Properly managing risk in IT is an important aspect of running a business. As recently seen in the massive SolarWinds cyberattack, your exposure to third-party risk within your supply chain can be significant. What steps can a business take to identify and minimize these risks?
"What you have to do and the way you have to do it is incredibly simple. Whether you are willing to do it is another matter."
~ Peter Drucker
The Full Scoop
Between March and June of 2020, versions 2019.4 through 2020.2.1 of SolarWinds' popular Orion platform became compromised. Within SolarWinds' own supply chain, bad actors were able to inject their code into trusted builds of the software, which then allowed them to penetrate and compromise the internal systems of tens of thousands of clients.
Have you ever been a part of an unexpected fire drill? These are the blind spots that catch us off guard in business, and how we react plays a crucial part not only in remediating the issues at hand, but in how well you are able to operate and compete into the future.
The SolarWinds attack is an excellent example of cyber-espionage. SolarWinds provides complex and sophisticated management platforms to large corporate clients. Their systems allow you to manage and monitor network infrastructure on a large scale, specifically to prevent these very types of activities and attacks. Here we have a well-known and trusted vendor that proved susceptible to weaknesses in its own supply chain, and the very type of attack it works hard to prevent impacted thousands of its clients.
You don't invest in a fire alarm system expecting it to then cause a fire. These platforms are not only expensive, but very time-consuming to stand up and maintain. What steps can we take to understand the risks that exist within our systems, and then create control processes that help us either accept or minimize those risks?
- Think in Terms of Risk Management
- When was the last time you took inventory of the various technology assets within your organization, evaluated the risk each may pose, and then prioritized those risks? Probably not recently, especially if you are a small organization. Keep in mind that not all risk needs to be mitigated, but it is important to understand the risk each asset may pose and the impact a given audit exception may have. Your goal should be to reduce "blind spots", as nothing is more disruptive than being caught off guard.
- Implement Layered Security
- This is sometimes referred to as defense in depth. You don't want to put all your eggs in the proverbial one basket. An example would be working with your IT vendor to implement multiple platforms, from different vendors, to monitor for malware. There is no single thing you can do to prevent a cyberattack; it is security or defense in depth that will benefit you the most. Firewalls, spam filters, malware protection, upgrades and updates, access management processes, backups, active monitoring and, perhaps the most crucial of them all, recurring end-user security training! Many a complex cybersecurity control has been circumvented by a well-meaning but unsuspecting employee.
- Cyber Insurance
- You identify the risks you have, you implement multiple layers of security to prevent those risks from being exploited, and then you insure yourself against loss. Speak with your commercial insurance carrier about carrying cyber insurance. This is a special type of insurance that can help you in the event that an internet-based or information technology emergency negatively impacts your business. Even the best of plans can sometimes fail. Be smart and implement an additional layer of protection that goes beyond what your team and associated vendors may be able to provide, and that helps in case those blind spots catch you off guard.
SolarWinds is a well-respected and sophisticated vendor that will get through this event and emerge even stronger. These experiences can help us all understand the risks that even our cybersecurity vendors may pose to our organizations, and if we learn from them properly, we can implement controls to help minimize their impact.
Work with your IT partner to perform a risk assessment. Once you understand your risks, you can implement layers of protection, to the extent your executive team deems necessary, to protect you from a variety of threats. In the event that a control does not prevent a malicious actor from compromising your systems, ensure you have insurance to protect you from those unforeseen circumstances, not because you were unprepared, but because in the complex environment we operate within, threats are constantly evolving. Understanding the risks your business may face will help prepare you to respond quickly and successfully.