It was recently revealed that SolarWinds, a prominent software company, experienced a major cybersecurity breach that impacted multiple high-level targets like Microsoft and multiple U.S. government agencies. The decision to attack a company that, among other products, sells remote monitoring software was like setting a bomb: waiting until the right moment, the shrapnel hit many targets at once. Organizations around the world are suffering from this attack, and there’s still more compromised systems to be found.
Next steps for small business cybersecurity post-SolarWinds
So what can you, as a regular person with a small business, do? We’ve complied seven steps you can take to feel more secure in your organization’s protection:
No more compromising on cybersecurity
Cybersecurity is no longer an accessory, upgrade, or option for organizations that are serious about growth and maintaining integrity within their industries. Your IT cannot simply be, “I’ve budgeted for a few computers this year, so security is covered.” Fixing or replacing a computer isn’t the same as proactively testing for weakness in your armor. And antivirus isn’t the “first defense” like it was in the past — it’s the last thing you want to alert you, because antivirus alerts mean someone is already in your system. It’s the equivalent of not having locks on your door but having an intruder alert set up in your bedroom.
Acknowledge that your organization can be compromised
Let’s all say it together: “my organization can be compromised.” Breathe. There, the difficult first step is out of the way. Now, what do we mean when we say that? It means that no matter what excuses you have in your head, there’s opportunities for hackers. You should always be prepared for the worst (while hoping for the best). You’re no SolarWinds, you’re too small to be on anyone’s radar? Different hackers hit different targets — some hacks or hackers specialize in small businesses because they’re easier to hack. You have a cybersecurity plan in place? Well, it still has opportunities for hacks. Yes, even a good cybersecurity plan has opportunities for hackers. But the best plans include mitigating factors that can help make your plan stronger. Your strategy should be set up in layers of security. Opportunities on one layer are blocked by other layers. And if the worst does come to pass, you’re protected with a mixture of encryption and backup.
Talk to an IT Services Provider and see if they can help
The best team to help you sort through all the complications of cybersecurity is an IT Services Provider that has a cybersecurity focus. Not all providers are alike, so make sure you scout out a few. If you’re in the NY/NJ or MD/VA areas, Integris might be a good fit and we’d love to chat. If you’re not, you can ask other businessowners and see if they have recommendations. Or just open up Google and take a look at some of the local providers and their websites.
Plan (and don’t dread) your cybersecurity budget
IT has costs attached, and a new cybersecurity strategy may have larger up-front project costs. What many companies don’t understand is that IT is an investment — a worthwhile investment, but an investment, nonetheless. There’s value to it that you may not initially put a sticker price on, like increased productivity via a streamlined system using products like Microsoft Teams, reduced downtime with a stronger system and regular backups, the peace-of-mind knowing you’re protected from things like ransomware attacks. One of the biggest impacts of this year in cybersecurity is that compliance and security can actually help an organization to make money. Showing that you have firm IT policies that are enforced through a certification or documentation improves your organization’s reputation for doing things right, and that helps you to gain more business. Having help from your Managed Services Provider will also take the pressure off your organization to try and figure everything out. Remember that compliance, security frameworks, and protection are a team exercise. You cannot shoulder all of this yourself. It is better to have someone that can translate everything that you need so that you can properly budget for change. A Managed Services Provider (MSP) can help you navigate technology in a superior fashion.
Know your industry and its IT security compliance requirements
If you’re in a particular industry, you know that you might be holding very sensitive information. In some cases, you may have a legal obligation to protect this information. Your IT provider should offer compliance consulting to make sure your business is protected. Health care organizations need to conform to HIPAA regulations. New York insurance, banking and financial services need to follow The New York Department of Financial Services (NYDFS) cybersecurity regulations. Organizations that handle or accept contracts from the Department of Defense need to deal with the new Cybersecurity Maturity Model Certification (CMMC). The consequences can be very high — in the case of CMMC, failure to meet these controls, provide a certification, or maintain the certification allow agencies within the government to immediately terminate a contract. Make sure you stay on top of industry regulation and avoid being caught by surprise.
Understand that your policy is a living document
A trap we’ve seen organizations fall into is that they’ve agreed with everything else on this list, made strides to start a strong cybersecurity platform, and then… let it fall by the wayside, as time passes and other important things come down the pipeline. It’s just policy. It’s just a document in a folder somewhere. It’s outdated, anyway. Don’t fall into this trap! If you get to this point, you’re so close. Don’t throw it all away in the final stretch. Your cybersecurity policy should be an integral part of your organization. It shouldn’t be ignored, and it shouldn’t be bent. It should be referred to on a regular basis, and it should be reviewed and updated when needed.
Know your vendors
If nothing else, the SolarWinds breach exposes something we’ve known for a long time. Organizations need to maintain a list of vendors and start asking their vendor’s questions. For example:
- Does the vendor have compliance needs? How are they meeting those needs?
- Do they know what compliance your organization needs to meet?
- What reports do they have available?
When you call a vendor, they shouldn’t be upset that you’re performing due diligence to protect your organization. They should be helpful in allowing you to achieve your goal for cybersecurity. Remember that just because an organization is not required to maintain a specific level of compliance doesn’t mean that they don’t have to follow a security framework.
The bottom line
The SolarWinds hack is alarming, but there are still concrete options for your business to protect yourself from incidents like this. We hope this helps enlighten the steps you can take, or at least gets you to begin thinking about cybersecurity. If you’re curious to see what Integris could do for your organization, check out our approach to IT services and cybersecurity, and feel free to contact us.