The breach of U.S. government agencies from the Department of Defense to the Treasury Department will likely go down as one of the most impactful cyberattacks in history, impacting not just Federal agencies, but likely tens of thousands of American businesses—and their customers—as well.
The reason? Not only because of the potentially unprecedented size and scope of the attack, but because the hackers took full advantage of one of the most-discussed, but perhaps little checked, strategies available to those looking to break into networked computer systems: third-party software.
Boards and CEOs at large multinational companies have spent over a decade introducing increasingly robust cyber defense systems—often after discovering the hard way the downsides of not doing so. The issue of cybersecurity routinely tops our polls of U.S. directors when it comes to what keeps them up at night, driven by high-profile breaches at companies from Marriott to Target to Equifax.
But as the companies themselves have gotten more sophisticated, that’s pushed hackers to find new weak spots. Often, that means attacking a company through its suppliers.
In this case, the attack, by what officials say are agents of Russia’s foreign intelligence service, went after a particularly valuable target: SolarWinds, an Austin, Texas-based network management company that counts more than 300,000 customers including the bulk of the Fortune 500 and many government agencies.
Worse, according to The Wall Street Journal, the hackers were able to create a malicious software update that was then passed on through the company, which is deeply embedded in the “plumbing” of many networked computer systems. “Hacks of this type take exceptional tradecraft and time,” Chris Krebs, the former head of cybersecurity for the Department of Homeland Security, said on Twitter, the Journal reported. “If this is a supply chain attack using trusted relationships, really hard to stop.”
What should CEOs and boards do? Immediately, security experts say, they need to know whether they are using SolarWinds products on their systems. If so, they should assume they have been breached and get their CISOs to take appropriate action to secure company data.
Longer term, they should push their security teams to focus on potential threats that could come via supply chains. The National Institute of Standards and Technology, the part of the U.S. Department of Commerce that acts as a standard-setter for cyber risk, offers guidelines. Among them:
For directors and corporate leaders looking to get smarter on the issue, NIST offers a great rundown of key questions to ask your IT folks and third parties, as well as a checklist of best practices.
The most essential thing is to remember that even in a situation like this, companies are not powerless. As we’ve counseled in the pages of Corporate Board Member and Chief Executive for years, that’s absolutely critical to remember—you must not let this lead to paralysis. Cyber risk—like lots of other risks—can be mitigated. Some essentials we’ve picked up along the years:
At our annual Cyber Risk Board Summit in February, Shawn Edwards, chief security officer for RSA and head of Dell’s Business Unit Security Organization, said that when it comes to board-level business continuity planning and cyber risk, he looks to see first and foremost: Is there a plan? And is it focused on the right things?
“It sounds silly, but you’d be surprised sometimes,” he said. “It’ll be picking out a specific area of the business and not looking at it holistically. And I think it’s important that the continuity plan covers all of your operations.” Now more than ever.