The data breach involving FireEye and SolarWinds was shocking. As the leader of a cybersecurity platform company, a significant breach like this highlights how creative the hackers are becoming. If companies like FireEye and SolarWinds can be vulnerable then we all need to step up our game. This breach news should be another wakeup call that everyone is at risk - from Fortune 500 companies, to government agencies, to small and medium sized businesses across every industry. We must admit to ourselves a hard truth: we are suffering from security breach fatigue and our biggest security risk now is our own apathy.
I speak with companies every day about how they are maintaining an effective cybersecurity program and specifically how they are managing sensitive data. Companies frequently tell me they have data security “all under control”, only then to describe a random set of policies and procedures shaped more by customer questionnaires than by any cohesive risk-based strategy. Chief Information Security Officers (CISOs) often explain how they use a multitude of different systems, band-aided together and backed up by spreadsheets and email. At this point, my head is spinning with the gravity of the risk they’ve introduced to their organizations. I can typically tell within 2 minutes of talking with a company CEO whether they have an effective security program in place, and too often the answer is they don’t. Usually the more the company executive protests, the deeper the problems. But while even the most sophisticated organizations may have been vulnerable to the SolarWinds exploit, an effective security program should be as much about ‘response’ as it is about ‘prevention’. And so the most serious issue I see is how many organizations are simply not prepared to respond to any kind of cyberattack, let alone one this sophisticated. The world’s most prepared organizations build and maintain an always-on security program that is mapped to an industry-recognized framework, and have a clear breach-response plan already developed and tested.
The key to responding successfully to any breach is preparation and good cyber hygiene. The SolarWinds breach was unexpected but the way companies deal with such a breach can be planned for ahead of time. By knowing your data, who has access to your data, what assets are affected by a breach, and knowing your vendors can make the difference to a quick and efficient breach reaction and a slow, disastrous one. Let’s be honest, as a CISO have you asked the question: “Are we sure our company was not affected by the SolarWinds breach?” Can you quickly identify which assets might be vulnerable and what data is at risk? Were you able to quickly survey your vendors to find out if they were affected and if so what their response plans are?
Implementing an effective cybersecurity program can be expensive and it is understandable why smaller organizations are reluctant to take on additional expenses. In my experience the number one reason organizations will choose to invest in cybersecurity is because their customers demand it. Larger organizations, like those in the Fortune 500, have a responsibility to ensure their vendors are investing sufficiently and they must go beyond the simple vendor assessment survey. These simple assessments are too easy for organizations to game, and do little to enhance the security posture of the supply chain. Vendors must be forced to implement industry-accepted and independently validated security programs in order to avoid breaches. Or, as we already highlighted, respond to a breach when it cannot be avoided. It sounds simple but it is surprising how many companies, even those in leadership roles, are not following this practical advice.
“You’re inherently trusting the vendor to have done their own due diligence on the products they are selling you,” said Vincent Liu, chief executive of security consulting firm Bishop Fox. Very few companies, outside of some large financial services and high-technology firms, do a security assessment of the software they buy, he said. [from the WSJ]
At Ostendio we recognize this critical issue and that’s why we offer MyVCM Vendor Connect on the Ostendio MyVCM platform. It empowers users of our platform to handle third party risk management with templates for vendor assessments and requires documentation to support each question’s answer. For Ostendio MyVCM clients, the assessments are easy to send out to vendors and ensure the organization is tracking the security of its vendors.
I hear from customers frequently that a challenge they face is knowing how much and where to allocate their security budget. With a finite amount to spend on cybersecurity, I recommend customers allocate budget toward the biggest risk. This highlights the importance of understanding risk management. Organizations can learn where their biggest risks lie by running a risk assessment to understand which risks they are facing and then rate them according to potential threat to their business. Without running a risk assessment you’re playing Whack-a-mole with your cybersecurity budget and that is a dangerous strategy.
Microsoft has identified and notified more than 40 of its customers affected by this attack but has not disclosed their names. They state that 80% of the victims were from the U.S., and 44% were in the IT sector. SolarWinds has issued an advisory to customers regarding the attack including FAQs and suggested patches. IT teams should be reviewing their list of vendors to ensure their company has not been affected by the breach. Now would be an excellent time to ensure all patches on your system are up to date and that you have vendor security assessments in place.
It might be a lofty goal, but in order to see an end to data breaches and theft of information (or at least a significant reduction) we need to evolve to a point where every organization is held accountable to independent scrutiny. We need to end the news cycle of Fortune 500 companies brought down through backdoor break-ins caused by poorly-reviewed smaller vendors who have weak cybersecurity programs. These breaches will continue unless we lock the back door to these companies by requiring comprehensive, auditable security programs.
Ostendio offers a single platform to handle all elements of a company’s data security, providing an always-on view of a cybersecurity program with real-time data, across geographies. If you are concerned about the security of your vendors send us an email, here, and let’s talk about how to get ahead of the hackers and avoid security breach fatigue.