Ever heard of SolarWinds... well, before this past week, anyway? If your answer is "no," you're not alone. SolarWinds was not a known name to many of us until recently. But rest assured, this company will now go down in history as the conduit for one of the largest cyber breaches ever recorded.
Quoting Brian Krebs from KrebsOnSecurity, “(t)he still-unfolding breach at network management software firm SolarWinds may have resulted in malicious code being pushed to nearly 18,000 customers.” Unfortunately, the 18,000 (or more) customers are likely just now starting to realize the impact that SolarWinds is going to have on their organization.
What Happened at SolarWinds?
While details are still coming out, we seem to know that hackers, appearing to be Russian state-sponsored, injected malware into the software build and update process for SolarWinds' Orion platform. This kind of service, known as Remote Monitoring and Management (RMM), manages the health and automation of your IT infrastructure. RMM allows updates to be pushed out to customers (just like those software updates you get on your phone), and because the tainted Orion updates came through the normal channel and carried SolarWinds' own digital signature, they looked like every other legitimate update.
Think of the RMM as the security guard of IT. A security guard needs keys to access the building and all the offices, and he knows where the high-value items are located. RMM has predefined, privileged access to accounts and devices, which allows it to monitor and update on demand. In this case, the ability to push and execute code across the customer's environment was the equivalent of the security guard being the ringleader of the thieves. The hackers caused malware to be downloaded onto customer machines under the auspices of a regular software update. No one saw it coming because it was an "inside job."
Unsuspecting users may have included 425 or more of the Fortune 500 and multiple governmental agencies including the CDC and NSA. Hackers were cautious not to overplay their hand and carefully used their access to infiltrate high-value targets and siphon out unknown amounts of information.
According to KrebsOnSecurity, the public acknowledgement of the SolarWinds breach came five days after cyber security firm FireEye announced that its own security testing tools had been stolen in a breach that appears to be related. Emails appear to have been compromised along with a wide range of additional information. The hackers were likely inside for months and had plenty of time to quietly rifle through data, looking for the most valuable nuggets.
The impact of this cyber breach will be far-reaching, and it will take time to have a good sense of precisely what was compromised.
This supply chain hack through SolarWinds had multiple points of failure, including the trusted RMM update channel and very patient hackers who were careful not to reveal their presence.
What Can You Do to Protect Yourself from a Cyber Breach?
How are companies supposed to protect themselves in an environment such as this? With enough time and enough motivation on the part of the criminals, any company can be compromised. The following are some steps you can take to protect your organization.
Note: This is NOT an all-inclusive list and is not 100% fool-proof, but it does help.
Have Proper Insurance Coverage
I know this is what we do here at Holmes Murphy, and it may seem like we are trying to sell you something. That is not the case. Having a Cyber financial safety net for your firm is just as important as having property and workers' compensation coverage.
You need a Cyber policy — and a good one. Get quality coverage in adequate limits. The SolarWinds case tells us there are many things you cannot control about your IT environment. Have financial protection in place when all else fails.
Establish Key Data Protections
Secure your potential attack vectors with multifactor authentication and appropriate encryption of data in transit and at rest. Be diligent about access management: review accounts regularly and remove any that are no longer current or were never authorized, since a dormant or forgotten account is exactly the kind of foothold a patient intruder looks for.
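The account review described above can be made routine. The following is an added example, not code from the original post or from any vendor: it reads a constructed export of user accounts (the CSV text, the 90-day staleness window, and the "authorized" roster are all assumptions for illustration) and flags every enabled account that is stale, missing from the authorized roster, or not enrolled in MFA.

```python
"""Audit an exported account list for access-management problems.

Flags each enabled account that is:
  - "not_authorized": not on the HR/vendor roster of who should have access
  - "stale":          no logon within STALE_AFTER (or never logged on)
  - "no_mfa":         not enrolled in multifactor authentication

All data below is constructed for this example; it is not real.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumption: accounts unused for 90 days are candidates for removal.
STALE_AFTER = timedelta(days=90)

# Constructed export, in the shape a directory or identity provider might
# produce. An empty last_logon means the account has never signed in.
EXPORT_CSV = """username,enabled,mfa_enrolled,last_logon
alice,true,true,2020-12-14
bob,true,false,2020-12-10
contractor_old,true,true,2020-06-01
svc_legacy,true,false,
carol,false,true,2020-11-30
"""

# Hypothetical roster of accounts that are supposed to exist.
AUTHORIZED = {"alice", "bob", "carol", "svc_legacy"}

# Fixed "today" so the example is reproducible.
AS_OF = datetime(2020, 12, 15)


def parse_export(text):
    """Parse the CSV export into a list of account dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_logon"].strip()
        accounts.append({
            "username": row["username"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
            "last_logon": datetime.strptime(last, "%Y-%m-%d") if last else None,
        })
    return accounts


def audit(accounts, authorized, now):
    """Return {username: [issues]} for every enabled account with a problem."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: not an active attack surface
        issues = []
        if acct["username"] not in authorized:
            issues.append("not_authorized")
        last = acct["last_logon"]
        if last is None or now - last > STALE_AFTER:
            issues.append("stale")
        if not acct["mfa_enrolled"]:
            issues.append("no_mfa")
        if issues:
            findings[acct["username"]] = issues
    return findings


def run_sample():
    """Audit the constructed export as of AS_OF."""
    return audit(parse_export(EXPORT_CSV), AUTHORIZED, AS_OF)


if __name__ == "__main__":
    for user, issues in sorted(run_sample().items()):
        print(f"{user}: {', '.join(issues)}")
```

In practice the CSV would come from your directory or identity provider's export, and each flagged account is a ticket: disable it, enforce MFA, or get it onto the roster. Note that the contractor account is caught twice, once for not being on the roster and once for six months of inactivity, which is the pattern to watch for.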
Be Cautious to Whom You Give the Keys to Your Kingdom
Your IT vendors often have privileged access to much of your environment. Inquire about their security protocols and their culture of updating to the most current approaches. Keep in mind that vendor contracts may severely limit their liability.
Make sure there is proper financial backing behind your vendor and that their insurance is sufficient (SolarWinds' was not, and they said as much in their 10-K). Also, ask about their annual third-party IT audit.
Limit Your Data
Most documents, emails, and records don’t need to be kept forever. Create and enforce a proper document retention policy (including electronic documentation). You don’t need to protect what you don’t have.
Have a Disaster Recovery Plan
You need a crisis management or disaster recovery plan. It needs to be comprehensive, reviewed by those who will implement it, and updated regularly. Testing of backups (actually restoring them, not just confirming they ran) and management of assets should be part of your plan. Notification of your insurance broker and cyber insurance carrier should also be part of your response plan should something happen.
Conduct an Annual IT Audit
An annual IT audit from a third party gives you a set of recommendations to look at closely. You want to be proactive in addressing the little things and known issues before they become problematic. These annual audits can help uncover items your team may have become complacent about or lacks the budget or resources to address.
Couple of Final Tips
Two items not noted above, but incredibly important, are:
Your commitment to security must go beyond your IT group. Executive leadership needs to be committed and promote messaging and a culture, from the top down, to protecting customer data, company data, employee data, and more.
Communication with your IT vendors should be a dialogue, not a presentation. Know, understand, ask, and engage. Regular strategy discussions are important if your vendors are to understand the exposures of your organization. Again, there needs to be political support internally (from leadership) for the policies, procedures, and security protocols that some would otherwise choose to ignore or circumvent.
If you need help in getting a plan started or even reviewed, reach out to us! We have experts well-versed in Cyber Risk and are happy to step in and provide support!
Remember, cyberattacks and security issues represent significant threats to the long-term health of the company. When it comes to cyber risk, an ounce of prevention is worth more than a pound of cure!