Two distinct, but equally, devastating security breaches occurred within a month of each other this past winter even as the nation continued its long-running battle with COVID-19.
On Dec. 13, 2020, Reuters disclosed that a “a sophisticated hacking group backed by a foreign government stole information from the U.S. Treasury” and another federal agency. When the full picture emerged, investigators estimated that approximately 18,000 businesses and organizations had received updates to their SolarWindsOrion software that had been hacked and supplied with malicious code, with 200 of these customers determined to be compromised.
The second security breach occurred on Jan. 6, 2021, when hundreds of rioters broke into the U.S. Capitol to try to stop the certification of the 2020 presidential election. Beyond the immediate questions regarding the lack of security for the Capitol and its occupants, the attack blindsided companies where some of the demonstrators were employed, leading to unwelcome publicity and serious risks to these companies’ reputations.
The Need for Greater Vigilance
Both incidents highlight the diverse challenges facing cybersecurity professionals, said Phuong Nguyen, a Senior Manager at EY and an instructor in the Certificate in Cybersecurity Strategy program at Georgetown University. The SolarWinds breach illustrates the sophistication of cyberattacks and the need for even greater vigilance and expertise on the part of information security professionals. The Capitol riot shows how these experts must also monitor potential “insider threats” that could lurk within their own companies.
“Information security is becoming more and more relied upon, and the definition of a secure environment is broadening,” Nguyen said. “The Capitol riots and, obviously, SolarWinds are good touch points for showing how it’s broadening. Now it’s up to information security professionals to understand what is available to them in their toolkit to protect the enterprise from external and internal threats with executive stakeholder support. Organizations are not going to go military grade overnight, but are thinking, ‘How do we start monitoring bad behavior for rapid mitigation and not just be in react mode?’”
One challenge remains and that is getting the C-Suite onboard, Nguyen said. Even today many companies—including technology firms—don’t have a chief information security officer at the highest level to drive change and encourage support. This may explain why the first course listed in Georgetown’s certificate program (among six that must be completed within two years) is “Making the Business Case for Cybersecurity.”
And, the evidence shows, the sooner that case is made the better.
“When cyber-events happen that have actual material impact, that’s when the C-Suite asks: ‘Well, why didn’t we see this? Why weren’t we monitoring this?’” said Nguyen, who also teaches in Georgetown’s Master’s in Applied Intelligence and Cybersecurity Risk Management programs. “So the role of the chief information security officer is to try to get in front of that.”
The Threat from Within
There is also a growing focus now on insider threats—those that come from within the company through employees who have varying levels of access, said Nguyen, an expert in the subject who advises the implementation of advanced cybersecurity and insider threat programs for various Fortune 500 companies. These threats can be motivated by malicious, compromised, or unintentional behavior to commit theft of intellectual property, internal fraud, or workplace harassment.
Among the issues companies are exploring is whether, and to what extent, they should monitor employees’ professional and personal activity. It is a complex question that raises civil liberties and privacy issues as well as security ones.
Nguyen urges companies to engage key stakeholders within their organizations to explore these issues and pursue holistic programs that are commensurate to their risk appetite and culture.
“It’s still being defined, but companies are looking at formally building holistic insider threat programs,” Nguyen said. “If they allow their employees to conduct personal business on corporate assets, should they be aware of it, or should they stay in react mode and wait for a significant exposure to occur or the authorities to come knocking on the door and deal with the material and reputational blowback later?”