Written by Jeannette E. Garcia, San Antonio Business Journal
In late December, a massive third-party cybersecurity attack on a supply chain vendor was discovered. Hackers inserted malware into Austin-based IT management software company’s SolarWinds Corp.’s Orion platform earlier that year.
Approximately 33,000 SolarWinds (NYSE: SWI) Orion users were made aware of the cyberattack and the company shared with them “mitigation steps, including making available a hotfix update to address this vulnerability in part and additional measures that customers could take to help secure their environments,” according to a Dec. 13 document filed to the U.S. Securities and Exchange Commission.
The Business Journal spoke to c-suite members of two Texas-based cybersecurity companies — Andy Pilato, Chief Information Officer of San Antonio-based CNF Technologies, and Cherise Esparza, Co-Founder and Chief Product Officer of Houston-based SecurityGate.io — for their insight on how businesses could protect themselves from another attack.
Cybersecurity awareness within a company is particularly crucial in a time when hackers are more likely to “take advantage of companies and people” as we are “distracted” with items such as current events, the Covid-19 pandemic, and remote work, Esparza said.
Routinely Run Vulnerability Assessments
“By routinely monitoring networks and workstations, strict access control, and routinely conducting self and third-party vulnerability assessments, these will usually reveal attacks vendor organizations [such as SolarWinds] do not notice with day-to-day operations,” Pilato said.
Depending on size and a budget of an organization would determine how often one could conduct these assessments, however, at minimum it is recommended to conduct one of these assessments “at a minimum once a year,” Esparza said.
Hire a Third-Party Vendor to Assess Your Security Procedures
Pilato said companies may consider hiring a third-party assessor to review or create their own set of security procedures with added supply-chain considerations.
“The additional benefit of having outside security help is the evidence of due diligence; even if a company does it all right, they still might be compromised. But if they have documentation showing due diligence, then they may have less liability for whatever damage occurs,” he said.
Change Your Passwords
The starting point for the SolarWinds attack was a third party’s email account where the default password secrets had never been changed. Simply changing your password could help protect you, Esparza said.
Focus on Your Employees
“We’re constantly seeing data that shows cyber risk strategies are imbalanced, overly focused on technology and under-invested in people and processes,” Esparza said adding that her company recently released an update to its software product platform called People, Process, Technology, or PPT, Insight that has a fully automated capability to identify and manage cybersecurity risk in human processes “so it would be easier for leaders to see any imbalance in their [cybersecurity] strategy and understand how to correct it.”
Cyber awareness training is also necessary, so that people not to click on harmful links in their email and get phished, Esparza said.
Enforce Your Cybersecurity Policies
“Oftentimes, we overlook or neglect the enforcement of the cyber policies that exist to protect the company… policies can be written procedures, tools can be in place, but if it’s not enforced or not followed in practice, it’s all for nothing,” Esparza said.