Business leaders need to view cybersecurity with a proactive, risk-based approach and stop judging the strength of their cybersecurity by the standards and compliance certifications they've gained via a check-box approach. The latest case study in ignoring that approach came last December, when SolarWinds was hit with one of the most significant breaches in recent memory.
By the time a Defense Industrial Base (DIB) organization is aware of a breach like that of SolarWinds, it’s certainly too late. Fallout can range from the initial damage of the attack and subsequent downtime to potential loss of business and reputation.
For example, SolarWinds stock dropped 40% the week after the attack, although it has since bounced back slightly.1 An effective cybersecurity approach comes down to doing things proactively and correctly when nobody is watching, before the alarm bells sound.
The SolarWinds Breach
The hackers behind the SolarWinds breach used a combination of brute force password cracking and Trojan updates in a complex operation. The attack infiltrated thousands of government and private networks, gaining access to a variety of data types including credentials, financial information, and source code.2
According to the ongoing investigation, the hackers behind the attack began deploying malware in 2019 in a possible early connection to the breach.3 While the exact correlation between the 2019 malware and the December breach is still unclear, it appears the cybercriminals had backdoor access for an extended period, allowing them to manipulate and monitor the environment until the perfect moment came to unleash the full scale of the cyber attack.
Federal agencies impacted in the United States include the departments of Treasury, Commerce, Defense, and Homeland Security. While the ramifications of an attack at this scale are detrimental to any industry, few face greater consequences than DIB organizations, because a cyber invasion can expose sensitive information and have potentially major implications for national security and even our way of life.
Attacks similar to SolarWinds will be difficult to avoid if you're only deploying a conventional "best practices" checklist approach to cybersecurity. Cybercriminals are constantly adapting to the latest regulations and security protocols and taking extensive measures to avoid detection. It is imperative for DIB organizations to extensively vet their supply chain to ensure vendors and partners take every precaution to limit vulnerabilities as much as possible.
Mitigate Risks with a Comprehensive Cybersecurity Strategy
To properly mitigate and avoid threats, DIB organizations need an iron-clad, tested, and risk-based approach to cybersecurity. An effective cybersecurity strategy often boils down to an effective understanding of risk: understanding what is important to your organization, what could threaten it, and how that could occur.
Look at it this way: you maintain home security not to meet regulations, but to protect your family. That’s what you value, and that needs to be the focus. If you look at your family and recognize you have a child who is lousy at locking the door behind him or herself, you understand a threat and how it could occur, with a burglar accessing an unlocked door. Only then can you devise an effective response that protects what you value, by adding an alarm system or moving to a safer neighborhood, for example.
Once DIB organizations can answer these questions, they can create the protocols to execute an effective response and keep the organization safe.
Typically, some best practices involve:
- Patch and keep software up-to-date
- Enable enterprise-level security and encryption
- Use strong credentials and multi-factor authentication
Additionally, it's imperative to document the foundations of your risk management and ensure stakeholders understand them. Executives can't do their jobs effectively without properly framing risk. Otherwise, you're at the mercy of the cybersecurity workforce and tech industry's interests instead of your own priorities and your need to protect what is important.
Don’t Stop at Minimum Compliance Standards
While meeting CMMC compliance or other regulations is imperative and valuable for organizations, it is merely the start. Compliance standards often follow years of getting owned by adversaries. By the time a compliance standard is active, it is potentially years out of date from a risk perspective.
DIB organizations can achieve true cyber maturity when they follow these requirements regularly and then go the extra mile by adapting programs, in near real time, based on what's critical to them, what can hurt it, and how that can happen.
Achieving and maintaining compliance, maturity, and program effectiveness requires dedicated resources to stay abreast of regulatory developments, threats seen in the wild, and ways to educate the entire organization on potential security problems.