Any repeats of the Cognizant Maze attack will have significant ramifications for the whole outsourcing industry
COVID-19 has forced organizations to increase their surface area to support a larger dispersed workforce, giving hackers more opportunity to inflict damage. The recent Maze ransomware attack on Cognizant is an example of this grave issue, which affects the entire services industry: further attacks will undermine enterprise customers’ confidence in outsourcing IT or business processes. The public exposure of private customer data causes all sorts of calamitous issues, especially with banking, healthcare, and private social media, that could result in billion-dollar lawsuits.
Cognizant’s online newsroom released a statement on April 18, 2020, indicating that a security incident involving its internal systems had caused service disruptions for some of its clients. The statement explained that Cognizant is cooperating with law enforcement authorities and doing everything it can to resolve the issue. Cognizant has not disclosed how this incident occurred, but it is clear that CISOs need to be acutely aware of the current climate’s increased security threats and invest accordingly.
HFS data in Exhibit 1 shows that during COVID-19, security investment is more necessary than ever to protect the increased surface area that remote working requires. It’s hardly surprising that cybercriminals have chosen to strike during the chaos of COVID-19, and this incident should hammer home the point that HFS has been warning about—any organization is vulnerable to attack. HFS conducted a survey during April 2020 to determine enterprises’ and service providers’ investment expectations in light of COVID-19. Cloud and security topped the list for spending.
Exhibit 1: Significant growth in cybersecurity supports and secures accessibility—regardless of size, organizations need to invest in security
How do you expect COVID-19 to impact your, or your clients’, spending on any of the following?
Source: HFS, April 2020
Ransomware devastates organizations of any size—arrogantly underestimating it will prove detrimental to both enterprises and service providers
HFS has covered ransomware’s devastating effects and has highlighted the importance of defending your assets against it. Groups like Maze threaten their victims with releasing confidential data, which would be disastrous for a company’s brand and customer confidence. Maze is a well-known example of ransomware; the FBI warned US companies about its impact in January 2020. It has not limited its attacks to the US; Maze has targeted organizations in other countries, including Italy and Germany. Maze penetrates networks through phishing and then moves laterally through systems. Once in place, it will take control of a system and threaten to expose an organization’s data unless the target pays a fee.
Ransomware can financially damage organizations by disrupting day-to-day business, exacting large ransom fees, or through legal proceedings as victims seek compensation or justice against whoever is at fault. Ransomware can also have detrimental reputational effects as customers or partners lose confidence in the compromised organization, which could cause additional financial damage as clients or partners decide to shop elsewhere.
HFS has discussed that COVID-19 is driving an increase in the number of employees working from home. The rush to get employees out of packed offices has resulted in companies issuing some personnel new devices or employees needing to use their own until companies supplied adequate equipment, creating weak spots for cybercriminals to exploit. A larger surface area is more problematic to monitor, and it is difficult to ensure remote workers employ adequate security features and follow correct procedures while working from home. COVID-19 amplifies this threat by adding stress to employees who are concerned about the economy’s financial uncertainty and their health, making them more likely to slip up and fall for cybercriminal attacks.
As you move to a dispersed workforce model, don’t forget the security!
All enterprises, including service providers, must not forget the security elements in the new business models COVID-19 has forced. Organizations can never be 100% secure, even an organization that understands and prioritizes security, such as Cognizant. However, enterprises that are not even doing the basics are even more exposed to potential attacks. HFS has distilled its recommendations to enterprises into five critical elements.
Know what hardware and software your employees are using and make sure it’s adequately secured
Don’t forget the basics. Make sure that you know which work-related hardware and software products your employees are using at home. A detailed inventory helps the IT department to understand support requirements and ensure that all products have an adequate level of security installed. For example, you might provide staff with a secure virtual desktop or VPN to access cloud and internal systems if they are using their own equipment. Also, ensure that all anti-virus software is adequate and up-to-date. Many security breaches are the result of known vulnerabilities—things that enterprises know that they need to do but often neglect, such as implementing patches.
Revisit your security policy, revise it if necessary, and enforce it
You probably wrote your security policy a while back and filed it away safely. You need to dust it off and digest it, and it might be prudent to audit it and ensure that it is up to date. Now more than ever, you must understand your role-based access control (RBAC) model and privileged access management (PAM) model so that you know who has access to what. Staff should only have access to what they need to do their job (RBAC), so make sure no unnecessary privilege escalation has taken place. Understand your privileged system roles and control them within an electronic safe system (PAM). Essentially, make sure you know who has access and editing rights for your data and applications.
Controlling access is equally necessary for both internal and external applications; for example, you wouldn’t want team members to access HR databases that contain information about who has been furloughed, and, of course, selective access to client data is critical. Ensure that IT can replicate the security levels that clients require in your data centers in your employees’ home environments. Reassure your clients that their data is secure; otherwise, they will revert to insourcing operations in this uncertain climate. In addition, make sure your information security management system (ISMS) is up to date and relevant and that employees are following your documentation classification to prevent incorrect labeling of sensitive and classified documents, possibly allowing them to surface in the public domain.
Up your internal security monitoring capability
A freshly dispersed workforce increases the complexity of internal security monitoring simultaneously with the potential of security breaches. Security breaches can come from external attacks, internal attacks, and inadvertently from internal mistakes. All can be costly to your business. You must be on top of threat intelligence, monitoring, and response services. For example, data loss protection software is critical to monitoring in real-time what is happening on your endpoints, such as employees’ laptops at home.
Teach your employees how to protect themselves
Train all home workers to recognize and prevent the types of attacks they might encounter, for example, by being able to recognize a dangerous link. The number of phishing and other attacks that use the term “COVID-19” to encourage people to open a link has increased. Also, do not allow employees to use work email addresses for personal messages; this reduces the possibility of phishing attacks on work email.
Enterprises, ask your services provider for assistance
If you have a current managed security services engagement, then you should ask the provider to share how its internal security strategy is changing as its business model invariably changes, and how it is ensuring that it will meet the service levels in your managed security services contract.
If you are not using an external partner to provide managed security services, then get some guidance from an expert—a managed security services provider or any existing service provider you work with probably has this capability. Many internal security teams are stretched at the best of times. Now, with dispersed workforces and possible further staff reductions in IT and security teams due to illness, having access to deep security expertise is key to maintaining your business.
Cognizant has taken steps to reassure client confidence, but only time will tell how effective these measures will be
Cognizant has taken steps to reassure clients that it is doing everything it can to solve its current predicament. Cognizant has been liaising with local authorities, is in ongoing communication with clients, and has provided clients with indicators of compromise (IOCs) and other technical information of a defensive nature. We believe that Cognizant’s choice to reduce the use of internal conversation tools such as Skype while it tries to identify the source of the problem is sensible.
HFS has outlined the main steps to take in the face of a security attack.
Post-attack checklist for enterprises
- Lock down all affected systems.
- Reduce internal communications using cloud technologies.
- Be transparent with your customers as soon as possible. Communicate what happened and what data the attack affected, then instill confidence that you are doing all you can to solve the problem quickly and effectively.
- Involve any legal bodies that you need to; for example, refer to industry bodies and regulators.
- Refer to security specialists for assistance and guidance.
- Learn lessons and implement policies, procedures, and technologies to limit the possibility of a recurrence.
- Repeat as necessary. Unfortunately, you will never be 100% secure, so security services audits, implementation, and monitoring should be an ongoing, dynamic exercise.
This will cause some damage to Cognizant’s brand when it has already been on a bumpy road of late – but there have also been glimmers of hope that may carry it through this storm
Cognizant is on a bumpy road and responding to many adjustments; CEO Brian Humphries is invigorating the trundling organization in a return to the aggressive growth that it had previously enjoyed. Its recent Q4 and full-year results showed growth, but only 4.1% (5.2% in constant currency) from 2018. Q4 growth was a mere 3.8%, which, according to HFS estimates, positions Cognizant and Wipro as the two worst performers of the quarter among the India-heritage service providers. Depending on its severity, the fallout from this ransomware attack could push customer confidence and future revenues down further.
Cognizant continues to invest heavily in growth markets to position itself as a global leader. For example, we ranked Cognizant as a top-three provider in the HFS Salesforce Services Top 10 report. Cognizant’s acquisitions in 2020, including Code Zero and EI-Technologies in February and Lev in March, exemplify its investment focus in this market.
The Bottom Line: Cognizant won’t be the last service provider to fall victim to ransomware. This is a critical issue for all enterprises and providers—investment in security is crucial.
Cognizant’s ransomware attack and subsequent fallout are certainly notable, but the most critical takeaway is that all organizations, both providers and enterprises, need to take the threat of ransomware seriously. Cognizant isn’t the first victim, and it won’t be the last. Several enterprises have fought cyberattacks in the past few months. For example, the Maze ransomware hit five law firms in February 2020, and in two cases, client data was published on the web. Sodinokibi ransomware was responsible for an attack against Travelex in December 2019. T-Mobile announced a malicious attack against its email vendor that led to unauthorized access to some T-Mobile employee email accounts, some of which contained customer information.
As companies increase their surface areas to meet the work and health challenges of COVID-19, it’s more important now than ever before for organizations to invest in security. Organizations failing to keep their foot on the security pedal will allow cybercriminals to catch them out, with potentially devastating effects.