Balancing Crime, Error, and Expectations
Written by Robert Vescio, SSIC Chief Analytics Officer and Inventor of X-Analytics, and Christopher Hetner, Managing Director of Strategic Initiatives, Risk Executive, and Board Director
It is an unfortunate truth, especially in cyberspace, that mistakes happen. Despite the effort a company puts into policies, procedures, technologies, and executive instinct, mistakes will be part of its journey. Whether the company can shake off a mistake and weather the storm depends entirely on its resilience.
Okta, like too many companies before it, was the victim of a crime. In January 2022, an online extortion group called “Lapsus$” breached Okta via a third party. This cyber incident impacted 2.5% of Okta’s customers (366 customers). For clarity, an Okta customer is not an individual US citizen; it is one of the 15,000 organizations that use Okta to control access to their applications and data.
Okta’s customers include some of the world’s largest companies and US government agencies, and the criticism of Okta has been sharp.
“Just how good (which is to say, bad) is Okta’s security if its systems can be so easily outwitted by a bunch of kids?” – The Motley Fool, “Why Okta Stock Dropped Again Friday”
“Too many strikes, we’re out…Okta’s handling of the security incident adds to mounting concerns.” – Market Watch, “Okta stock sinks toward 2-year low after double downgrade at Raymond James”
“Multiple security professionals who spoke with Forbes said they were outraged by the lack of disclosure from Okta…” – Forbes, “Fury As Okta – The Company That Manages 100 Million Log-ins – Fails to Tell Customers About Breach for Months”
Figure: Okta Inc stock price (Google Finance) showing the dip following the breach notification.
Before passing too much judgement on Okta, let’s take a moment to deconstruct this cyber incident and look at the problem from several perspectives.
Deconstructing the Okta Lapsus$ Breach
The Okta Lapsus$ breach was not the first nor the last of its kind.
This was a supply chain incident: The breach appears to have originated at one of Okta’s third parties. The third party named was Sitel, which provides customer support services to Okta. More specifically, the breached computer reportedly belonged to an engineer working for Sykes, a subsidiary of Sitel. As described, this would actually be a fourth-party breach, impacting the third party as well as Okta.
This was an incident involving a commonly exploited protocol: The attackers used the Remote Desktop Protocol (RDP) to gain access to Okta and take the screenshots needed to prove their breach. RDP is one of several commonly exploited protocols. Companies, and their entire supply chain ecosystems, need to place better controls around these protocols.
This was an incident that involved a superuser account: Lapsus$ screenshots indicate they accessed a superuser account, which could have given them the ability to manipulate Okta’s customer accounts. However, Okta claims it enforces least privilege, and that the breached account did not give Lapsus$ the ability to create or delete users, download customer databases, or access source code. If this is true, then critics and shareholders should give Okta credit for implementing least privilege controls.
This was an incident that Okta could have communicated better: Yes, Okta could have been more transparent. In an age of early notification requirements and expectations, Okta could have communicated its initial concerns in January, provided updates and reassurances in February, and delivered final clarification and next steps in March. Even though this did not happen, it gives Okta a real opportunity to learn from its mistakes and right its course.
It is easy to jump on the bandwagon and criticize Okta. However, what would that solve and what would be learned?
Instead, let’s look at this incident from different perspectives to draw the right impressions of the impact on different stakeholders.
Let’s start with Okta’s customers. They depend on Okta’s services to maintain an element of strong cybersecurity, which also means they trust Okta. Part of this trust relates to Okta managing its own cybersecurity and operational integrity, and part relates to transparent communication about cybersecurity and operational missteps and incidents. Clearly, Okta could have been more forthright in its communications. Let’s hope they learn from this experience. On a positive note, Okta had least privilege and account management controls in place, which prevented this incident from being much worse.
Now let’s consider Okta’s executives and corporate directors. Even though Okta is a cybersecurity company, we cannot assume that its executive team and corporate directors are all cybersecurity experts. They depend on in-house and outside counsel, cybersecurity experts, and forensics experts to guide them, and the guidance ultimately comes down to deciding when a cyber incident is significant enough to communicate externally. Even though many expect early notification, we must also understand that premature notification can cause panic and confusion. In this case, the third party’s (Sitel’s) forensics team needed a month and a half to conduct its investigation and deliver a report, which then took Sitel 12 more days to deliver to Okta. Once Okta had the details, it communicated externally. Perhaps this is an opportunity for Okta to better understand the cyber risk that each supplier brings to the table, to further improve its vendor management and supplier assessment processes, and to negotiate better indemnification and warranty clauses with its suppliers.
Lastly, let’s consider Okta’s shareholders. This is the most vocal group. They are clearly upset over this cyber incident, as shown by the extreme adverse reaction that produced a –10.7% change in share price in a single day. However, many cybersecurity incidents cause only a temporary impact on share price, which tends to normalize within a month. In this case, the share price was already improving within six days. So perhaps this incident was not as material from a shareholder perspective as the critics made it out to be. In any case, Okta could use this opportunity to improve its understanding of its financial cyber expected loss, to define its risk tolerance in relation to materiality, and to improve its brand through transparent communication.
Figure: Okta Inc stock price (Google Finance) showing the recovery days after the breach notification.
SEC Disclosure Rules and Cyber Risk Transparency
From a macro lens, this incident highlights the larger topic of cyber risk transparency and disclosure. Economically, cyber risk is emerging as an existential threat to the global economy. Business leaders are increasingly challenged by shareholders and regulators who expect transparency not only on the technical details of known cyber incidents but also on their financial exposure, and on the financial materiality of the cyber risk the enterprise already carries.
In March 2022, the United States Securities and Exchange Commission added to its 2018 guidance with Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure, a rule that “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting…” This rule underscores the need for organizations to dedicate resources to understanding, and being ready to disclose, the financial relevance of cyber risk to the business, just as they do for other material enterprise risks.
By evaluating cyber risk financially, business leaders bring the full range of risk treatment options to the table: acceptance, risk mitigation through capability improvement, and risk transfer through cyber insurance.
Cyber mistakes will happen. All companies experience cyber incidents, whether due to malice, mistakes, or errors. The foundational question is “how well will your company respond?” To answer it, there are related questions to consider: How cyber resilient is your company? How much financial exposure from cyber risk exists because of your supply chain ecosystem? If there is a supply chain related cyber event, how much leverage do you have over your suppliers to speed up investigations and get answers? Was the cyber incident material, and should it be disclosed?
Shareholders, investors, and regulators are becoming increasingly savvy about the nature of cyber-attacks and are demanding greater transparency, both before and after cyber events, to understand the financial risks in play. As such, companies are going to need to answer the call by improving their approach and tooling for understanding cyber economics.
The Okta incident gives us all an opportunity to learn and adjust behaviors accordingly. Before being overly critical, just remember that your company could be the next one in the news. There is honor in being steady and understanding.