Contractor Security Failures Create Exposure For Canadian Systems

The Treasury Board of Canada Secretariat (TBS) acknowledged that a cyber-attack impacted the systems of MSH International, a sub-contractor to Canada Life that, under the Public Service Health Plan (PSHCP), provides emergency travel and coverage services to federal public service employees and their dependents who are traveling or posted abroad.

The Secretariat said that although it is not known with certainty what information held by MSH may have been accessed, both MSH and Canada Life are working diligently to investigate the scope of this incident.

According to the release, MSH turned off its services to protect its network and data. It has also "retained an external cyber incident response firm to help with safe and prompt service restoration." MSH was unable to process PSHCP claims, and members were unable to log into the MSH member portal. "Cyber incident hits sub-contractor of public servants' health plan" www.ottawacitizen.com (Feb. 12, 2024).


Commentary


There are many good reasons for organizations to contract with third parties to manage routine organizational tasks such as billing and receiving, payroll, or inventory.

As more organizations delegate these tasks to third-party contractors, the chance that a compromise of a subcontractor's system puts the organization's own network at risk increases accordingly.

The priority in such cases is to ensure that any third-party contractor, supplier, partner, or entity with access to your organization's system has a strong cyber defense mechanism in place.

Cybersecurity Supply Chain Risk Management (C-SCRM) is a systematic process for managing exposure to cybersecurity risk throughout supply chains and for developing appropriate response strategies, policies, processes, and procedures. C-SCRM practitioners identify, assess, and mitigate cybersecurity risks throughout the supply chain at all levels of their organizations.

The Canadian government notes that supply chain compromises are an evolving threat against Canadian businesses, critical infrastructure, and governments. It warns that supply chains will almost certainly continue to be targeted by threat actors in the near term.

Organizations are urged to maintain a robust supply chain integrity program and ensure that their suppliers are adhering to supply chain integrity and security best practices. Many cyber threats can be mitigated through awareness and best practices in cybersecurity and business continuity, coupled with workforce training.
