The SolarWinds breach has stayed in the headlines because of its impact on organizations across the market, and court hearings for the company are now heating up. The breach has changed many opinions in cybersecurity since its discovery in December 2020, one of them being Congress’ viewpoint on mandatory breach reporting.
In March 2020, the Solarium Commission, a high-level study group, recommended federal law implement a mandate on notifications. This shows the direction the cyber industry was moving even before the breach. Now, the SolarWinds breach has shed a new light on this topic and boosted its priority as the investigations uncover more information.
Earlier this year, a House bill passed requiring the Department of Homeland Security to create a cyber incident reporting program with oversight from CISA (the Cybersecurity & Infrastructure Security Agency). However, the Senate rejected the bill after the Chamber of Commerce called for its rejection, explaining that it “undercuts public-private cybersecurity collaboration”.
The idealistic view is that if incidents must be reported to a government agency, nothing will go undetected and breaches will be handled with full transparency. Either way, anything that raises awareness of the need for cybersecurity and of how damaging breaches can be is beneficial.
Mandatory breach notification is a customer-forward approach, but it raises many concerns around the definition of a breach. A breach is a legal definition that differs between states and compliance frameworks, and fully investigating an incident may well take days or weeks, extending past a mandatory reporting deadline. At the federal level, this definition has not yet been set in stone across the United States.
Another important aspect of this situation is that third-party services can be a major concern for supply-chain or vendor remote access. Threat actors are fully aware that they can use a third-party vendor to infiltrate many different organizations at once, which is exactly what happened in the SolarWinds breach. If your organization uses third-party management software or services, understand the risks that come with them. Understand how that third-party software interacts with your organization, or better yet, leverage the expertise of a trusted security monitoring firm to handle the relationship between your organization and the third-party vendor.
At SpearTip, we understand the need for outsourced IT, MSP, and third-party support. SpearTip has created a security solution specifically for these IT vendors to partner with, allowing our ShadowSpear® Platform to protect their clients through SpearTip’s Channel program. As mentioned above, access to many different networks and organizations is what makes third-party vendors a prime target for malicious threat actors.
Since we haven’t seen the last of the fallout from the SolarWinds breach, it is always reassuring to be engaged with the right security firms before a breach occurs. No executive wants to be stuck in the spotlight for failing to notify affected customers or patients that their sensitive data was accessed and published by malicious threat actors. Enduring a cyberattack is already a large enough obstacle to overcome in itself, so don’t allow it to ruin the trust of your customers, patients, and supporters. Be responsible, be transparent, but most of all, be proactive.