Prevent a Supply-Chain Type Attack from Hitting Your Small Business
Original Information Courtesy of inc.com
What to learn from what may be the most significant cyber-attack in modern history.
The major lesson: Don’t let it happen again.
The lessons learned from the SolarWinds Hack, which hit government agencies and private companies alike, should prove instructive and help prevent future incursions.
SolarWinds Hack: What You Need to Know
Hackers inserted malicious code into an update of SolarWinds’ software, a product organizations use to see what is happening on their computer networks. To date, around 18,000 SolarWinds customers have installed the tainted update onto their systems.
The hackers knew that by infecting software that is loaded onto many systems, a single compromise would reach every customer who installed the update. This is what is known as a supply-chain attack.
What this means for small businesses is that hackers do not always have to trick individual targets. With a supply-chain attack they compromise the software while it is being built or distributed, and the victims infect themselves by installing what looks like a legitimate update from a trusted vendor.
1. Assess and Act
You cannot protect all assets equally; prioritizing them allows you to know where to invest resources.
Prioritize your assets and determine how you might protect your data. You cannot protect all assets equally; prioritizing them allows you to know where to invest resources. Additionally, you should know what functions make economic sense and, from a security perspective, what to keep or build in-house and what functions should be outsourced. A common step in small business security is moving data storage to the cloud. As you determine what to outsource, it is important to remember that outsourcing a function does not outsource your responsibility: you still own the risk to your data, wherever it is stored.
2. Manage Your Risk
As a small business, you need to determine which risks you can tolerate and which ones you cannot.
You should have a list of requirements, based on your own security and risk management profile, that you require of all of your vendors and third-party suppliers. For example, you should ask how they protect their own data and what protocols they follow for protecting your data, including how they secure the software and updates they deliver to you. The fundamental tenet of cybersecurity is risk management. As a small business, you need to determine which risks you can tolerate and which ones you cannot.
3. Focus on Employees
Human beings, your employees, can be your greatest vulnerability or they can be a force multiplier for security in your organization.
With limited resources, small businesses should focus on the resources they do have–specifically, employees. The foundation of good cybersecurity is human behavior, not technology alone. Human beings, your employees, can be your greatest vulnerability or they can be a force multiplier for security in your organization. A trained, educated, and informed workforce can be a powerful and resilient asset in any enterprise.
Start by educating each employee on their responsibility and accountability for security in your organization. Specifically, train your employees on strong authentication. Strong authentication means using a passphrase of at least 15 characters to log into your network and using different passphrases for personal and business accounts. Many major cyber breaches begin with a compromised password. One of the access points to SolarWinds had the password solarwinds123, the company name followed by three digits: stunningly simple and extremely easy to guess. Length alone is not enough, either; a passphrase that has already appeared in a breach is weak however long it is, so check new passphrases against a list of known compromised passwords. In addition to strong passphrases, ensure that your employees use multi-factor authentication whenever possible.
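As an added example (not code from the original article or from SolarWinds), here is a passphrase policy check in Python. It enforces the 15-character minimum, rejects a passphrase that contains the organization's name (an added rule, illustrated by the solarwinds123 case), and checks the candidate against a list of known compromised passwords using the SHA-1 prefix/suffix split that k-anonymity range lookups use, so a client never has to send a full password hash. The breach list below is a constructed stand-in, not real breach data.

```python
"""Passphrase policy check with an offline compromised-password lookup.

Added example, not from the original article. CONSTRUCTED_BREACH_CORPUS is a
tiny constructed stand-in for a real corpus (e.g. a downloaded breach list);
the organization-name rule and the 5-character range prefix are assumptions
made for this example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

MIN_LENGTH = 15   # the article's minimum passphrase length
PREFIX_LEN = 5    # prefix length used by k-anonymity style range lookups

# Constructed sample data: stands in for a real compromised-password corpus.
CONSTRUCTED_BREACH_CORPUS = [
    "solarwinds123",              # the password cited in the article
    "password123456789",          # 17 chars: long, yet compromised
    "Summer2020!",
    "correcthorsebatterystaple",  # long and memorable, but widely published
]


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the digest format breach corpora publish."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus) -> dict[str, set[str]]:
    """Index digests by their prefix. Each bucket is what a range query
    would return; the caller matches the remaining suffix locally."""
    index: dict[str, set[str]] = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def is_compromised(passphrase: str, index) -> bool:
    """True if the passphrase's hash suffix appears in its prefix bucket."""
    digest = sha1_hex(passphrase)
    return digest[PREFIX_LEN:] in index.get(digest[:PREFIX_LEN], set())


@dataclass
class PolicyResult:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def check_passphrase(passphrase: str, index, org_name: str | None = None) -> PolicyResult:
    """Apply every rule and report all failures, not just the first."""
    reasons: list[str] = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if org_name and org_name.lower() in passphrase.lower():
        reasons.append("contains the organization name")
    if is_compromised(passphrase, index):
        reasons.append("appears in a breach corpus")
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for candidate in ("solarwinds123", "password123456789", "blue kettle whistles at dawn"):
        print(f"{candidate!r}: {check_passphrase(candidate, idx, org_name='SolarWinds')}")
```

In a real deployment the range bucket comes from a breach-lookup service or a locally stored corpus instead of the constructed list, and the check runs at password creation and reset time, before the credential is ever accepted.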
4. Back up Your Data
Any enterprise, large or small, should back up its critical data on a separate network.
Once ransomware has infiltrated your system, it can be extremely difficult to remediate quickly and effectively. Paying a ransom can be expensive, and you are not guaranteed the recovery of your data if you pay. The first step you should take to prevent ransomware is to ensure strong authentication on all of your networks so the hackers cannot gain access. The second important step any enterprise, large or small, should take is to back up your critical data on a separate network, isolated or offline so that ransomware that reaches your production systems cannot also encrypt the backups. Then commit to testing that backup regularly by actually restoring from it, so you know it is current and that the restore works.
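As an added example (not from the original article), the following Python script is a backup-and-restore drill of the kind the paragraph calls for: it backs up a constructed data set into a compressed archive with a SHA-256 manifest, restores the archive into a fresh directory and verifies every file against the manifest, then shows the same check catching a restored file that has been overwritten. All paths are temporary directories the script creates, and the sample files are constructed for the example; the archive layout and manifest format are choices made here, not those of any particular backup product.

```python
"""Backup-and-restore verification drill.

Added example, not code from the original article. The data set, archive
name and manifest format are constructed for this example.
"""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Write backup.tar.gz plus a manifest; later verification compares against
    the manifest, so it is stored alongside the archive."""
    archive = dest_dir / "backup.tar.gz"
    manifest = dest_dir / "backup.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest.write_text(json.dumps(make_manifest(source), sort_keys=True, indent=2))
    return archive, manifest


def compare_to_manifest(manifest: Path, restored: Path) -> list[str]:
    """Return a list of problems; an empty list means the restore is intact."""
    expected = json.loads(manifest.read_text())
    actual = make_manifest(restored)
    problems = [f"missing: {n}" for n in expected if n not in actual]
    problems += [f"checksum mismatch: {n}" for n in expected
                 if n in actual and actual[n] != expected[n]]
    problems += [f"unexpected: {n}" for n in actual if n not in expected]
    return problems


def restore_and_verify(archive: Path, manifest: Path, restore_dir: Path) -> list[str]:
    """Extract the archive into restore_dir and check it against the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+, backported to 3.8.17/3.9.17/
            # 3.10.12/3.11.4) refuses absolute paths and ".." members, so a
            # tampered archive cannot write outside restore_dir.
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(restore_dir)
    return compare_to_manifest(manifest, restore_dir)


def run_drill() -> tuple[list[str], list[str]]:
    """Run the drill end to end. Returns (problems on a clean restore,
    problems after one restored file is overwritten)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        root = Path(tmpdir)
        source = root / "data"
        (source / "invoices").mkdir(parents=True)
        # Constructed sample files standing in for real business data.
        (source / "invoices" / "2021-01.csv").write_text("id,amount\n1,100\n")
        (source / "customers.db").write_bytes(os.urandom(4096))
        backups = root / "backups"
        backups.mkdir()
        archive, manifest = create_backup(source, backups)

        restore_dir = root / "restore"
        clean = restore_and_verify(archive, manifest, restore_dir)

        # Simulate ransomware having encrypted one restored file in place.
        (restore_dir / "customers.db").write_bytes(b"ENCRYPTED" + os.urandom(4096))
        tampered = compare_to_manifest(manifest, restore_dir)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_drill()
    print("clean restore problems:", clean)
    print("after tampering:", tampered)
```

In practice the archive and manifest would be written to the separate, isolated backup network and the restore drill run on a schedule, with the manifest kept where ransomware on the production network cannot reach it; a drill that reports an empty problem list is the evidence that the backup is both current and restorable.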
None of these steps individually is a silver bullet for combating cyber threats. But, together, they will improve your cybersecurity, harden your enterprise through resilience, and make it more difficult for potential hackers to access your networks. Remember, you are the one responsible for the security of your organization, and you will be held accountable for whatever choices you make. In the wake of the SolarWinds attack, every organization must assess its priorities and its risk appetite, and take basic actions to create a foundation and culture of security for its enterprise, large or small.