In several important ways, the SolarWinds hack is unique: few companies have the same level of software dominance at the highest levels of government and industry or merit the kind of targeting from a state-sponsored APT group.
In a broader sense, they’re facing a similar reality that many other companies find themselves in following a bad breach: scrambling to determine the full scope of their security failures while facing increased costs from insurers, heightened scrutiny from government regulators and a loss of trust from their customers and other stakeholders.
We know breaches can devastate a business financially and taint their brand in the eyes of the public, but a survey of 1,000 Americans from cybersecurity firm Varonis earlier this year sheds additional light on how the public perceives a company following a data breach. That perception can depend on a number of factors, including what they sell. Retail stores and hotels, where IT is one component of an otherwise largely brick-and-mortar product or service, suffered the least, with 42 percent and 20 percent of respondents respectively saying they were likely to shop at those businesses again even after they were breached. Companies that tend to rely more on digital or software-based services were judged more harshly, with banks (17 percent), social media sites (14 percent) and rideshare services (7 percent) seeing substantially lower rates of repeat business after potentially exposing customer data.
If technology and storing customer data are ancillary or complementary parts of your business, it can be easier to come back from a bad breach, said Andrew Gilman, President and CEO of CommCore Consulting Group, which works with breached companies on crisis communications strategy.
“If it’s the sole thing you do, then obviously you could have a more precipitous drop” in confidence from stakeholders and the public, he said.
One example the survey cites of a business winning back the trust of customers is Target, which was widely criticized for the way it handled a 2013 breach and saw its CEO fired, but also used the incident to conduct a widespread reevaluation of its security. While data from BrandIndex showed that Target took a substantial hit (54 percent) in consumer perception in the year following the incident, they had recovered most of those losses by 2018.
But Target could also fall back on the strength of its overall brand and a long history of successfully serving their customers’ needs, qualities that can also play a big factor in restoring a company’s pre-breach reputation.
“How much do you have in the goodwill bank account?” Gilman asked. “In the PR world, we often say you need three deposits for every withdrawal. So, the more I work with you, the more history I have with you, the more things have gone well, the more likely I am to understand -- not forgive -- the damage and continue working with you.”
While nearly every breach is unique, Gilman said the first things he tries to establish in the wake of a security incident are what is known and unknown about the incident, which employees, executives and outside consultants will make up the response team, and what to do if and when law enforcement joins the conversation. Often, it’s senior members of the IT team, legal, the chief information security officer, other members of the C-Suite and outside consultants such as himself that make up the core team. Sometimes, depending on the affected parts of the organization or data, members of HR or internal comms staff will also be brought onboard.
There’s a running joke in the cybersecurity industry about how often companies fall back on boilerplate statements in the wake of a breach, including the uniform use of the phrase “we take the security and privacy of your data seriously.” As cliché and hollow as this comes across sometimes, Gilman said companies are often discouraged by law enforcement or their legal counsel from sharing any information or statement, something that often gets interpreted by clients, stakeholders and the general public as admitting you are “guilty as charged.”
Expressing understanding and empathy at the costs of a breach is an important part of regaining trust, but only if it’s paired with meaningful actions or steps that put substance behind those claims.
Many cybersecurity experts have praised FireEye for the way it has handled its breach by promptly informing the public and regulators like the Securities and Exchange Commission, acknowledging that their penetration tools were stolen and publicly releasing indicators of compromise to detect unauthorized use of those tools in the wild.
They were also able to use the details of their own breach to forensically track what turned out to be a massive, widespread, foreign-directed cyber espionage campaign that touched top government, military and industrial organizations. Target used their own breach as an opportunity to switch security strategies, relying less on “buying security” through expensive tools and software and focusing more on fundamental but often overlooked best practices, like configuration and tuning.
Meanwhile, SolarWinds has received criticism from some cybersecurity experts for the way they’ve communicated with the public about the details behind the incident, how it’s impacted their customers, what security failures may have led to the malicious code being inserted into their software update process and what they’re doing to course correct and improve security.
Chris Roberts, virtual CISO and advisor to a number of companies and agencies that are responding to the hack, said the software provider’s delayed remediation activities, inability to answer relevant questions from customers and tight-lipped approach to discussing any identified failures stand in stark contrast to companies like FireEye and Microsoft, who have gone out of their way to release actionable information designed to help companies triage in the face of an ongoing crisis and call for improvements in the overall cybersecurity ecosystem.
“When you’ve got other companies putting out more information than you are [about your breach], you have a problem,” said Roberts during an interview with SC Media Editor in Chief Jill Aitoro. “Their FAQ was terrible, it was written…between somebody in marketing and somebody in legal. They didn’t answer the questions properly, it avoided basically giving any information. They didn’t take it on the chin, they played the old game of ‘well we’re going to deflect until we know.’”
The end result is a loss of trust and confidence not just from current and potential customers, but also from large chunks of the cybersecurity community that are responsible for evaluating the security risks of products for their less technical C-suite bosses who set purchasing strategy. Roberts thinks the damage to SolarWinds’ reputation has been so significant that “the only way they recover from this is handing their entire codebase over to individuals in the [cybersecurity] community” for a public security audit.
If an organization is viewed as showing disregard for its customers’ data or putting its own immediate financial interests above their stakeholders, it can overshadow many other aspects of the incident response. Questions about insider trading have emerged after the Washington Post reported that two major investors, Silver Lake and Thoma Bravo, sold a combined $286 million in SolarWinds stock on Dec. 7, days before the breach became public and the company share price lost more than a fifth of its value.
The trades happened shortly after CEO Kevin Thompson, who also reportedly sold $15 million in company stock a month before, resigned. Both Silver Lake and Thoma Bravo have released statements denying they had foreknowledge of the compromise at the time of the deals.
One of the less obvious impacts from a bad breach is how it affects a company’s insurance rates. Jeremy Turner, a security engineer and head of threat intelligence at cyber insurance firm Coalition, told SC Media that their internal data indicates companies with an outstanding claim related to a cyberattack can expect to see their deductibles double and premiums increase by an average of 30-50 percent following the incident. In some cases, they are placed in higher risk categories that make it harder to get offers for coverage.
“I can tell you 100 percent that the insurance market is reacting very strongly to this, there are significant rate increases across vast swaths of industry or even all policies in general for some carriers and that’s sending shockwaves through the market,” said Turner, who clarified that he views this as “unfortunate” and “not fair” and that Coalition has declined to take this approach with their policyholders.
In the case of SolarWinds, insurers have to take into account not only the impact on the company but also its vast customer base. SolarWinds told the SEC that 18,000 customers installed the malicious update, while FireEye CEO Kevin Mandia has said that “probably only about 50 organizations, somewhere in that zone, were genuinely impacted.”
If, as early reports indicate, the compromise was part of a straight espionage campaign by hackers working for the Russian government, there is less risk of that data being exposed to the broader public in a way that is particularly damaging for a company’s liability. The Equifax hack, for example, is believed to have been carried out by hackers aligned with the Chinese government. The personal data of nearly 150 million Americans that was pilfered has yet to show up for sale on the dark web the way it might for a ransomware attack or other forms of e-crime.
For companies that are able to confirm their level of compromise, the most important thing insurers look for in a response “is addressing the root cause.”
But they must also contend with the very real possibility that the hackers may have used their initial access into organizational networks to create other backdoors for future operations down the line. That record of persistence from APT groups and ambiguity about which companies are actually compromised create layers of uncertainty and risk that must be calculated.
With “SolarWinds as a company and FireEye as a company, I certainly sympathize because while they are the headline, they’re certainly not the only companies that are compromised right now,” said Turner.