering, like so many others, and left itself vulnerable to an attack that resulted in both data loss for customers and service unavailability.
Unfortunately, they weren’t the only ones with a bit of an awkward time in the cloud last week. Law firm Proskauer Rose left 184,000 client files exposed on an Azure instance - exposed for at least six months.
“Proskauer said it recently learned that ‘an outside vendor that we retained to create an information portal on a third-party cloud-based storage platform had not properly secured it,’ according to a statement provided by spokesperson Joanne Southern.”
As is typical with law firms, their response here is tight-lipped and limited on details, and while they were able to pretty quickly resolve the issue once they learned of it, it’s highly likely that all of those files are already gone - and it’s unclear whether Proskauer has records of how many times, when, and by whom they were accessed.
Each of these stories serves to highlight the double-edged sword that is cloud technology. When properly configured, cloud services can be incredibly useful, powerful tools - particularly for growth-stage businesses that might not have their own infrastructure.
On the other hand, improperly configured cloud instances are a common source of vulnerabilities, and monitoring, logging, and alerting capabilities are likely not as strong as they need to be if the shop itself is misconfiguring the cloud instances in the first place.
When it comes to backups, in particular, we should also be mindful of pairing backup strategies with data retention strategies. Intentionally culling the data that you keep - particularly the sensitive data - is an effective way to keep spend and management costs down, but also to reduce the blast radius if and when incidents like this happen.
A common strategy for backups is the 3-2-1 Backup Strategy: you should have 3 copies of your data (your production data and 2 backup copies) on two different media (e.g. local and cloud) with one copy off-site for disaster recovery.
While this is a little more work, you’re building resilience and the ability to continue to operate when your cloud backups are down - and by implementing a solid data retention plan, you’re also ensuring that you only keep what’s still serving the business, and limiting the risk from cloud breaches and malicious insiders, among others.
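As an added illustration (not part of the original video or transcript), here is one way to check a backup inventory against both ideas at once: it marks backup copies that are past a retention window for culling, then tests whether what remains still meets 3-2-1. The dataset names, the 365-day window, and the inventory itself are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Copy:
    dataset: str
    medium: str            # e.g. "local-disk", "cloud"
    offsite: bool
    created: date
    production: bool = False

def audit(copies, today, retention_days):
    """Per dataset: backups past retention, and 3-2-1 gaps once they are culled."""
    report = {}
    for ds in sorted({c.dataset for c in copies}):
        mine = [c for c in copies if c.dataset == ds]
        # Production data is never culled; only aged-out backup copies are.
        expired = [c for c in mine if not c.production
                   and (today - c.created).days > retention_days]
        kept = [c for c in mine if c not in expired]
        gaps = []
        if len(kept) < 3:
            gaps.append(f"{len(kept)} copies, need 3")
        if len({c.medium for c in kept}) < 2:
            gaps.append("fewer than 2 media")
        if not any(c.offsite for c in kept):
            gaps.append("no off-site copy")
        report[ds] = {"cull": len(expired), "gaps": gaps}
    return report

# Constructed inventory (hypothetical datasets, not real data)
TODAY = date(2023, 4, 10)
INVENTORY = [
    Copy("client-files", "local-disk", False, date(2023, 4, 10), production=True),
    Copy("client-files", "local-disk", False, date(2023, 4, 9)),
    Copy("client-files", "cloud", True, date(2023, 4, 9)),
    Copy("client-files", "cloud", True, date(2021, 1, 1)),   # past retention
    Copy("hr-records", "cloud", True, date(2023, 4, 10), production=True),
    Copy("hr-records", "cloud", True, date(2023, 4, 8)),
    Copy("hr-records", "cloud", True, date(2022, 1, 1)),     # past retention
]

if __name__ == "__main__":
    for name, result in audit(INVENTORY, TODAY, retention_days=365).items():
        print(name, result)
```

In this constructed inventory, the cloud-only dataset looks like it has three copies until the stale one is culled, at which point it fails both the copy count and the two-media test.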
Fundraising
Big week to kick off Q2 - but it also comes on the heels of news that this has been the slowest first quarter of global M&A since 2013, according to Refinitiv.
Last week saw nearly $14B in newly committed capital, a significant chunk of that coming from KKR’s sixth European private equity fund - a market that’s continued to be relatively busy, even with these macro downturns.
Will Q2 bring a rebound in activity? It’s hard to say - but the nearly $180B of capital we saw committed in Q1 has to go somewhere, and we’re also seeing rumblings of advisors being hired for 2023 IPOs, which would also help unlock some of this stagnant approach.
You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.
Links
https://techcrunch.com/2023/04/03/western-digital-breach/?guccounter=1
https://status.mycloud.com/os4
https://techcrunch.com/2023/04/06/proskauer-confidential-client-data/
https://www.axios.com/pro/media-deals/2023/04/03/media-deal-value-q1-2023-refinitiv