Beyond SolarWinds: 7 Next Steps for Business Cybersecurity


December 22, 2020

It was recently revealed that SolarWinds, a prominent software company, experienced a major cybersecurity breach that impacted multiple high-level targets like Microsoft and multiple U.S. government agencies. The decision to attack a company that, among other products, sells remote monitoring software was like setting a bomb: waiting until the right moment, the shrapnel hit many targets at once. Organizations around the world are suffering from this attack, and there’s still more compromised systems to be found.


Next steps for small business cybersecurity post-SolarWinds

So what can you, as a regular person with a small business, do? We’ve complied seven steps you can take to feel more secure in your organization’s protection:


No more compromising on cybersecurity

Cybersecurity is no longer an accessory, upgrade, or option for organizations that are serious about growth and maintaining integrity within their industries. Your IT cannot simply be, “I’ve budgeted for a few computers this year, so security is covered.” Fixing or replacing a computer isn’t the same as proactively testing for weakness in your armor.   And antivirus isn’t the “first defense” like it was in the past — it’s the last thing you want to alert you, because antivirus alerts mean someone is already in your system. It’s the equivalent of not having locks on your door but having an intruder alert set up in your bedroom.


Acknowledge that your organization can be compromised

Let’s all say it together: “my organization can be compromised.” Breathe. There, the difficult first step is out of the way.   Now, what do we mean when we say that? It means that no matter what excuses you have in your head, there’s opportunities for hackers. You should always be prepared for the worst (while hoping for the best). You’re no SolarWinds, you’re too small to be on anyone’s radar? Different hackers hit different targets — some hacks or hackers specialize in small businesses because they’re easier to hack. You have a cybersecurity plan in place? Well, it still has opportunities for hacks.   Yes, even a good cybersecurity plan has opportunities for hackers. But the best plans include mitigating factors that can help make your plan stronger. Your strategy should be set up in layers of security. Opportunities on one layer are blocked by other layers. And if the worst does come to pass, you’re protected with a mixture of encryption and backup.


Talk to an IT Services Provider and see if they can help

The best team to help you sort through all the complications of cybersecurity is an IT Services Provider that has a cybersecurity focus. Not all providers are alike, so make sure you scout out a few. If you’re in the NY/NJ or MD/VA areas, Integris might be a good fit and we’d love to chat. If you’re not, you can ask other businessowners and see if they have recommendations. Or just open up Google and take a look at some of the local providers and their websites.


Plan (and don’t dread) your cybersecurity budget

IT has costs attached, and a new cybersecurity strategy may have larger up-front project costs. What many companies don’t understand is that IT is an investment — a worthwhile investment, but an investment, nonetheless. There’s value to it that you may not initially put a sticker price on, like increased productivity via a streamlined system using products like Microsoft Teams, reduced downtime with a stronger system and regular backups, the peace-of-mind knowing you’re protected from things like ransomware attacks.  One of the biggest impacts of this year in cybersecurity is that compliance and security can actually help an organization to make money. Showing that you have firm IT policies that are enforced through a certification or documentation improves your organization’s reputation for doing things right, and that helps you to gain more business. Having help from your Managed Services Provider will also take the pressure off your organization to try and figure everything out. Remember that compliance, security frameworks, and protection are a team exercise. You cannot shoulder all of this yourself. It is better to have someone that can translate everything that you need so that you can properly budget for change. A Managed Services Provider (MSP) can help you navigate technology in a superior fashion.


Know your industry and its IT security compliance requirements

If you’re in a particular industry, you know that you might be holding very sensitive information. In some cases, you may have a legal obligation to protect this information. Your IT provider should offer compliance consulting to make sure your business is protected.   Health care organizations need to conform to HIPAA regulations. New York insurance, banking and financial services need to follow The New York Department of Financial Services (NYDFS) cybersecurity regulations. Organizations that handle or accept contracts from the Department of Defense need to deal with the new Cybersecurity Maturity Model Certification (CMMC). The consequences can be very high — in the case of CMMC, failure to meet these controls, provide a certification, or maintain the certification allow agencies within the government to immediately terminate a contract.  Make sure you stay on top of industry regulation and avoid being caught by surprise.


Understand that your policy is a living document

A trap we’ve seen organizations fall into is that they’ve agreed with everything else on this list, made strides to start a strong cybersecurity platform, and then… let it fall by the wayside, as time passes and other important things come down the pipeline. It’s just policy. It’s just a document in a folder somewhere. It’s outdated, anyway.  Don’t fall into this trap! If you get to this point, you’re so close. Don’t throw it all away in the final stretch. Your cybersecurity policy should be an integral part of your organization. It shouldn’t be ignored, and it shouldn’t be bent. It should be referred to on a regular basis, and it should be reviewed and updated when needed.


Know your vendors

If nothing else, the SolarWinds breach exposes something we’ve known for a long time. Organizations need to maintain a list of vendors and start asking their vendor’s questions. For example:

  1. Does the vendor have compliance needs? How are they meeting those needs?
  2. Do they know what compliance your organization needs to meet?
  3. What reports do they have available?

When you call a vendor, they shouldn’t be upset that you’re performing due diligence to protect your organization. They should be helpful in allowing you to achieve your goal for cybersecurity. Remember that just because an organization is not required to maintain a specific level of compliance doesn’t mean that they don’t have to follow a security framework.


The bottom line

The SolarWinds hack is alarming, but there are still concrete options for your business to protect yourself from incidents like this. We hope this helps enlighten the steps you can take, or at least gets you to begin thinking about cybersecurity. If you’re curious to see what Integris could do for your organization, check out our approach to IT services and cybersecurity, and feel free to contact us.

Nick McCourt is a vCISO, CISSP at Integris.

Keep reading

Small Business Cybersecurity Guide: Tips from Top Consultants

Small Business Cybersecurity Guide: Tips from Top Consultants

If you've been putting off cybersecurity investments for your small company, the time to invest is now. There's never been a more critical time to address your small business cybersecurity. Consider these facts: The average cost for a data breach for a US company in...

Four Social Engineering Hacks You Need to Prevent in 2024

Four Social Engineering Hacks You Need to Prevent in 2024

In the first quarter of 2024, Statista reports over 963,000 unique phishing sites worldwide were detected, collectively sending out billions of spam emails a day. Is this number scary? You bet. But it's the growing sophistication of these social engineering attempts...

Updating Your Bank’s Security Training for the Age of AI

Updating Your Bank’s Security Training for the Age of AI

How much could AI-driven models like Copilot for M365, Google Gemini, or Apple Intelligence improve the productivity at your bank? The jury is still out on that one, but initial experiments place the overall AI-driven productivity gains for the US economy at between 8...