CYBERSECURITY BUDGET FAILURE!
Photo Credit: itsasap.com


Time and time again, I see information security programs fail due to having no budget, or a very minimal budget.... until something happens; then it is the ROLEX of budgets (at least for a few months).

Often, this is because the leader of the information security program (if there even is one) is not able to convey the risk in terms of ROI, profits and actual/potential loss.

We can say: "We stand to lose x MILLION if we experience breach a, b or c."

This is almost immediately taken as "The Burgeons are coming... aahhhhh" - and that statement gets filed in the back of executives' minds alongside Ancient Aliens and The Curse of Oak Island.


In this article, I am going to take you through a ride we are all VERY familiar with - one that translates to any for-profit company - through the beans:


In December of 2020, SolarWinds was reported as having been breached. At the beginning of 2020, SolarWinds (SW) showed its highest quarterly income, $247,000,000.00. By the end of 2020, SW reported quarterly earnings of $39,000,000.00. That is a total loss (without accounting for steady growth rates) of over $200,000,000.00 in a single quarter.

Chart (image): SW quarterly income, 2020. Source: MacroTrans.net



From an annual revenue perspective, SW went from almost 4.9 BILLION in 2016 to negative 709.195 MILLION in 2022.... SW went from making BILLIONS to losing MILLIONS.



Part of the loss showed up in the shares. SW went from Earnings Per Share (Basic EPS) of $1.01 to -$5.78 - a drop of over 600% - and shareholders were left holding that damage.

In the graphics from www.MacroTrend.com we see the above, plus the line "Income From Continuous Operations" going from $116.064 MILLION (2020) to -$929.413 MILLION (2022) - a change of more than 1 BILLION.


What makes this particular case notable is that it involves both a software vendor and MSPs. Numerous companies, such as TeamLogic IT, provided the SW product suite as a software solution for their customers in their role as MSP/IT support companies. To note, this is NOT the fault of the MSPs - they are MSPs, not MSSPs - so they were providing services using whatever software was competitive and representative of their business, and SW fit perfectly into that category.


What the "F" does this do for me?


Answer: Here is a very well-followed security event at an org that did seemingly EVERYTHING wrong. Just as "Jumping the Shark" came from "The Fonz" in the 1970s, SW has given us the term "Blame It on the Intern".

What does a seasoned information security practitioner see from the SW breach?


  • The password solarwinds123 shows that no AD policy was implemented to enforce all 4 character types (abc ABC 123 !@#)
  • "The intern had access" shows that roles were not developed (at least not properly) via Active Directory policies. (Does Least Privilege ring a bell?)
  • Either no, or an improperly configured, Intrusion Detection System (IDS)
  • Either no, or an improperly configured, Intrusion Prevention System (IPS)
  • Integrity scans over the past 9 months were not being reviewed, or even initiated? (The updates that were built became infected before being deployed to SW users via the update service.) In layman's terms, the update file at deployment was not the same size as it was at creation.
  • IF a policy existed for passwords, it was not enforced. Not the AD technical policy, but the corporate policy - and/or an accompanying standard.
  • Mandiant (part of Google Cloud) first reported the findings that led to the discovery of the SW breach; reports allege that the "infection" had been making changes to the update service packages for approximately 9 months.
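The integrity-scan point in the list above (an update package that is not the same at deployment as it was at creation) can be checked mechanically. The following is an added example, not SolarWinds' or any vendor's code: it records the size and SHA-256 of each build artifact at creation, re-checks them before deployment, and also shows why size alone is not enough. File names (update.bin, agent.dll) and contents are constructed samples.

```python
import hashlib
import os
import tempfile


def build_manifest(paths):
    """Record size and SHA-256 of each artifact at creation (build) time."""
    manifest = {}
    for p in paths:
        h = hashlib.sha256()
        size = 0
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
                size += len(chunk)
        manifest[os.path.basename(p)] = {"size": size, "sha256": h.hexdigest()}
    return manifest


def verify_before_deploy(manifest, paths):
    """Re-hash each artifact at deployment time; return (name, finding) pairs.

    Size is checked first because it is the cheap signal the article mentions;
    the hash is what actually catches a same-size modification."""
    findings = []
    current = build_manifest(paths)
    for name, expected in manifest.items():
        actual = current.get(name)
        if actual is None:
            findings.append((name, "missing at deployment"))
        elif actual["size"] != expected["size"]:
            findings.append((name, f"size changed {expected['size']} -> {actual['size']}"))
        elif actual["sha256"] != expected["sha256"]:
            findings.append((name, "content changed, size identical"))
    return findings


def demo():
    """Constructed scenario: two artifacts built, both altered before deployment."""
    tmp = tempfile.mkdtemp()
    pkg = os.path.join(tmp, "update.bin")
    lib = os.path.join(tmp, "agent.dll")
    with open(pkg, "wb") as f:
        f.write(b"legitimate update payload v1.0")   # 30 bytes at build
    with open(lib, "wb") as f:
        f.write(b"agent binary image")               # 18 bytes at build
    manifest = build_manifest([pkg, lib])            # what the build pipeline records
    with open(pkg, "ab") as f:
        f.write(b"extra")                            # unauthorized change that grows the file
    with open(lib, "wb") as f:
        f.write(b"agent binary imagE")               # unauthorized change, same length
    return verify_before_deploy(manifest, [pkg, lib])
```

A pipeline that only stores the manifest alongside the artifacts in the same writable location gains little; the recorded hashes belong somewhere the build output cannot overwrite.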


If you are a bean-counter, it is not hard to assume something happened at SW after March 31st, 2020. The quarterly gains had been steady and climbing until June 6th, 2020, when they suddenly froze, then dropped by around $140 MILLION (the difference in just one Q). Can we assume that SOMETHING happened internally after the March 2020 report (9 months prior to Mandiant's report)? We would expect 3-9 months for customers to find a replacement for the infected SW solution they are/were on, which would be on par with the drop in the Quarterly Earnings Report of March 31st, 2021:

Chart (image): SW quarterly earnings through March 31st, 2021. Source: MacroTrend.net



Budgets speak volumes - not just the reported annual or quarterly revenue numbers, but the spending.


Translating to the CFO, CEO and Board of Directors:


#Ransomware is not "just a loss" of the payment, but WILL cripple your organization by VASTLY reducing the number of customers, immediate market share and ability to acquire more customers - if any additional customers at all.


I estimated (personally) that SW would file for bankruptcy within 6-12 months of Mandiant releasing its details - either by defaulting, or by force.


The total cost, so far, to its customers is reported to be between 750 BILLION and 3.5 TRILLION, depending on the various sources still flooding the internets.


So.... your org will not give YOU the budget you need to update systems, enable services, activate scanning and logging, and provide competent HAKs (Hands At Keyboards)? Bring this information to them, and ask if THEY want to fail while making excuses, rather than setting an example. Just assemble this information so that it makes sense for your industry, organization and market.


It is YOUR narrative..... then, when you transfer that risk to your C-Suite and BoD... it is THEIR narrative. And there is no golden parachute when a company fails.... no money to give, no money to give.
