6/3/2021
Answering burning questions from victims of cyber events
DEAR RAMEY:
My organization recently recovered from a devastating cyberattack. We lost access to our information for a few days. Root cause analysis determined that the threat actor compromised the credentials of a vendor and published terabytes of our data on the dark web. I am very concerned about my job because the board is asking pointed questions about our vendor management program and overall cybersecurity posture. Will I be terminated for this fiasco? — CHIEF “INSECURE” OFFICER
DEAR CHIEF “INSECURE” OFFICER:
If ever there were a tough question…
While I’m not an attorney or Nostradamus, I can tell you that an examination of recent cyberattacks may indicate the answer is no. However, many boards are very concerned about reputation. It’s the core of how much and how fast businesses grow. And when boards feel the business’s reputation and brand are being threatened, they want immediate action to right the wrong and move the business past the event.
Public closure of an event can take many forms, such as terminating the individual(s) responsible for failure to perform their duties, offering complete transparency to the investigation, or offering to reimburse or provide coverage for impacted parties, to name a few.
So, I hate to be the bearer of bad news, but yes, you could be terminated for this. The loss of revenue and the brand impact of the attack can be very hard to recover from. Yes, insurance helps, but it only recoups what may have been lost, not necessarily what will be lost.
Let’s examine some recent cyberattacks.
UBER TECHNOLOGIES GRAY HAT HACK
In late 2016, Uber suffered a data breach when a hacker was looking for ways to exploit unknown vulnerabilities within Uber’s technology. The hacker was able to find and exploit a vulnerability and download millions of records containing sensitive information on contract drivers for Uber. When the new CEO, Dara Khosrowshahi, took the helm in 2017, he chose to disclose the incident to the public. Along with disclosing the breach, Khosrowshahi also terminated the chief security officer, Joseph Sullivan, for not disclosing the incident and for paying the hacker $100,000 to delete the data.
FIREEYE SOLARWINDS SUPPLY CHAIN ATTACK
FireEye disclosed in December 2020 that it believed it was hacked by a state-sponsored group. Findings from FireEye’s investigations identified SolarWinds’ Orion product as the root point of entry. Once the company publicly disclosed this information, additional public and private organizations became aware of the attack and could investigate their own systems. FireEye also announced that several of its “red team” tools were stolen during the breach and immediately provided thorough guidance and indicators for security teams to update their detection software in order to identify the use of the tools within their networks. During Microsoft President Brad Smith’s testimony to Congress, he praised FireEye for its transparency about its investigation and findings.
Meanwhile, SolarWinds, which was the epicenter of the supply chain attack where hackers successfully added their own program code to the Orion software, is currently repositioning itself to be security focused. As part of its response to the incident, SolarWinds hired Chris Krebs and Alex Stamos to assist with overhauling its security program, including improving the security surrounding its software development life cycle (SDLC). Krebs formerly led the United States Cyber Infrastructure and Security Agency (CISA); Stamos was previously the chief security officer of Facebook.
WSJ’S CYBERSECURITY FOCUS
On December 8, 2020, The Wall Street Journal reported on “What to Do – and What Not to Do – in the Aftermath of a Cybersecurity Attack.” Among the article’s valuable insights, the author, Rob Sloan, highlights “don’t play the blame game.” While removing top executives was once seen to demonstrate immediate change in strategy to the public, this move can have an adverse effect. Sloan continues by highlighting the need to maintain core knowledge of the business’s infrastructure and systems. He even cites Stevan Bernard, CEO of Bernard Consulting LLC, who believes “fear and uncertainty will not be your friend when everyone else is in the midst of trying to survive or recover.”
Examining the events with SolarWinds and Uber, we can agree that unauthorized access is bad, access to confidential or sensitive information is worse, and the public isn’t forgiving when organizations aren’t transparent about cyberattacks. Both situations were handled entirely differently. Uber decided to take a position that goes against the conservative interpretations of data privacy laws while SolarWinds is focused on rebuilding its brand with a security-focused approach. In both scenarios, the organizations need to improve their security. But it’s how they approach security, transparency, and ethics that will allow them to recover from brand and reputation damage.
So, when it comes to your job: while you should be concerned once the dust settles, right now, what matters most is doing everything in your power to help the board steer the organization through the incident.
Assuming Sloan is right, minimizing brand and reputation damage hinges on the business’s ability to maintain core knowledge as well as share timely information with external stakeholders. If you assist your board with putting the business in the correct position to investigate the event, recover, and build a more secure future, you shouldn’t have to worry as much about your future job security.
Arete IR Director Stephen Ramey is here to answer burning questions from victims of cyber events. If you have a question, please don’t hesitate to reach out at [email protected]. Arete wants to help by sharing our insight and experience.