
“Attackers only need to solve it once”: how cybersecurity raided the meeting room



Three days after being named to lead US software group SolarWinds, Sudhakar Ramakrishna received a phone call any CEO would dread.

The company’s general counsel had telephoned to warn him that malware had been detected in updates sent to thousands of customers in the public and private sectors.

“My first reaction was really one of curiosity,” recalls the veteran technology executive. “I started visualizing what could have happened.”

Ramakrishna was not expected to take over until the following month but, given the severity of the attack, part of a cyber-espionage campaign the US government later blamed on Russia, he was quickly appointed to the SolarWinds board so that he could receive daily updates. Within days, he was reviewing his top 10 priorities for his new job to account for the radically changed circumstances.

Few CEOs experience such a baptism of fire: the attack prompted the United States to set up a high-level task force to coordinate its response. Fewer still would respond as coolly. For leaders, cyber attacks “seem to be much more personal [and] emotional” compared with other crises, according to Michael Smets, professor of management at the Saïd Business School, Oxford.

Even a mock attack can push executives to the brink. Luxembourg’s House of Cybersecurity organizes an intensive one-hour exercise for business leaders, called Room #42, to promote resilience to cyber threats. Twice, executives have “lost control,” even yelling at colleagues, says Pascal Steichen, who runs the cyber resiliency unit.

Such responses may reflect a gap exposed by a recent report that Smets and others prepared for Istari, the cyber risk management company owned by Singapore’s Temasek. All 37 CEOs interviewed for the study said the buck stops with them on cyber security, but nearly three-quarters were uncomfortable making decisions about it.

What is obvious is that the threat is growing. Since the 2020 SolarWinds hack, dubbed Sunburst, hackers have taken the Colonial Pipeline network offline with a ransomware demand, causing fuel shortages in parts of the US, broken into The Guardian newspaper’s internal systems, and forced the UK’s Royal Mail to temporarily suspend its international postal services. This month, USS, the UK’s largest private sector pension scheme, warned that the personal data of around 470,000 members may have been exposed in a cyber attack on outsourcing group Capita.

As experts point out, hacking is an asymmetric threat. “Attackers only have to solve it once,” says Kelly Richdale, a board director and cybersecurity consultant. Steichen says Luxembourg’s simulator, which looks for flaws in a company’s systems, is modeled on popular escape rooms, except “you can’t escape, you can only fail.”

Senior leaders are increasingly realizing that if no system is completely protected from attempted breaches, it is not enough to focus only on technological responses. Experts say CEOs should not shift accountability onto their chief information security officer, or even their audit committee. Instead, they should treat cyberattacks as a strategic matter, to be handled at the highest level. Properly approached as a risk management issue, the threat can also be an opportunity to identify strategically important operations and even improve the business as a whole.

“You get better all the time but you’re never completely sure,” says SolarWinds’ Ramakrishna. “You don’t work from a position of fear, but constant learning and constant improvement.”

Regulators have helped put cybersecurity firmly on the agenda of boardrooms. The United States Securities and Exchange Commission, the Bank of England and the European Central Bank are among the regulators that have increased their focus on cyber resilience over the past year. For example, an SEC proposal would require public companies to disclose the cybersecurity expertise of directors, “if any.” “Not every [board] member must be a financial risk expert, but each must be able to read a spreadsheet or P&L [profit and loss account],” points out Richdale. Likewise, “the board needs to know the basics of cyberattacks and digital concepts,” a level of knowledge that many companies lack, she says.

Achieving or hiring this level of expertise is easier for larger companies, adds Mitchell Scherr of cybersecurity firm Assured Cyber Protection: “In midsize companies, the board doesn’t know what questions to ask and the techs don’t know what to provide to the board.”

This gap is particularly dangerous because it is often small and medium-sized businesses that inadvertently open a backdoor to larger targets for hackers, through so-called “supply chain attacks”. Sunburst was a classic, if particularly sophisticated, example, because SolarWinds software had been installed by many customers (although the company estimates that fewer than 100 private companies and nine federal agencies were targeted). Another was last year’s attack on Australian health insurer Medibank, where the hackers gained access to customer data with a stolen username and password used by an external IT service provider. “The perimeter of cyber [security] has expanded,” Richdale said.

Sudhakar Ramakrishna, who began his tenure as CEO of SolarWinds in the midst of a cyberattack, says he learned that “you can’t solve all problems yourself” © Demetrius Freeman-Pool/Getty Images

This places the problem directly on the desk of CEOs, whose role is to maintain a strategic view of risks and opportunities that spans the entire supply network. CEOs and boards of directors are also best placed to assess reputational risk. Experts say leaders are better placed than CISOs to identify the “jewels in the crown,” the strategically important businesses or operations that require the highest level of protection. For a hotel, it might be guests’ passport details; for a spa, customer health data; for a manufacturer, intellectual property. Scherr recalls a Chinese company that hacked a start-up under the guise of ordering its products. The attacker copied the target’s innovative technique and began manufacturing and selling the same items at a quarter of the price. Once companies have addressed the major risks, they can move on to cover any residual risk with cyber insurance.

Istari’s Manuel Hepfer says the push for greater cyber resilience can also offer opportunities to streamline processes. “The CIO came to present at an executive meeting and asked us how many servers we thought the company had,” a chief executive told Istari. “The lowest estimate in the room was four, the highest 250. The reality was more than 4,000. This was a stimulus for all of us to understand more. We realize that we spend millions every year on this type of technology, but we don’t really understand it.”

Istari has identified a “paradox of preparation”: companies that said they were best positioned to withstand a cyberattack were less likely to be ready. Leaders whose businesses had already been hacked said they were better able to rebuild, which Oxford’s Smets likens to kintsugi, the Japanese art of repairing broken pottery with gold.

Ramakrishna says he has rebuilt the SolarWinds culture around transparency, collaboration and humility. “You won’t be able to solve all the problems by yourself. You may need help from the community,” he says. Asked what he would recommend to other leaders, he urges them to adopt the same “transparency bias” SolarWinds uses and to share knowledge of a cyberattack with their wider network.

How far to partner with rivals in a crisis is a decision that probably only the CEO and board can make. Most err on the side of secrecy. Steichen from Luxembourg says that 70% of companies that have run a Room #42 simulation do not seek external assistance to manage a cyber crisis. “Our general motto is: ‘Don’t suffer in silence,’” he says.

The SolarWinds mantra is “secure by design”. Ramakrishna describes it as a “forever project”. Could a Sunburst-style attack happen again? Ramakrishna points to recent breaches at “security-rich” companies, such as Microsoft, whose Exchange email program was attacked by alleged Chinese hackers in 2021: “It could happen to SolarWinds, any other company, regardless of its size, scope, resources,” says Ramakrishna. “What we can do is work together to reduce the likelihood.”
