
Is Someone Spying on Your Business?
Takeaways for Businesses to Prevent Corporate Espionage and Cyber Attacks
BY PAUL PERRY, FHFMA, CISM, CITP, CPA, CDPSE
Is someone spying on your business? Or even worse—stealing from it from right under your nose?
At the end of 2020, one cybersecurity attack was so pervasive and serious that it should have sent business leaders on an urgent errand to ask this question for their organizations. And yet, many still haven’t even heard anything about it.
Here, we’ll step back and break down the SolarWinds attack (as much as we know) and determine what defense and preparation strategies your company may be able to implement in response.
THE ATTACK (OR WHAT WE KNOW SO FAR)
The story is constantly developing, but here’s what we know at this moment.
Who
The attack targeted SolarWinds, a company that produces a network- and application-monitoring platform called Orion. Organizations that installed the tampered Orion updates were affected, among them major government agencies and companies.
What
Threat actors gained access to SolarWinds' build environment and inserted a backdoor into legitimate, digitally signed Orion updates, so the malicious code reached the software's users through the normal update channel.
Why
Much is still unknown, including who was responsible and the motive behind the attack. Several nation-states have been blamed, but attribution could be one of the most contested aspects of the attack for years to come.
WHAT THE ATTACK MEANS FOR COMPANIES
This incident highlights the severe impact that software supply chain attacks can have and the unfortunate realization that most organizations are largely unprepared to prevent and detect such a threat.
If and when responsibility is determined, and if the attack is found to be part of a larger campaign or a potential pretext for cyber war (something we have not experienced before), the effects could be wide-sweeping. One possibility is a broad invalidation of cybersecurity insurance claims under existing policies, or changes to future policies that drive up premiums for coverage without such an exclusion.
Regardless, it's important that companies are aware of how to protect themselves. This attack proved that anyone can be compromised, and no matter how much you spend on protection, residual risk remains and needs to be understood. No one person or organization, outside of the threat actors and any nations involved in the aforementioned attack, is to blame for this attack occurring.
So, is there anything companies can do to protect themselves? Can you be prepared for an attack of this magnitude? How can we apply a lesson learned from another company’s cyberattack to better our own education, defense, and preparedness?
THE DEFENSE AND PREPARATION NEEDED
Companies everywhere can look at this attack, learn and generate some takeaways for their own organizations. There are a few tactics that companies should employ to better their security posture and improve their technology environment. Below are a few classics to consider related to this type of attack.
Know Your Vendors
Vendor management is a big part of having strong technology controls, yet it has little to do with your company's technology itself. Its advantage is awareness and understanding.
Knowing who your vendors are can help determine whether you are impacted by a globally acknowledged cyber-attack or breach. While many organizations rely on one person to remember all their third-party vendors, it's solid practice to keep an updated log of:
• Who they are;
• What processes or activities they perform for you;
• What access they have to your network, systems and data; and
• Who your contact is.
Also, performing risk-based due diligence of their involvement with your daily controls and processes will help you better understand (and be aware of) any shortcomings they have that you need to protect yourself against.
Making sure they perform the same due diligence on their own third parties (known as your fourth-party vendors) is also crucial. Many companies will learn that their fourth- and fifth-party vendors are overseas companies, or even companies on the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list with which you cannot do business.
UNDERSTAND YOUR CYBER LIABILITY INSURANCE POLICIES
Make sure you fully understand what is covered by your cyber liability insurance policy—and what isn’t covered.
Organizations can get into a messy situation when they expect an insurance policy to protect them completely or to reimburse them if a threat actor successfully compromises their system or data. Cybersecurity insurance is there to help you if your controls and processes fail—not restore your system without you doing anything to help prevent the attack or breach.
Most cyber liability insurance policies have a section (or a questionnaire in the underwriting process) that details the controls your organization is expected to have in place before an attack occurs and to demonstrate when a claim is made. For most insurers, those activities include (but might not be limited to):
• A risk assessment process (internal and/or external);
• Security awareness training;
• Intrusion detection or prevention systems and processes;
• Incident response plans;
• Vendor management process; and
• Data backup procedures.
These controls show that your organization is pulling its weight and meeting its obligations under the policy.
If the attack turns out to be part of cyber warfare and your organization is or was impacted, check your cybersecurity insurance policies for the exclusion clauses covering damages due to an "act of war."
In addition, make sure all exclusion clauses are reviewed and understood before the policy is bound, not after you need to invoke it. This includes which costs are not reimbursable and when the policy does not apply (e.g., the act-of-war clause).
This aspect should concern organizations impacted by the SolarWinds attack the most. With attacks growing in scale and actors becoming more devious, cyber liability coverage could become too expensive for many organizations to buy, or too risky for insurers to write.
TESTING YOUR INCIDENT RESPONSE PLAN
Update and test your incident response plan so that you can effectively respond to an actual attack when it happens.
In 2018, the AICPA, in connection with its SOC for Cybersecurity guidance, issued its tenets of cybersecurity, one of which states that preparing your company to respond to an attack with "as minimal disruption in your business as possible" is just as important as implementing controls to defend against attacks and threat actors.
A solid incident response plan should consider all potential threats and risks to the organization. One plan can cover multiple threats, each with its own course of action should a cybersecurity event occur, and every organization should update its plan to include a "software supply chain attack" scenario.
Testing the plan can be as simple as:
1. a tabletop exercise, where all parties involved (including external consultants or vendors) sit around a table (perhaps a virtual one these days) and talk through who does what, in what order, how to handle communications and issues, and what can go wrong; or as complex as
2. simulating the attack and responding to it in real time.
Both have their advantages and disadvantages, but something should be done to prepare your organization for all possible attacks and threat actors.
PROTECT YOUR ORGANIZATION AS MUCH AS POSSIBLE AGAINST CYBER ATTACKS
While human error and insider threats remain the largest threats to prepare for and defend against, knowing your vendors, understanding your risks, knowing where you can get assistance and preparing for the worst can go a long way toward keeping disruption to your operations and finances as small as possible.
Paul Perry has been with Warren Averett since 2004 and is a Member and the practice leader of the Security, Risk and Controls Group. Paul and his team focus on cybersecurity, information technology related projects, risk assessments, internal controls, internal audit and control-related projects, including System and Organization Control engagements.
Paul is also the leader of the firm’s Data Analysis Group, a team of individuals within the firm who provide data analysis solutions to both internal and external clients. For more than 11 years, he specialized in auditing and assurance services. Paul has extensive experience serving clients in the nonprofit, governmental, financial, insurance and healthcare facilities/hospital industries during this time. Paul has earned the Certified Information Technology Professional (CITP) certification. This credential is awarded to CPAs who possess both information technology and business expertise.
Paul is a thought leader, published columnist and regular speaker on topics such as cybersecurity, data analysis, internal controls and information technology. During the year, Paul performs 20+ external presentations on a wide variety of technology and control related topics to groups including corporate clients, ASCPA, HFMA, IIA and ISACA. He also offers insight to business leaders in his role as a co-host of Warren Averett’s podcast, The Wrap.