Properly managing IT risk is an important part of running a business. As the recent SolarWinds cyberattack showed, your exposure to third-party risk within your software supply chain can be significant. What steps can a business take to identify and minimize these risks?
“What you have to do and the way you have to do it is incredibly simple. Whether you are willing to do it is another matter.”
~ Peter Drucker
The Full Scoop
Between March and June of 2020, versions 2019.4 through 2020.2.1 of SolarWinds' popular Orion platform were compromised. Attackers had gained access to SolarWinds' build environment and inserted their own code into the vendor's own signed, trusted builds of the Orion software, so the backdoor reached customers through the normal update channel. Up to roughly 18,000 customers installed a trojanized update; a much smaller subset of them were then singled out for follow-on intrusion into their internal systems.
Have you ever been part of an unexpected fire drill? These are the blind spots that catch us off guard in business. How we react plays a crucial part not only in remediating the issue at hand, but in how effectively we are able to operate and compete well into the future.
Example of Supply Chain Risk
The SolarWinds attack is a textbook example of cyber-espionage through the supply chain. SolarWinds provides network and infrastructure monitoring platforms to large enterprises and government agencies. Orion monitors and manages network infrastructure at scale, which means it typically runs with broad, privileged access to the very environment it watches. Here we have a well-known and trusted vendor being susceptible to weaknesses in its own software supply chain, and the compromise of a tool meant to keep networks healthy impacted thousands of its clients!
You don’t invest in a fire alarm system expecting it to then cause a fire. These platforms are not only expensive, but very time consuming to stand up and maintain.
Steps to Minimize Risk
What steps can we take to understand the risks that exist within our systems, to then create control processes to help either accept or minimize supply chain risks?
- Think in Terms of Risk Management
When was the last time you took inventory of the technology assets within your organization, including the vendor software running on them and the access it holds? Did you evaluate the supply chain risk each one poses and then prioritize those risks? Probably not recently, especially if you are a small organization. Not all risk needs to be mitigated, but it is important to understand the risk each asset poses and the potential impact if a given control fails. Reduce your "blind spots", as nothing is more disruptive than being caught off guard.
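After an advisory like the one for Orion, the inventory step turns into a concrete question: which of our hosts run a build in the affected range, and which of those matter most? The following is an added example, not code from the original post or from SolarWinds. It parses a constructed asset-inventory export, normalises the vendor's "YYYY.N[.P] [HF n]" version strings so that hotfixes compare correctly, and flags hosts whose version falls inside the range cited above, most critical first. The range boundaries are taken from this post and are an assumption; confirm them against the vendor's own advisory before acting on the output. Hostnames, owners and criticality ratings are fictional.

```python
"""Flag inventoried hosts whose vendor software sits in a known-affected version range.

Added example for this post, not SolarWinds code. The inventory is constructed
and the affected range is taken from the post as an assumption; confirm the
exact affected builds against the vendor advisory before acting on the output.
"""
import csv
import io
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, hotfix)

# Constructed sample export from an asset inventory. Hostnames, owners and
# criticality ratings are fictional; the version strings follow the vendor's
# "YYYY.N[.P] [HF n]" format. One row has an unusable version on purpose.
SAMPLE_INVENTORY = """hostname,product,version,owner,criticality
noc-orion-01,SolarWinds Orion Platform,2020.2 HF 1,network-ops,high
noc-orion-02,SolarWinds Orion Platform,2019.4 HF 5,network-ops,high
noc-orion-03,SolarWinds Orion Platform,unknown,network-ops,high
lab-orion-01,SolarWinds Orion Platform,2020.2.1 HF 2,lab,low
dc-orion-01,SolarWinds Orion Platform,2019.2 HF 3,datacenter,medium
app-fileshare-01,Windows Server,2019,it,medium
"""

# Assumption: the range as stated in the post. Replace with the vendor's
# published list of affected builds before relying on the result.
AFFECTED_MIN = "2019.4"
AFFECTED_MAX = "2020.2.1"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.I)


def parse_version(text: str) -> Optional[Version]:
    """Turn '2020.2 HF 1' into (2020, 2, 0, 1); return None if the string is unusable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def in_affected_range(version: str, low: str = AFFECTED_MIN, high: str = AFFECTED_MAX) -> bool:
    """Inclusive range check. A hotfix sorts after its base release, so
    '2020.2 HF 1' is inside 2019.4..2020.2.1 while '2020.2.1 HF 2' is not."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    if v is None or lo is None or hi is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return lo <= v <= hi


_PRIORITY = {"high": 0, "medium": 1, "low": 2}


def assess_inventory(inventory_csv: str, product_keyword: str = "orion") -> Tuple[List[dict], List[str]]:
    """Return (affected hosts sorted most-critical-first, hosts whose version could not be parsed).

    An unparseable version is an inventory-hygiene problem, not a clean bill of
    health, so those hosts are reported separately instead of silently skipped.
    """
    affected: List[dict] = []
    unparsed: List[str] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if product_keyword.lower() not in row["product"].lower():
            continue  # a different product; out of scope for this assessment
        if parse_version(row["version"]) is None:
            unparsed.append(row["hostname"])
            continue
        if in_affected_range(row["version"]):
            affected.append({
                "hostname": row["hostname"],
                "version": row["version"],
                "owner": row["owner"],
                "criticality": row["criticality"],
            })
    # Unknown criticality values sort last rather than crashing the report.
    affected.sort(key=lambda r: (_PRIORITY.get(r["criticality"].lower(), 99), r["hostname"]))
    return affected, unparsed


if __name__ == "__main__":
    hits, gaps = assess_inventory(SAMPLE_INVENTORY)
    for r in hits:
        print(f"AFFECTED  {r['hostname']:<18} {r['version']:<14} owner={r['owner']} criticality={r['criticality']}")
    for host in gaps:
        print(f"UNKNOWN   {host:<18} version missing or unparseable: fix the inventory record")
```

Run against a real inventory export, the report is only as good as the inventory feeding it: the deliberately unusable "unknown" row is surfaced rather than dropped, because a monitoring server you cannot version is exactly the blind spot the step above warns about.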
- Implement Layered Security
This is known as defense in depth. You don't want to put all your eggs in one basket. An example would be working with your IT vendor to implement multiple platforms, from different vendors, to monitor for malware. You cannot prevent every cyberattack. It is defense in depth that will benefit you the most when it comes to supply chain risks. Firewalls, spam filters, malware protection, upgrades and updates, access management processes and backups are all beneficial. Active monitoring also helps, and perhaps the most crucial of them all is recurring end-user security training! Well-meaning but unsuspecting employees can enable bad actors to circumvent complex cybersecurity controls. One caveat the SolarWinds case makes plain: the malicious code arrived signed by the vendor, through the normal update channel, so any layer that simply trusts the vendor's binaries would not have caught it. Limiting what a management server like Orion is allowed to reach, and watching its outbound connections and account activity for anything unusual, are the layers that give you a chance of noticing a compromised trusted product.
- Cyber Insurance
You identify the supply chain risks you have, and you implement multiple layers of security to keep those risks from being exploited. Then you insure yourself against loss. Speak with your commercial insurance carrier about carrying cyber insurance. This is a specialized policy that can help you when an internet-based or information technology emergency arises. Even the best of plans can sometimes fail. Be smart and implement an additional layer of protection that goes beyond what your team and associated vendors are able to provide. It helps in case those blind spots catch you off guard.
No One Is Immune
SolarWinds is a well-respected and sophisticated vendor that will get through this event and may well emerge stronger. These experiences can help us all understand the supply chain risks that even our cybersecurity and IT management vendors may pose to our organizations. If we learn from them properly, we can implement controls to help minimize their impact.
Work with your IT Partner to perform a risk assessment. Once you understand your risks, you can implement layers of protection to the extent your executive team deems necessary. In the event that a control does not prevent a malicious actor from compromising your system, add insurance to protect you from those unforeseen circumstances. In the complex environment we operate within, threats are constantly evolving. Understanding the risks your business may face will help prepare you to respond quickly and successfully.