Is someone spying on your business? Or even worse—stealing from it right under your nose?
At the end of 2020, one cybersecurity attack was so pervasive and serious that it should have sent business leaders on an urgent errand to ask this question for their organizations. And yet, many still haven’t even heard anything about it.
Here, we’ll step back and break down the SolarWinds attack (as much as we know) and determine what defense and preparation strategies your company may be able to implement in response.
The Attack (or what we know so far)
The story is constantly developing, but here’s what we know at this moment.
The attack targeted SolarWinds, a company that produces a network- and applications-monitoring platform called Orion. The users affected most were those using the cloud-based version of the software, but it also impacted major government organizations and companies.
Threat actors gained access to the company's systems and distributed malicious updates to a network-monitoring product and, through it, to the software's users.
Much is still unknown, including the actual source and the motive behind the attack. Several countries and nation-states are being blamed, but this part of the story could be one of the most highly contested aspects of the attack for years to come.
What the Attack Means for Companies
This incident highlights the severe impact that software supply chain attacks can have and the unfortunate realization that most organizations are largely unprepared to prevent and detect such a threat.
If and when it is determined who was responsible, and if the attack is found to be part of a larger campaign or a potential pretext to cyber war (something we have never experienced), the effects could be wide-sweeping. One possibility is that it could cause a larger invalidation of cybersecurity insurance policies, or changes to future policies that drive up the cost of premiums to remove such a clause.
Regardless, it’s important that companies are aware of how to protect themselves. This attack proved that anyone is vulnerable, and no matter how much money you spend on protecting yourself, there is always risk that needs to be understood. No one person or organization, outside of the threat actors and possible nations involved in the aforementioned attack, is to blame for this attack occurring.
So, is there anything companies can do to protect themselves? Can you be prepared for an attack of this magnitude? How can we apply a lesson learned from another company’s cyber attack to better our own education, defense and preparedness?
The Defense and Preparation Needed
Companies everywhere can look at this attack, learn and generate some takeaways for their own organizations. There are a few tactics that companies should employ to better their security posture and improve their technology environment. Below are a few classics to consider related to this type of attack.
Know Your Vendors
Vendor management is a big part of having strong technology controls, yet it doesn't have much to do with your company's technology itself. Its advantage is awareness and understanding.
Knowing who your vendors are can help determine if you are impacted by a globally acknowledged cyber attack or breach. While many organizations rely on one person to remember all of their third-party vendors, it’s solid practice to keep an updated log of:
- Who they are;
- What processes or activities they perform for you; and
- Who your contact is.
Also, performing risk-based due diligence of their involvement with your daily controls and processes will help you better understand (and be aware of) any shortcomings they have that you need to protect yourself against.
Making sure they perform the same due diligence on their own third parties (known as your fourth-party vendors) is also crucial. Many companies will soon learn that their fourth- and fifth-party vendors may be overseas companies, or companies included on the Office of Foreign Assets Control (OFAC) SDN lists, with which you cannot do business.
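As an added illustration (not part of the original article), here is a small Python vendor inventory that records the three items above plus each vendor's own third parties, and answers whether a named product reaches you through any vendor chain. The company names, contacts and product assignments are constructed for the example.

```python
# Added example, not from the original article: a minimal third-/fourth-party
# vendor inventory that answers "are we exposed to this product?" and lists
# the subvendors nobody has logged yet. All names below are constructed.
from dataclasses import dataclass, field

@dataclass
class Vendor:
    name: str
    processes: list                  # what they perform for us
    contact: str                     # who our contact is
    products: set = field(default_factory=set)    # software they run or supply
    subvendors: set = field(default_factory=set)  # their third parties (our fourth parties)

class VendorInventory:
    def __init__(self):
        self.vendors = {}     # name -> Vendor, logged at any tier
        self.direct = set()   # names of our own third parties

    def add(self, vendor, direct=False):
        self.vendors[vendor.name] = vendor
        if direct:
            self.direct.add(vendor.name)

    def exposure(self, product):
        """Return every vendor chain, starting at one of our direct vendors,
        that ends at a vendor logged as using `product`."""
        chains = []
        def walk(name, chain):
            v = self.vendors.get(name)
            if v is None:
                return                       # unlogged subvendor: see unlogged()
            if product in v.products:
                chains.append(chain)
            for sub in sorted(v.subvendors):
                if sub not in chain:         # guard against cyclic links
                    walk(sub, chain + [sub])
        for name in sorted(self.direct):
            walk(name, [name])
        return chains

    def unlogged(self):
        """Subvendors referenced by a logged vendor but never logged themselves:
        the due-diligence gaps to close."""
        referenced = set().union(*(v.subvendors for v in self.vendors.values()))
        return sorted(referenced - set(self.vendors))

# Constructed sample inventory (all company and contact names fictitious).
inv = VendorInventory()
inv.add(Vendor("PayrollCo", ["payroll"], "a.jones", {"Orion"}), direct=True)
inv.add(Vendor("HostCo", ["hosting"], "b.lee", set(), {"NetMonCo", "UnknownCo"}), direct=True)
inv.add(Vendor("NetMonCo", ["network monitoring for HostCo"], "via HostCo", {"Orion"}))
```

Calling `inv.exposure("Orion")` returns both the direct path through PayrollCo and the fourth-party path HostCo to NetMonCo, while `inv.unlogged()` flags UnknownCo as a vendor still missing from the log.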
Understand Your Cyber Liability Insurance Policies
Make sure you fully understand what is covered by your cyber liability insurance policy—and what isn’t covered.
Organizations can get into a messy situation when they expect an insurance policy to protect them completely or to reimburse them if a threat actor successfully compromises their system or data. Cybersecurity insurance is there to help you if your controls and processes fail—not restore your system without you doing anything to help prevent the attack or breach.
Most cyber liability insurance policies have a section in the policy (or included in the underwriting process) that details the controls your organization should be performing if an attack occurs. For most insurance companies, those activities will include (but might not be limited to):
- A risk assessment process (internal and/or external);
- Security awareness training;
- Intrusion detection or prevention systems and processes;
- Incident response plans;
- Vendor management process; and
- Data backup procedures.
These controls ensure that your organization is pulling its weight under the terms of the insurance policy.
If it turns out to be part of cyber warfare and your organization is/was impacted, check your cybersecurity insurance policies for the exclusion clauses related to damages due to an “act of war.”
In addition, make sure all exclusion clauses are reviewed and understood before enacting the policy. This includes what costs are not reimbursable and when the policy is not valid (e.g., an act-of-war clause).
This aspect should concern organizations that were impacted in the SolarWinds attack the most. With attacks becoming larger in scale and actors getting more and more devious, the cyber liability insurance industry could become too large for anyone to handle or afford.
Testing Your Incident Response Plan
Update and test your incident response plan so that you can effectively respond to an actual attack when it happens.
In 2018, the AICPA, in connection with its guidance on SOC for Cybersecurity, issued its tenets of cybersecurity, one of which states that preparing your company to respond to an attack with "as minimal disruption in your business as possible" is just as important as implementing controls to defend against these attacks and threat actors.
A solid incident response plan should consider all potential threats and risks to the organization. One plan can cover multiple threats and courses of action should a cybersecurity event occur, and every organization should update its documents to cover a "software supply chain attack."
Testing the plan can be as simple as:
- a table-top exercise where all parties involved (including external consultants or vendors) sit around a table (maybe a virtual one these days) and talk through who does what, in what order, how to handle communications and issues, and what can go wrong; or as complex as
- simulating the attack and responding to it in real time.
Both have their advantages and disadvantages, but something should be done to prepare your organization for all possible attacks and threat actors.
Protect Your Organization as Much as Possible Against Cyber Attacks
While human error or insider threat still remains the largest threat to prepare for and defend against, knowing your vendors, understanding your risks, knowing where you can get assistance and preparing for the worst can go a long way toward keeping disruption to your operations and finances as small as possible.