By Ira Winkler, chief information security officer, Skyline Technology Solutions
- You’ve heard the arguments about why core IT services are still being run in-house, and you haven’t pushed back. Now, it may be time to force the issue.
- The unfortunate reality: Few IT organizations are able to make emergency software updates in a timely fashion.
- Data loss — whether financial or nonfinancial records — can have serious fiscal and reputational ramifications. Don’t let this crisis go to waste.
Last month, Microsoft announced a major vulnerability in its Exchange Server software — what Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency, called “a crazy huge hack.”
In brief: A sophisticated attacker, based in China, gained access to Exchange email servers in January and stole data from tens of thousands, if not hundreds of thousands, of organizations, including large and small companies, nonprofits and municipalities. No one knows exactly how many were affected, but a lot of CIOs are now spending significant time and money scrambling to find out if data was stolen or if malware is hiding on their systems.
Given the scope of the attack, we likely won’t know for a long time the actual extent of the harm. One thing we do know: Companies that use Exchange Online, Microsoft's cloud-based email and calendar service, are not scrambling. If your company runs Office 365, you did not have to take any action. Microsoft quickly and automatically updated its cloud software.
Running On-Prem? It’s Time for Some Conversations
If your organization has Exchange running in a server closet somewhere, make sure that your technical team has updated the software. Then, think seriously about outsourcing your email and any other in-house services you can. The finance function has a lot to lose if the company is compromised.
In my own discussions with cybersecurity professionals recently, I have been struck by the number of very large, very technical companies that didn’t have to scramble because they chose to outsource. If these firms, which have more than enough skilled staff to maintain their technical architectures, are using cloud versions of common software, you should ask why your company is choosing to do differently.
Your IT department likely has a variety of justifications for keeping technology in-house. They may argue that it’s less expensive and that they can better control costs. Running an application on your own hardware comes at a fixed fee, and you may have sunk investments in infrastructure. There’s no money budgeted for an outsourced option. They might argue that you have a full-time staff to maintain hardware and systems. If you outsource, what happens to them? And it goes on.
Some industries keep processes in-house due to legal concerns. For example, if a cloud provider maintains a service, law enforcement can subpoena the provider for information, and you may not have a say in, or even knowledge of, the proceedings. So law firms and media outlets, for example, may want to maintain some software in-house.
At another level, your CIO may contend — though not in so many words — that if you don’t trust the team to run basic software like email, then you can’t trust them to run applications.
Attackers Have Time, Money & Smarts
There are legitimate arguments for running some systems internally, generally around control, privacy, competitive differentiation and support.
Sure, cloud services occasionally have outages. The reality, though, is that these concerns rarely stack up against the operational efficiency, cost savings and security benefits of cloud. As a CFO, you are responsible for asking questions and helping frame the discussion around cost/benefit. Yes, there’s a lot going on right now. But at the time of this writing, thousands of companies are being compromised every day because they failed to properly secure their Exchange Servers, long after the problem was announced.
Even reasonably large IT departments have a hard time staying on top of vulnerabilities. Then there’s the time required to plan how to fix problems, when to take down production systems and who will test the updated system to ensure it is working properly. None of these is a consideration when software is delivered as a service.
If your IT team believes that these are non-issues, let them justify that in terms of dollars and cents. Otherwise, my advice is to use this latest “crazy huge hack” to start the conversation about moving your software services to cloud providers.
Tips for Having ‘The Talk’
Be proactive by:
- Determining which applications you run internally that have cloud-based alternatives. IT should be able to easily generate a self-assessment of assets and processes that handle your critical data or that must be available for operations.
- Tallying the total cost of ownership — hardware, software, personnel, training, support contracts — of those applications compared with the cloud alternatives.
- Asking your internal team or a consultant specializing in security risk assessments to generate a report on the consequences of potential vulnerabilities in your in-house software and IT’s ability to stay abreast of threats and update software in a timely manner. What’s their time to patch systems, the impact of an outage and the process for scheduling upgrades?
- Quantifying the impact of a potential breach on each on-premises system.
With that data in hand, leadership can perform a true cost/benefit analysis of moving various applications to the cloud.
While I, as a CISO, would welcome this conversation, I know of many CIOs and CISOs who could be offended by the implications of these questions. Should this be the case, you, as a CFO, should hold firm and inform them that you are responsible for managing all financial risks and optimizing expenses. If they start throwing around technical jargon, remind them that these systems impact operations, risk and finance, and that these critical concerns transcend the technology.
Hopefully, this won’t be an uncomfortable conversation, but if it is, it is likely an even more important talk to have, as technical leaders may not understand that “their” systems are a critical aspect of the organization’s financial health.
There is never a guarantee of security; however, cloud providers typically do a better job securing services than your IT team. This is not only OK to discuss — frankly, your company’s future health may depend on that conversation.
Finance leaders are expected to deliver insights and analysis to help make all sorts of critical business decisions. That includes budgeting for and prioritizing security and data protection measures.
Ira Winkler, CISSP, is CISO for Skyline Technology Solutions and author of “You Can Stop Stupid.” By day, he performs espionage simulations and assists organizations in developing cost-effective security programs. Ira won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader.
Ira is also author of “Corporate Espionage,” the bestselling “Through the Eyes of the Enemy,” “Advanced Persistent Security,” “Spies Among Us” and “Zen and the Art of Information Security.” He writes for a variety of industry publications and has been a keynote speaker at most major information security events.
Ira began his career at the National Security Agency and went on to serve as president of the Internet Security Advisors Group, chief security strategist at HP Consulting, and director of technology of the National Computer Security Association. He was also on the graduate and undergraduate faculties of the Johns Hopkins University and the University of Maryland.