A year ago, the business world entered 2021 still reeling from the catastrophic SolarWinds attack that impacted thousands of organizations and put software supply chain risks on everyone’s radar — from government officials to enterprise CEOs to small business owners.
To say it was a watershed moment would be an understatement. Considered one of the most damaging data breaches in history, SolarWinds’ long-term impact continues to be tallied. The attack highlighted inherent weaknesses in software supply chains — many exacerbated by the global pandemic — and showed us just how far attacker innovation has come. It kicked off a series of events that would define 2021 and became the lens through which all subsequent cybersecurity incidents are viewed. Yet as we enter 2022 — the “post-SolarWinds era” — has anything actually changed in terms of how organizations protect themselves? We recently polled a small group of enterprise security professionals to find out.*
What (If Anything) Has Changed Since the SolarWinds Attack?
According to our research, the cybersecurity community has mixed feelings about where things stand a year later. The impulse is to say that organizations have collectively emerged stronger and more prepared for what’s ahead, but that may not actually be the case.
What’s clear from our findings is that organizations are very aware of supply chain risks: 86% of organizations either “strongly agree” or “somewhat agree” that the supply chain continues to be a vulnerability, while 88% either “strongly” or “somewhat” agree that we’ll likely see an increase in sophisticated attacks like SolarWinds.
“I think that the SolarWinds attack was eye-opening, emphasizing critical risks associated with the software supply chain. I believe supply chain risks were treated with somewhat lower priority until this attack, and now are elevated in importance. Greater awareness and understanding of these risks definitely make us work harder to be secure.”
– Privileged Account Management Professional, Global Financial Institution
There’s broad consensus on the need to embrace a Zero Trust model — and overall mindset — to reduce risk: 62% either “strongly agree” or “somewhat agree” that their organization is moving toward Zero Trust since the SolarWinds attack. Meanwhile, 98% agree that implementing strong Identity Security policies and controls that restrict privileged access to Tier 0 systems will help them make this shift to Zero Trust by reducing exposure and enabling earlier detection.
“I believe that the SolarWinds case has shown that Zero Trust policies should apply not only to internal/external users but also to third-party suppliers. The threat has been described before, but there was no such case that impacted so many companies before.”
– Anonymous Respondent
In some cases, this heightened awareness of supply chain vulnerabilities has translated to action: 20% “strongly agree” that their organization has closely examined their supply chain for vulnerabilities and attack points and has taken action to mitigate risks.
“We started defining risk criteria for different types of suppliers’ services such as supplier and customer dependencies, critical software dependencies and single points of failure.”
– Anonymous Respondent
But unfortunately, in many organizations, things haven’t changed much at all:
- 42% “strongly disagree,” “somewhat disagree” or “do not know” if their organization has defined risk criteria for the critical software dependencies in their organization’s software supply chain.
- When asked if their organization validates third-party code and software before using them, 35% either “strongly disagree” or “somewhat disagree.”
- 32% of respondents either “strongly agree” or “somewhat agree” that their organization underestimates the effect an attack like SolarWinds can have.
- As a result, approximately one-quarter (26%) do not believe that, or do not know if, their organization is more equipped to defend against similar attacks since SolarWinds.
“A year later and still the same challenges.”
– Information Security Engineer, Large Financial Institution
Where to Go from Here?
Strong supply chain security must be more than a resolution this year — it must become a reality. A starting point is simply acknowledging the fact that any identity – human or machine – within your organization could be a target. With this “assume breach” mindset, you can focus and prioritize your efforts on stopping threats from compromising identities and breaking the privileged attack chain to protect your organization’s most valuable assets.
The time for action is now because, as one senior systems engineer at a large healthcare organization put it, “This story is far from over.”
*CyberArk data is based on an informal survey conducted with a set of security professionals based in the United States and Europe, sample size <100. Free-form survey responses have been edited for length and clarity.