You may have heard it said on Wall Street: data is the new oil. If you look at the companies behind the stock market’s recent record highs, the ones with the highest valuations, they all have one thing in common – data-driven revenues.
That is why, by all reports, the suspected Russian hack of Orion, the flagship network monitoring platform of the omnipresent SolarWinds, may be the most expensive hack in history. The hack was meant not to violently disrupt, but to quietly steal a fortune in data. Protected government data, sensitive private data, financial data, and corporate data from 18,000 companies, financial institutions, and government agencies were laid bare for a period of over 6 months. The damage and cost are yet to be determined, if they ever will be.
Much has been written about the importance of security and hardening the systems against hacks and attacks, and how costly the stealing of data and disruption of business can be. But organizations that moved to just “comply” with the bare minimum HIPAA, SOC, and PCI guidelines had no defense against this sophisticated attack that used the very tools of secure network monitoring to perpetrate a hack and heist of an untold mountain of valuable data.
Interestingly, it was FireEye, itself a cybersecurity firm, that first discovered it had been hacked, and not through debugging code. As security experts, they intuitively understand that software tools alone can’t catch everything. Rather, secure processes implemented and managed by trained people, in sync with secure tools, are what keep your data and systems secure. It was a “login from new device” alert that tipped off the security experts at FireEye that something wasn’t right, and an investigation ensued. Once it was discovered that code from an update to the SolarWinds network monitoring platform had been hacked, they immediately knew that the hack wasn’t just on them: everyone, everywhere, had been compromised.
And that’s not an exaggeration. On an earnings call back in October, SolarWinds CEO Kevin Thompson bragged about the company’s reach. “We don’t think anyone else in the market is really even close in terms of the breadth of coverage we have,” he said. “We manage everyone’s network gear.”
So the lesson from 2020, and the resolution for 2021, is to not just lean on the bare minimum of compliance, which a company does to keep itself out of legal entanglements, but fully embrace security: tools, processes, and people, as a means to protect the most valuable thing your company owns, your data.
For a free consultation to discover whether your organization is truly compliant, and most importantly, secure, using people, processes, and tools, get in touch with us today.