Close this search box.
Close this search box.

The Most Painful Lesson From The SolarWinds Hack

As companies get more sophisticated, hackers are finding new weak spots. Often, that means attacking a company through its suppliers.

The breach of U.S. government agencies from the department of Defense to the Treasury Department will likely go down as one of the most impactful cyberattacks in history, impacting not just Federal agencies, but likely tens of thousands of American businesses—and their customers—as well.

The reason? Not only because of the potentially unprecedented size and scope of the attack, but because the hackers took full advantage of one of the most-discussed, but perhaps little checked, strategies available to those looking to break in to networked computer systems: third-party software.

Boards and CEOs at large multinational companies have spent over a decade introducing increasingly robust cyber defense systems—often after discovering the hard way the downsides of not doing so. The issue of cybersecurity routinely tops our polls of U.S. directors when it comes to what keeps them up at night, driven by high-profile breaches at companies from Marriott to Target to Equifax.

But as the companies themselves have gotten more sophisticated, that’s pushed hackers to find new weak spots. Often, that means attacking a company through its suppliers.

In this case, the attack by what officials say is agents of the Russia’s foreign intelligence service, went after a particularly valuable target: SolarWinds, an Austin, Texas based network management company that counts more than 300,000 customers including the bulk of the Fortune 500 and many government agencies.

Worse, according to The Wall Street Journal, the hackers were able to create a malicious software update that was then passed on through the company, which is deeply embedded in the “plumbing” of many networked computer systems. “Hacks of this type take exceptional tradecraft and time,” Chris Krebs, the former head of cybersecurity for the Department of Homeland Security said on Twitter, the Journal reported. “If this is a supply chain attack using trusted relationships, really hard to stop.”

What should CEOs and boards do? Immediately, security experts say, they need to know whether they are using SolarWinds products on their systems. If so, they should assume they have been breached and get their CISOs to take appropriate action to secure company data.

Longer term, they should push their security teams to focus on potential threats that could come via supply chains. The National Institute of Standards and Technology, the part of the U.S. Department of Commerce that acts as a standard-setter for cyber risk, offers guidelines. Among them:

  • Develop your defenses based on the principle that your systems will be breached. “When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach.”
  • Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem. “Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices.”
  • Security is Security. “There should be no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyber attack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.”

For directors and corporate leaders looking to get smarter on the issue, NIST offers a great rundown of key questions to ask your IT folks as well as third parties, as well as a checklist of best practices.

The most essential thing is to remember that even in a situation like this, companies are not powerless. As we’ve counseled in the pages of Corporate Board Member and Chief Executive for years, that’s absolutely critical to remember—you must not let this lead to paralysis. Cyber risk—like lots of other risks—can be mitigated. Some essentials we’ve picked up along the years:

  • Know what the “crown jewels” of your data sets are, and make sure they are safeguarded appropriately—and separately.
  • Focus on being able to bounce back from an attack, not just harden yourself to one, which may ultimately prove impossible.
  • Hedge risk through insurance products.
  • Foster a culture of security, perhaps elevating the CICO to report directly to the CEO.

At our annual Cyber Risk Board Summit in February, Shawn Edwards, chief security officer for RSA and head of Dell’s Business Unit Security Organization, said that when it when it comes to board-level business continuity planning and cyber risk, he looks to see first and foremost: Is there a plan? And is it focused on the right things?

“It sounds silly, but you’d be surprised sometimes,” he said. “It’ll be picking out a specific area of the business and not looking at it holistically. And I think it’s important that the continuity plan covers all of your operations.” Now more than ever.


  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events


    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)


    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.