The SolarWinds hack, which hit government agencies and private companies alike, is startling in its scope, but as a business owner you would do well to consider how it got as big as it did. The lessons already drawn from this event are instructive and can help prevent future incursions.
As a small business with limited resources, you will likely look to standards in your sector or to market leaders for best practices -- including the selection of technologies that will help secure your business. When shopping for software to protect your small business, you might be impressed by a customer list that includes large, well-known, successful companies. And who could blame you? Giant companies have entire departments set up to assess a product or service. That is both how SolarWinds got so big and how small businesses got wrapped up in its recent hack, which is widely regarded as one of the most significant cyberattacks in modern history.
You might think none of this applies to you, but you would be wrong. In our increasingly interdependent, digital world, attackers often do not waste time trying to breach a fortified global enterprise when easier targets sit in its supply chain. And that can happen anywhere -- whether it is Target breached through its HVAC vendor, an oil company breached by malware hidden in a Chinese restaurant's online menu that its IT staff downloaded to order the evening takeout, or an IT software provider, like SolarWinds, breached to gain access to the nation's digital infrastructure and operations -- all real-world examples.
If large, sophisticated organizations with big budgets and huge IT departments have difficulty securing their global operations, then how can small businesses secure their operations? Here are four things you can do:
1. Assess and act.
Prioritize your assets and determine how you will protect your data. You cannot protect all assets equally; prioritizing them tells you where to invest limited resources. You should also know which functions make economic sense, and are safe from a security perspective, to keep or build in-house, and which should be outsourced. A common early step for small businesses is moving data storage to the cloud. As you decide what to outsource, remember that outsourcing a function does not outsource your responsibility: a cloud provider secures its infrastructure, but you still own who can access your data, how the service is configured, and what you choose to store there.
2. Manage your risk.
You should have a list of requirements, based on your own security and risk management profile, that you require of all of your vendors and third-party suppliers. For example, ask how they protect their own data, what controls they apply to yours, and how quickly they will notify you if they are breached. The fundamental tenet of cybersecurity is risk management. As a small business, you need to determine which risks you can tolerate and which ones you cannot.
3. Focus on employees.
With limited resources, small businesses should focus on the resources they do have -- specifically, employees. The foundation of good cybersecurity is human behavior, not technology alone. Human beings, your employees, can be your greatest vulnerability or they can be a force multiplier for security in your organization. A trained, educated, and informed workforce can be a powerful and resilient asset in any enterprise. Start by educating each employee on their responsibility and accountability for security in your organization. Specifically, train your employees on strong authentication. That means a passphrase of at least 15 characters to log into your network, a different passphrase for every account, and never sharing passphrases between personal and business use. A large share of major breaches begin with a compromised credential. A SolarWinds update server was reported to have been protected by the password solarwinds123 -- stunningly simple and trivially guessable. In addition to strong passphrases, ensure that your employees use multifactor authentication wherever it is offered, so that a stolen or guessed passphrase alone is not enough to get in.
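The passphrase rules above, turned into a check a small business could put in front of account creation. This is an added example, not code from the article or from SolarWinds; it enforces the 15-character minimum the article recommends and adds two checks a practitioner would want that the article does not spell out: rejecting values found on a known-weak list and rejecting passphrases that embed the organization's name. The weak-password list, the organization name, and the "personal account" hash are constructed for the example; multifactor authentication is outside what a passphrase checker can show.

```python
"""Passphrase policy check (added example; not from the article).

Rejects a candidate passphrase when it is too short, appears on a
known-weak list, contains the organization's name, or is reused from a
personal account. The list, org name, and personal-account hash below are
constructed stand-ins for the example.
"""
import hashlib
from typing import List, Set

MIN_LENGTH = 15  # the article's recommended minimum

# Constructed stand-in for a breached/common-password corpus. In practice
# this would be loaded from a large breach list, ideally as hashes.
KNOWN_WEAK: Set[str] = {"password", "solarwinds123", "123456", "letmein", "qwerty"}


def _sha256(text: str) -> str:
    """Hash a passphrase so the checker never stores plaintext."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Hashes of passphrases the user already uses elsewhere (personal accounts).
# Constructed for the example; a real deployment would collect these from a
# password manager or an enterprise sync, never as plaintext.
PERSONAL_HASHES: Set[str] = {_sha256("my-personal-netflix-passphrase")}


def _alnum(text: str) -> str:
    """Lower-case and strip non-alphanumerics so 'Solar-Winds' matches 'solarwinds'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def check_passphrase(candidate: str, org_name: str = "Example Co") -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in KNOWN_WEAK:
        problems.append("appears on the known-weak password list")
    org_token = _alnum(org_name)
    if org_token and org_token in _alnum(candidate):
        problems.append("contains the organization name")
    if _sha256(candidate) in PERSONAL_HASHES:
        problems.append("reused from a personal account")
    return problems


if __name__ == "__main__":
    for pw in ("solarwinds123", "correct horse battery staple 2024"):
        print(pw, "->", check_passphrase(pw, org_name="SolarWinds") or "ok")
```

Note that the well-known SolarWinds password fails three of the four checks at once; length alone would have caught it, but the list and organization-name checks are what stop a user from choosing "solarwinds123456789", which is 18 characters and still a guess away.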
4. Back up your data.
Throughout the pandemic, we have seen a dramatic increase in ransomware. Ransomware holds your critical data hostage to a ransom. Once ransomware has infiltrated your systems, it can be extremely difficult to remediate quickly and effectively. Paying a ransom is expensive, and paying does not guarantee you get your data back. The first step in preventing ransomware is strong authentication on everything reachable from the network, so attackers cannot simply log in; keeping systems patched and teaching staff to spot phishing closes the other common doors. The second step any enterprise -- large or small -- should take is to back up critical data to storage that is offline or otherwise isolated from your production network, so an attacker who gains access to your systems cannot encrypt or delete the backups along with the live data. Then commit to testing that backup regularly, by actually restoring from it, so you know it is current and that the restore works before you need it.
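What "test your backup" looks like in practice, as an added example that is not code from the article: back up a directory to an archive, record a SHA-256 manifest next to it, then prove the backup is usable by restoring it into a scratch directory and comparing every file to the manifest. The sample files are constructed inside a temporary directory, and the backup destination is a plain local folder standing in for the isolated storage the article calls for; the `run_demo` function also replaces the archive with a damaged one to show the restore test catching it.

```python
"""Backup with a restore test (added example; not from the article).

make_backup()    archives a directory and writes a SHA-256 manifest.
verify_restore() restores into a scratch directory and checks every file.
run_demo()       builds constructed sample data and exercises both paths.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dest_dir: Path) -> Path:
    """Archive src into dest_dir/backup.tar.gz and write backup.sha256 beside it."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    (dest_dir / "backup.sha256").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items())
    )
    return archive


def verify_restore(archive: Path, manifest_path: Path) -> bool:
    """Restore the archive into a scratch dir and compare each file to the manifest."""
    expected: Dict[str, str] = {}
    for line in manifest_path.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    # Use the 'data' extraction filter where available: it refuses entries
    # that would escape the target directory (tar path traversal).
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
            for rel, digest in expected.items():
                restored = Path(scratch) / rel
                if not restored.is_file() or sha256_file(restored) != digest:
                    return False
    except (tarfile.TarError, OSError, EOFError):
        return False  # unreadable or truncated archive is a failed restore
    return True


def run_demo() -> Dict[str, bool]:
    """Constructed sample data: back it up, test it, then damage the archive."""
    with tempfile.TemporaryDirectory() as work_dir:
        work = Path(work_dir)
        src = work / "data"
        (src / "customers").mkdir(parents=True)
        (src / "customers" / "list.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (src / "ledger.txt").write_text("2024-01-01 opening balance 100\n")

        archive = make_backup(src, work / "backup")
        manifest = work / "backup" / "backup.sha256"
        results = {"clean": verify_restore(archive, manifest)}

        # Simulate a bad backup: the archive silently lost ledger.txt
        # while the manifest still lists it. A restore test must notice.
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src / "customers" / "list.csv", arcname="customers/list.csv")
        results["damaged"] = verify_restore(archive, manifest)
        return results


if __name__ == "__main__":
    print(run_demo())  # expect {'clean': True, 'damaged': False}
```

The manifest is what turns "the backup job ran" into "the backup can be restored": it is written at backup time, and the restore test is only meaningful because it compares against that record rather than against whatever is on the live system today.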
None of these steps individually is a silver bullet against cyberthreats. Together, though, they improve your security, harden your enterprise through resilience, and make it harder for attackers to get into your networks. Whenever we invest significantly in resources or employees, we look to standards and referrals for guidance. But we should treat those referrals and standards as guidelines, not as scripts for action. Remember, you are the one responsible for the security of your organization, and you will be held accountable for the choices you make. In the wake of the SolarWinds attack, every organization must assess its priorities and its appetite for risk, and take basic actions to create a foundation and culture of security for its enterprise, large or small.