Connections - November/December 2021


IS SOMEONE SPYING ON YOUR BUSINESS?

Takeaways for Businesses to Prevent Corporate Espionage and Cyber Attacks

BY PAUL PERRY, FHFMA, CISM, CITP, CPA, CDPSE

Is someone spying on your business? Or even worse—stealing from it right under your nose? At the end of 2020, one cybersecurity attack was so pervasive and serious that it should have sent business leaders on an urgent errand to ask this question for their organizations. And yet, many still haven’t even heard anything about it. Here, we’ll step back and break down the SolarWinds attack (as much as we know) and determine what defense and preparation strategies your company may be able to implement in response.

THE ATTACK (OR WHAT WE KNOW SO FAR)

The story is constantly developing, but here’s what we know at this moment.

Who
The attack targeted SolarWinds, a company that produces a network- and applications-monitoring platform called Orion. The users affected most were those using the cloud-based version of the software, but it also impacted major government organizations and companies.

What
Threat actors gained access to the company’s system and distributed malicious updates to a network-monitoring product and to the software’s users.

Why
Much is still unknown, including the actual source and the motive behind the attack. Several countries and nation-states are being blamed, but this part of the story could be one of the most highly contested aspects of the attack for years to come.

WHAT THE ATTACK MEANS FOR COMPANIES

This incident highlights the severe impact that software supply chain attacks can have and the unfortunate realization that most organizations are largely unprepared to prevent and detect such a threat. If, and when, they determine who was responsible, and if it is determined to be part of a larger attack or potential pretext to cyber war (which we have never experienced), the effects could be wide-sweeping. One possibility is that it could cause a larger invalidation of cybersecurity insurance policies or changes to future policies that could drive up the cost of premiums to remove such a clause.

Regardless, it’s important that companies are aware of how to protect themselves. This attack proved that anyone is vulnerable, and no matter how much money you spend on protecting yourself, there is always risk that needs to be understood. No one person or organization, outside of the threat actors and possible nations involved in the aforementioned attack, is to blame for this attack occurring.

So, is there anything companies can do to protect themselves? Can you be prepared for an attack of this magnitude? How can we apply a lesson learned from another company’s cyberattack to better our own education, defense, and preparedness?

THE DEFENSE AND PREPARATION NEEDED

Companies everywhere can look at this attack, learn and generate some takeaways for their own organizations. There are a few tactics that companies should employ to better their security posture and improve their technology environment. Below are a few classics to consider related to this type of attack.

Know Your Vendors
Vendor management is a big part of having strong technology controls, yet it doesn’t have much to do with your company’s technology itself. Its advantage is awareness and understanding. Knowing who your vendors are can help determine if you are impacted by a globally acknowledged cyber-attack or breach. While

Listen to The Wrap podcast episode: Deception Perception [Understanding and Preventing Corporate Espionage] at warrenaverett.com/deception-perception.

ASCPA Connections

