Three Cybersecurity Lessons From The SolarWinds Hack

Forbes Technology Council

Head of Information Security at Directly, leading and managing a cross-functional annually audited InfoSec program, and IW CDR in the USNR.

Last week we learned about the hack of a network monitoring software, SolarWinds Orion, that has the potential to be the most pervasive hack in U.S. history, affecting leading security firms, as well as government agencies and Fortune 500 companies. By hacking a leading monitoring software amid an unprecedented pandemic, which rightfully required our attention, Russia, the alleged nation-state behind the hack, potentially gained undetected access to an enormous amount of confidential data from more than 18,000 leading organizations from March to December 2020. While we will still be assessing the full impact of the hack in the days and months to come, this article will reflect on three important points from the hack.

All Computer Systems Are Vulnerable

First and foremost, the hack starkly reminds us that all computer systems are vulnerable to hacking. Anything that is connected to the internet can (and, in many cases, will) be hacked. The only way to be 100% hack-proof is not to use a computer system: Put it in a box, pour concrete over it and bury or throw it in a body of water. Information security assesses, manages and significantly reduces but does not eliminate risk to our computer systems and networks. It would be wise to assume that our systems and networks have already been hacked. Like scientists, we need to find evidence of that hypothesis and initiate the incident management plan to remediate and recover as quickly as possible. We need to build resilient systems that are expected to get hacked but quickly recover.

For computer crimes to be successful, three simple things have to be true about the criminal:

1. They must have the desire to obtain possession of the "victim."

2. They must have the skills, knowledge and ability to commit the crime.

3. They must have the opportunity to commit it.

With enough time and resources, criminals and nation-states who have a high desire to access confidential data will improve their ability and find the opportunity to exploit vulnerabilities to get unauthorized access.

While America was expecting Russia to interfere with the 2020 presidential election, Russia allegedly exploited the Covid-19 pandemic to quietly snoop on America for nine months. One more thing to consider is making it futile for attackers to spend time and resources to hack our networks and systems. In this case, if 100% of the data we care about is fully encrypted at rest and in transit, it would not matter if hackers have stolen the data because they would not be able to make use of it.

Security Is More Than Just Technology

Security is not just about technology, but governance, policies, processes and people. I believe people are the most critical piece of this puzzle because they are the ones who have to deploy and configure the latest technology and follow all written policies and standard operating procedures. We are only as strong as our weakest link. Security should be everyone's business. Security should not only be delegated to the organization's security team, which is generally underfunded and without positional influence within the organization to effect significant change. We need to value and increase security awareness throughout the organization.

Security needs to become a part of our culture. Our people need to be familiar with our incident response plan. They should know the best response for any potential incident, or at least know whom to ask or where to turn if they notice anything suspicious or are tempted to click on a potentially malicious link or download a malicious attachment. Information security should also be aligned to and converge with physical security as part of a comprehensive strategy. If a hacker can get physical access to a computer system, game over. In some cases, hackers have been able to breach physical access to a location by using cyber capabilities.

Organizations should also consider cybersecurity insurance to hedge their bets. As mentioned earlier, all systems are vulnerable. It is likely not a question of if we are going to get hacked but when. When we do, cyber insurance could be an essential element to recovery. One thing to consider is the fact that, according to IBM, the global average total cost of a data breach in 2020 is about $3.86 million. Most small and medium-sized Silicon Valley organizations I have worked with are insured up to $5 million.

Security Needs To Be Elevated

In today's information age, where security and privacy are quickly becoming the primary concerns for most organizations and individuals alike, security must play an influential role. Many organizations claim that trust, security and privacy are priorities, but the budget and resource allocation tell a different story. There needs to be a single person identified and empowered within the organization to manage security risks. Security must have a seat at the table. Security should be consulted in establishing the strategic objectives of the enterprise. Security should be baked into the software development life cycle and not be bolted on after the fact.

Security also needs to be independent. For a long time, security has usually been reporting to IT or engineering departments. Sometimes, that might cause a conflict of interest as the boss may not be interested in remediating security findings or informing senior leadership or the board of directors of such findings. It may be time to consider elevating the role of the CISO to report directly to the CEO or the board of directors.

The SolarWinds hack will have many lessons yet to be learned for cybersecurity professionals. Based on the limited amount of information we have so far, three lessons that came immediately to mind are the persistent vulnerability of computer systems, the need to focus on more than just technology and the importance of elevating the security role to the proper level of influence within an organization. One thing we know for sure: SolarWinds is not going to be the last hack we will see. We might be lucky right now that the spotlight is not on our organization. We need to do better defending our computer systems and networks.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

