SolarWinds: Why Companies Must Shift to a Risk-Based Cybersecurity Approach

Intrusion Detection Systems Simply Won't Cut It Going Forward

by Dan Verton
May 4, 2021
in Cybersecurity
SolarWinds is regarded as the widest-reaching cyber espionage operation against the United States government to date. Dan Verton discusses what we know so far and actions other businesses and organizations should consider in an effort to mitigate the effects of future attacks.

Nearly four months after the disclosure of the SolarWinds attack, we are continuing to learn more about the nature of the incident. Corporate leaders have testified at government hearings as lawmakers try to understand the full breadth and impact of the attack, as well as what cybersecurity shortfalls may have contributed to the situation. The hack is already considered the most substantial and widest-reaching cyber espionage operation against the United States government to date. As such, it’s worth taking a closer look to understand key takeaways to prevent a similar attack of this scale in the future.

First, SolarWinds demonstrated how critical it is for companies and organizations to have a full understanding of their supply chains and the potential vulnerabilities at each step of the process. In today’s security landscape, it is no longer enough to have insight only into your own organization’s cybersecurity posture. More worrying still, a recent survey by Gartner found that in the past five years, nearly 90 percent of companies had experienced a supplier risk event but lacked the company-wide awareness or the level of maturity needed to mitigate the risk.

Editor’s note: As of publication, details of the SolarWinds breach are still coming to light. Beginning possibly as early as the spring of 2020, hackers believed to be connected to the Russian government gained access to IT management software known as Orion, developed by SolarWinds. This software is used by a range of companies and organizations around the world. Through the breach, hackers hid backdoor access capabilities inside Orion software updates. They were able to view a huge body of sensitive information at numerous government agencies and global corporations as a result. The breach was first detected by the cybersecurity firm FireEye last December. While it is known that hackers accessed information, their full motives and actions have yet to be determined.

SolarWinds Unveiled the True Scope of Supply Chain Vulnerabilities

Another key problem with supply chains is a lack of oversight. Robert Bigman, the former chief information security officer (CISO) at the Central Intelligence Agency, flagged on a recent podcast that there are currently no rules and regulations surrounding secure supply chains.

“When you go and buy a car, you have a thing called a Lemon Law. If something goes wrong, you can turn it in and get it adjusted and get a change, or even get a new car. We don’t have that type of law for cyber,” Bigman said. “We have no rules, no regulations for companies to build secure supply chains. We have no rules and regulations that require them to build secure code. It’s a free-for-all. And you’re really potentially the victim of companies who don’t act responsibly. And I’ll be honest with you, I think it’s the majority of them.”

This puts the onus on companies and organizations themselves to be proactive about protecting and managing their supply chains. To this end, security leaders at all entities need to be aware of the security processes and protocols across their entire supply chain. It only takes one weak password or one weak link in the chain to compromise all parties. This was evidenced by “solarwinds123,” a password that was leaked on the public internet and that played a part in the cyberattack. Vendors or partners in your company’s supply chain could end up being an entrance into the dozens of other entities within their networks, regardless of the strength of your own organization’s cyber posture.

The Value of Risk-Based Cybersecurity

Importantly, when looking at the SolarWinds incident at a higher level, the attack showed why companies and organizations should shift toward a risk-based, intelligence-driven approach to cybersecurity. This is a departure from the reliance on intrusion detection systems that is evident throughout the industry. Both the number of cyberattacks and the level of sophistication of each attack are increasing, and a risk-based approach to cybersecurity can aid organizations in keeping up with today’s threats against them. Even the best vulnerability management program isn’t really addressing cyber risk. Did you know that more than 13 percent of all common vulnerabilities and exposures (CVEs) have a severity score between 9.0 and 10.0 (the highest possible value)? Of those 13 percent, 7,628 (or about 47 percent) are scored at 10.0. The question becomes: how can a security team tell one 10.0 from another? And how do businesses know they are focusing on the right ones?

Cyber risk quantification facilitates the prioritization of risks. We all know that cyberattacks will not be ceasing any time soon. In fact, they are likely to increase in frequency. So it is beneficial to have a process that helps in assessing which of the risks are most critical to an organization by ranking them in terms of their potential cost and operational implications.
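As an added illustration of the prioritization the author describes (this is example code, not from the article or from any product it names), the following ranks three constructed findings by expected annual loss rather than by CVSS score alone. The likelihood weights, asset criticalities, dollar figures and finding labels are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One vulnerability finding enriched with business context (constructed)."""
    ident: str               # constructed label, deliberately not a real CVE id
    cvss: float              # base severity score, 0.0 to 10.0
    internet_exposed: bool   # reachable from outside the perimeter?
    exploit_in_wild: bool    # threat intel reports active exploitation?
    asset_criticality: int   # 1 (low) .. 5 (mission-critical), from the asset inventory
    est_impact_usd: float    # estimated loss if the asset is compromised (assumed)

def annual_likelihood(f: Finding) -> float:
    """Rough probability of exploitation within a year.
    The weights are assumptions for illustration, not a published standard."""
    p = 0.05 + 0.05 * f.cvss / 10.0   # severity alone moves likelihood only a little
    if f.internet_exposed:
        p *= 4                        # exposure dominates severity in practice
    if f.exploit_in_wild:
        p *= 3                        # known exploitation raises it further
    return min(p, 0.95)

def annual_loss_expectancy(f: Finding) -> float:
    """ALE = likelihood x impact, scaled by how critical the asset is to operations."""
    return annual_likelihood(f) * f.est_impact_usd * (f.asset_criticality / 5)

def prioritise(findings: list[Finding]) -> list[Finding]:
    """Return findings ordered from highest to lowest expected annual loss."""
    return sorted(findings, key=annual_loss_expectancy, reverse=True)

# Constructed sample: two CVSS 10.0 findings that look identical on a severity report,
# plus a 7.5 on an exposed, actively exploited, business-critical system.
SAMPLE = [
    Finding("VULN-A", 10.0, True, True, 5, 2_000_000),
    Finding("VULN-B", 10.0, False, False, 2, 500_000),
    Finding("VULN-C", 7.5, True, True, 4, 1_000_000),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.ident}: CVSS {f.cvss:>4}  ALE ${annual_loss_expectancy(f):>12,.0f}")
```

Run as written, the 7.5 finding (VULN-C) outranks one of the 10.0 findings (VULN-B), which is exactly the distinction a severity-only list cannot make.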

The Security Community Is Realigning

The sentiment of shifting to a risk-based approach for cybersecurity has been echoed by leaders in the cyber industry, including Michael Daniel, a former White House cybersecurity policy advisor and CEO of the Cyber Threat Alliance. During a recent interview, he underlined the importance of evolving the way cybersecurity is viewed and discussed. “Cybersecurity is now a critical enabler for most businesses to continue operating,” Daniel said. “And it needs to be framed in that way. And I think that’s very much the place that we need to move … putting it in those business terms, framing it in those risk terms.”

If there is one positive takeaway from the SolarWinds attack, it is the encouraging response of the security community. As individual entities seek to strengthen their security postures and shore up their own defenses, moving to an environment of collaboration and information-sharing will be key. In this instance, we saw this collaboration from FireEye, as it stepped up and offered to share findings and information from its investigation. Additionally, players like Microsoft spoke up and advocated for a coordinated response among government and technology players. Moving forward, we will need to see this type of response to all large-scale attacks. We will need to ensure we are using all possible information at our disposal to prevent and mitigate the effects of future incidents.

As we look ahead, the organizations and companies that will be best positioned against future cyber threats will be those that take the time to proactively understand and secure all pieces of their supply chain and shift to a risk-based view of cybersecurity. After all, we know it is no longer a question of if cybercriminals attack a business, but rather when and what they choose to attack.


Tags: Cyber Risk
Dan Verton

Dan Verton is a former intelligence officer in the U.S. Marine Corps and has authored several books on cybersecurity, including the 2003 groundbreaking work, “Black Ice: The Invisible Threat of Cyber-Terrorism” (McGraw-Hill) and “The Hacker Diaries: Confessions of Teenage Hackers” (McGraw-Hill). He most recently served as an intelligence advisor to the DHS First Observer Plus anti-terrorism awareness training program.