What Businesses Can Learn From The SolarWinds Hack And SEC Charges
It’s been three years since American software company SolarWinds fell victim to one of history’s most significant cyber attacks. The incident, which first came to light in December 2020, saw Russian hackers breach SolarWinds’s popular Orion network and application monitoring software over two years.
Once inside SolarWinds’s technical infrastructure, the cybercriminals created and sent malicious software updates to thousands of businesses and organisations using the Orion software to manage their IT environments.
A staggering 18,000 Orion users unknowingly installed the malware-ridden updates, enabling the hackers to access their IT networks, computer systems, and data, as well as target their customers and other stakeholders.
The hack impacted multiple US government agencies, including Homeland Security, State, Treasury and Commerce, and major corporations like Microsoft, Intel, Cisco, Deloitte and FireEye, as reported by TechTarget. The breach was so severe and far-reaching that Microsoft president Brad Smith described it as “the largest and most sophisticated attack the world has ever seen”.
Fast forward to 2023, and SolarWinds is still facing the repercussions of this record-breaking cyber attack. In October, the US Securities and Exchange Commission (SEC) announced that it would take legal action against SolarWinds, accusing the tech firm of misleading investors about its cyber security practices and risks.
This hack, coupled with the recent SEC charges against SolarWinds, highlights the need for businesses to take rising cyber crime seriously by understanding and adopting robust information security practices. It also presents valuable business learning opportunities, many of which we’ll explore in this blog post.
Understanding The SEC Charges
One of the most significant things about these SEC charges is that they target not only SolarWinds but also chief information security officer Timothy G. Brown.
The SEC alleges that, between its initial public offering in October 2018 and its cyber attack announcement in December 2020, SolarWinds “defrauded investors” by exaggerating its cybersecurity practices as well as playing down and not disclosing cybersecurity vulnerabilities it knew about.
In a press release, the US government agency claims that SolarWinds only told investors about “generic and hypothetical risks” even though SolarWinds and Brown were aware of “specific deficiencies in SolarWinds’ cybersecurity practices” and “increasingly elevated risks”. The SEC alleges that SolarWinds made misleading public statements about its cybersecurity posture, contradicting internal evaluations.
For example, a SolarWinds engineer created and distributed an internal presentation warning that the company’s remote access wasn’t “very secure” and that hackers could “basically do whatever without us detecting it until it’s too late”. The presentation, which Brown had seen, also warned of “major reputation and financial loss” if a hacker leveraged this vulnerability.
In other claims against SolarWinds by the SEC, Brown allegedly wrote in a presentation that the “current state of security leaves us in a very vulnerable state for our critical assets”. He is also claimed to have called critical system and data access and privileges “inappropriate” in another presentation, among other instances where he allegedly raised cybersecurity concerns internally.
The SEC has accused Brown of failing to “resolve the issues” and “sufficiently raise them further within the company” in moves that meant SolarWinds wasn’t able to “provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected”. It’s now pressing for “permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown”.
Business Learnings
Many businesses can take away key learnings to improve their cybersecurity posture by assessing the infamous SolarWinds hack and the recent SEC charges.
Perhaps the most significant learning is that the SolarWinds breach shows that “even the most sophisticated and established entities aren’t immune to cyber threats”, according to ISMS.online CTO Sam Peters.
As cyber threats become more complex and common in the wake of the SolarWinds breach, businesses must ensure they have the means to identify, assess and manage them. This should involve “continuous vigilance, regular assessments, and the adoption of a proactive cybersecurity mindset”, says Peters.
The best way to manage new and emerging cyber security threats is by following industry best practices, regulatory requirements and recognised frameworks like ISO/IEC 27001 and the NIST Cybersecurity Framework as part of a “culture of security awareness”.
Peters explains: “They are business necessities in today’s digital-first landscape. As technology leaders, we must view cybersecurity not as a standalone function but as an integrated, foundational aspect of our overall business strategy.”
Following frameworks like ISO/IEC 27001 requires businesses to adhere to various technical controls to secure their networks, systems and data. Peters explains that they must define, monitor and review user access management, controls and responsibilities in addition to using strong encryption and key management protocols. Taking these steps is the key to “ensuring data confidentiality even during breaches”.
Peters also recommends that businesses conduct vulnerability assessments regularly, allowing them to identify and fix software flaws that could otherwise provide a backdoor into sensitive systems for hackers. Implementing a well-documented information security incident management process would also enable businesses to identify, report and manage breaches as they happen.
Along with highlighting the importance of following industry best practices and frameworks, the SolarWinds incident also shows that due diligence of suppliers is crucial to mitigating cyber attacks. Peters recommends that businesses “always vet third-party software with the same rigour as internal systems”.
Luke Dash, CEO of ISMS.online, believes that the most significant lesson businesses can learn from the SolarWinds breach is that cybersecurity is “a continuous journey, not a destination”. While investing in technology can help fight cybercrime, Dash says organisations must also invest in their people by constantly training them on cybersecurity threats and best practices.
He also recommends creating an incident response plan to prepare for future threats and fostering a workplace culture based on open communication. This will ensure “employees feel comfortable reporting suspicious activities without fear of retribution”. Dash adds: “In cybersecurity, every alert counts. It’s a collective effort and being proactive is the key.”
Karl Lankford, EMEA director of systems engineering at Illumio, says the SolarWinds hack and SEC charges show that the “CISO role deserves a place on the executive team”.
“The wider C-Suite must also be held accountable for good cyber security practices, as often it is this team that denies the recommendations from a CISO,” he adds. “I would love to see a shift where the CISO is assigned the appropriate authority and budgets to implement effective security controls without having to seek approval at every stage.”
Robin Campbell-Burt, CEO at Code Red, believes that the SolarWinds hack “sheds light on the multifaceted nature of public relations in cybersecurity crises” and stresses the importance of getting PR right during these situations.
He tells ISMS.online: “Their response to the breach underscores the imperative of timely communication in our rapidly evolving digital world. According to the recent SEC charges, however, this response may not have matched the reality of the company’s cybersecurity posture, and this kind of dishonesty can be extremely damaging to a brand’s reputation.”
The Bottom Line
The SolarWinds hack and SEC legal action demonstrate that poor breach disclosure and neglect of cybersecurity can be highly costly for businesses. With the online threat landscape evolving rapidly, organisations must constantly reevaluate and bolster their cybersecurity posture to protect themselves and their customers and partners.
As part of this, the importance of best practices such as multi-factor authentication, regular backups, a security culture involving all employees, adherence to industry frameworks, and collaboration and threat intelligence sharing with industry peers cannot be overstated.