It’s time to get serious about Business Resilience…

Transparency in the cybersecurity market is critical to building client confidence, and that confidence requires full business resiliency: detection, prevention and correction…

In a public announcement last week, OKTA, a global leader in multi-factor authentication, acknowledged, after several months, that over 350 clients had been exposed to a security breach in January 2022.

LAPSUS$, the hacker group behind the January attack, communicated with OKTA about the breach, only to have the company apparently ignore the group’s message. A few months later, the group exposed OKTA publicly by disclosing the breach. Only then, this week, did OKTA acknowledge the breach and its impact on their client base.

Many in the industry spoke out publicly, openly criticizing OKTA leadership for failing to disclose the breach months earlier.

Read the open letter to OKTA from Amit Yoran, CEO of Tenable, here.

Companies build trust with demonstrated business resilience

Every company is expected to be transparent with its clients and partners when issues arise. We take this particularly seriously as a cybersecurity company. After all, clients depend on our technology to protect their entire business operations, revenues, and product secrets.

OKTA isn’t the only technology company that has been affected by security breaches. Clearly, OKTA chose not to disclose in a timely manner. Other companies, such as Microsoft, took a better approach to communicating this event. Microsoft, which was similarly impacted, released a statement explaining that its approach to risk management meant that possession of the source code would not benefit the attackers even if they had accessed it.

“Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,” Microsoft said.

Microsoft communicated quickly and openly about the breach and the impact on their internal systems and user community. The company’s risk management approach to breaches should serve as a proper example for other companies to follow.  

Make business resilience a priority 

Manage the balance between prevention, detection and corrective action. Business resilience requires all three…

OKTA’s delayed announcement should serve as a wake-up call for organizations to better understand their ongoing risk management and their expectations for business resilience. Organizations that have invested millions of dollars in cybersecurity technology often lose the balance between detection, prevention and corrective action needed to achieve risk reduction and resilience.

Organizations become too dependent on one adaptive control, such as endpoint detection and response (EDR), while neglecting the security controls that are set up for prevention and correction, arguably the two most important components of a business resilience plan.

Understanding the C1RISK Strategy

Again, business resilience is the marriage of detection, correction and prevention. This trinity of actions must be balanced and unbroken. Without one, the others fail. Think of it this way…

  • Too much Detection – you’re likely spending too much money on controls you can’t afford to implement or on finding issues you can’t afford to fix.

  • Too much Correction – you’re spending too much money and you’re not taking enough risk.

  • No Prevention – you will have the same or more problems occurring, and reoccurring, and recurring.

Finally, a critical foundation for the above formula is a platform that enables you to continuously monitor, evaluate, prioritize and act on your detection data and on the subsequent correction and prevention.

For more information on C1Risk’s business resiliency solutions, visit us at C1Risk.com
