
What happened?
A state-sponsored hacking group was able to insert malware into a popular SolarWinds Orion update that was distributed globally in March 2020. This malware “phoned home” to hackers, enabling them to take control of affected networks. Since the update came from the company and was digitally signed by SolarWinds, organizations could not know their software was compromised. In many instances, hackers were able to take full control, maintain their control, and go unnoticed for several months.
Are you impacted?
The first question you should be asking of your IT group is: “Has the SolarWinds hack affected our organization?”
At first glance, many organizations would seem to be in the clear: unless you have been running SolarWinds Orion on your network, you likely have not been directly affected. While this appears to be good news, your concern should not end there. Your organization's data and your customers' information may still be indirectly exposed through a third party that was affected.
What can you do?
First, identify whether you have been running vulnerable versions of SolarWinds Orion on your network. If the answer is yes, activate your Incident Response Program immediately and begin the mitigation activities laid out in the Department of Homeland Security's Emergency Directive 21-01. Consider working with legal representation to draft a letter that can be shared with customers or vendors who request information about your exposure, and (depending on your industry) notify your regulators of the event and your planned actions.
Assuming you were not directly impacted by this event, your next step should be to proactively reach out to every data custodian, vendor, service provider, consultant, and contractor with access to your networks or data. Each one should be required to provide a formal response stating whether or not they are vulnerable, why they believe they are not or are no longer vulnerable, what actions they have taken, and any other relevant information. All of this should be done promptly, formally documented, and incorporated into your vendor management program results for the year.
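The first step above, checking whether any host on your network runs an affected Orion Platform build, is easy to get wrong when done by eye because Orion versions carry a hotfix suffix ("2020.2 HF1") that does not sort as a plain dotted version. The following script is an added example, not code from the original advisory or from SolarWinds: it parses Orion-style version strings, compares each inventoried host against an inclusive affected range, and sends any host whose version it cannot parse to a manual-review bucket instead of quietly treating it as clean. The inventory is constructed sample data, and the range bounds AFFECTED_FROM and AFFECTED_TO are placeholders to be replaced with the builds listed in Emergency Directive 21-01 and the SolarWinds advisory.

```python
from __future__ import annotations

import csv
import io
import re

# Constructed sample inventory (not real data): the kind of export an asset
# management tool or a software-inventory report produces.
SAMPLE_INVENTORY = """host,product,version
orion-01,SolarWinds Orion Platform,2020.2 HF1
orion-02,SolarWinds Orion Platform,2019.4 HF5
orion-03,SolarWinds Orion Platform,2018.4 HF3
orion-04,SolarWinds Orion Platform,2020.2.1 HF2
orion-05,SolarWinds Orion Platform,build-unknown
db-01,Microsoft SQL Server,15.0.2000.5
"""

# PLACEHOLDER bounds for the affected Orion Platform builds. These are not
# taken from the advisory; replace them with the range published in
# Emergency Directive 21-01 before running this against a real inventory.
AFFECTED_FROM = "2019.4 HF5"
AFFECTED_TO = "2020.2 HF1"

# Accepts "2020.2", "2020.2 HF1", "2020.2.1 HF1" (hotfix separator optional).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_orion_version(text: str) -> tuple[int, int, int, int]:
    """Turn '2020.2.1 HF1' into (2020, 2, 1, 1) so versions compare as tuples.

    A missing patch or hotfix component counts as 0, so '2020.2' sorts before
    '2020.2 HF1', which sorts before '2020.2.1'. Raises ValueError on anything
    that does not look like an Orion Platform version string.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def find_affected_hosts(
    inventory_csv: str, affected_from: str, affected_to: str
) -> dict[str, list[str]]:
    """Classify every Orion host in a CSV inventory with host,product,version columns.

    Returns {"affected": [...], "not_affected": [...], "review": [...]}.
    Hosts whose Orion version cannot be parsed land in "review" rather than
    being silently treated as safe: an unknown build is not evidence of a
    clean one.
    """
    low = parse_orion_version(affected_from)
    high = parse_orion_version(affected_to)
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "orion" not in row["product"].lower():
            continue  # only Orion Platform installs are in scope
        try:
            version = parse_orion_version(row["version"])
        except ValueError:
            result["review"].append(row["host"])
            continue
        bucket = "affected" if low <= version <= high else "not_affected"
        result[bucket].append(row["host"])
    return result


if __name__ == "__main__":
    triage = find_affected_hosts(SAMPLE_INVENTORY, AFFECTED_FROM, AFFECTED_TO)
    for bucket, hosts in triage.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Any host in the "affected" or "review" buckets is a reason to activate the Incident Response Program; the script only narrows the list, it does not prove a host is clean, since a patched build says nothing about what happened before the patch was applied.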
What now?
We are continuing to research this event and will be sharing updates as new information becomes available. If you have any questions, give us a call.