The part about whether Kaseya took “reasonable steps” is called due diligence and it’s calling your name. There has been a lot of talk about how, what, who, and oops, when it comes to Kaseya. It seems that “Supply Chain” is Kaseya’s middle name. But you don’t need another rehash of what’s been said, what you need to know is how to limit personal and corporate liability. Simply stated “do due diligence”; especially you, Mr. IT manager.

Like Maersk, Kaseya fell victim to a ransomware attack, and due diligence was called into question. The answer from above was “what the hell is due diligence.” In all fairness, Equifax asked the same question. I really can’t say anything bad about Kesaya as long as marketing defines them as a prospect 😊

You are the Supply Chain!

If we’re going to talk about supply chain then let’s talk about internal supply chain before looking to external vendors. As I occasionally do, I’ll relate a story from my Microsoft days between 1997 and 2005. It’s all about my own due diligence and CYA.

I was responsible for ensuring that Microsoft didn’t release more infected products. After listing the required resources, I stated “Do what I say, and we’ll still be lucky if there isn’t an incident for five years. Antivirus can’t detect everything.” Antivirus was the only tool I had, other than my manager at that time (Did I say that out loud?). That’s CYA through setting expectations. It doesn’t replace due diligence though. I always maintained that my job wasn’t to prevent infected software from releasing, but rather to demonstrate I had gone above and beyond due diligence when it did happen. I assumed the breach well before it was a mantra taught in the annals of the Verizon Data Breach Investigations Reports.

Come about five and a half years later and one got by me. When management came a-knockin’ and asked me how this could happen, I pointed to an email I sent stating that the support I needed to prevent exactly what happened. However, my boss, like the managers at Equifax, Maersk, and Kaseya, failed to heed the warnings. Oh, come on all of you IT practitioners, stop shaking your heads in affirmation, you’re beginning to look like bobblehead dolls. Notifying management was not in and of itself due diligence, it was the steps I took to find the attack surface that needed to be closed. Unlike the others, Microsoft dodged a bullet; the malware was inert as it would have taken great effort to extract and execute it.

If you’re the scapegoat at the bottom of the due diligence stack, you better have asked for the resources you need, documented requests, reasons for the need, and executed your job above and beyond the minimum that may pass for due diligence. Only meeting bare minimum standards is why lawyers can afford to send their kids to prestigious universities. It’s hard to exceed due diligence though if your cybersecurity defense requirements are under-funded. That’s where IT staff get burned time and time again. The management supply chain was grossly negligent.

And so, we return to Kaseya. If management had only read the urgent email to them from George Santayana, they would have known that “Those who cannot remember the past are condemned to repeat it.” I know they got the email from dear George; Wikileaks leaked it.

There are numerous reports from current and former employees of Kaseya management failing to address severe security flaws, and actually being hostile to those who brought them up. In an interesting article by Julie Machal-Fulks from Scott and Scott LLP, she describes the hurdles in trying to sue Kaseya. It will be interesting to see how well the contractual provisions fare in court against irrefutable proof of seemingly deliberate gross negligence.

Should Kaseya’s binding arbitration agreement get shot down, it will be a wake-up call to other large companies. That was a joke. The alarms have been going off for years and few wake up until jarred from their sleep by reality. Equifax, Maersk, Kaseya, and countless other companies prove the point.

Due diligence is becoming more dangerous for a CEO to ignore. As reported by complianceandethics.org, legislation has been proposed that if enacted could result in jail time for CEOs who fail to do due diligence.

Cybercriminals are intelligent (with some exceptions), highly motivated, and often very well-funded. Breaches will happen. If Kaseya, and others, can demonstrate that they performed due diligence they will better be able to limit the damage to that which was caused by cybercrime rather than pouring the salt of increased legal liability into an open wound.

As a public service to my IT brethren, here is how to ask for cybersecurity resources.