In late 2020, SolarWinds experienced a cybersecurity breach that exposed many Fortune 500 companies and US government agency systems to outside hackers. Many haven’t heard of SolarWinds and/or weren’t aware of this situation, but this is an important situation for any CIO, IT Director, business owner, or executive to understand.
First, it helps to understand what SolarWinds is. Essentially, SolarWinds is an IT network and application management company that hosts and manages their customer systems and infrastructure via the cloud. In addition, their offering includes IT service management, data management, hosting applications, and a variety of other IT infrastructure needs.
The interesting – and potentially risky – aspect of leveraging a service like SolarWinds is that it by definition has access to your systems. In other words, your applications, systems, and data may have strong security protocols, but that doesn’t matter if a third-party service accessing your systems (such as SolarWinds) exposes those systems to security breaches due to its own vulnerabilities. This appears to be what happened with many SolarWinds customers.
The problem experienced by SolarWinds? Outside hackers used their platform to hack into their customers’ core systems in data. In other words, they weren’t hacking SolarWinds because they wanted to get into their system; they did it because they wanted to use it as a sort of back door to other core applications of some of the biggest organizations in the world.
The video below outlines some of the lessons from the SolarWinds hack:
Most organizations host sensitive data in their systems. In addition to internal financial data, they typically host a variety of data such as customer orders, product information, employee information, HR files, supply chain info, and a plethora of other information and data.
The implications of data security are very real. In addition to the risks of exposing sensitive data to nefarious actors inside and outside your company, organizations need to adhere to regulatory requirements such as GDPR (General Data Protection Regulation) in Europe. For this reason, it is important to lock down your internal systems – as well as any third-party services or applications that may access those systems as well.
The SolarWinds hack raises an ongoing debate for many: are cloud ERP systems more or less secure than on-premise? It helps to first dispel some common myths.
First, on-premise systems are only as secure as your internal IT staff’s competencies and cybersecurity protocols. Large companies such as SolarWinds - as well as cloud ERP vendors such as NetSuite, SAP S/4HANA, Microsoft Dynamics 365, and others – are more likely to invest big money to protect their infrastructures and their customers’ systems. They simply have too much to lose by falling short and are also more likely to have world-class cybersecurity protections.
Second, any perceived benefit of on-premise is negated by cloud systems that may access your on-premise technology. With more of the top ERP systems moving to the cloud, it is rare to find a system architecture that is 100% on-premise. Cloud software bolt-ons indirectly expose on-premise systems to the risks of the cloud.
On the other hand, large cloud providers are more likely to be targeted than an unknown small or mid-size company. While they may spend more to protect their masses of customers, systems, and data, they are also under more pressure from outside hackers and potential cybersecurity breaches. The bottom line? Cloud systems aren’t going anywhere anytime soon, so it is important to learn to live with both the benefits and the risks.
One of the most overlooked cybersecurity risks is related to your own internal employees. Some risks are malicious in nature, while others are unintentional. In either case, it is important to recognize both the internal and external cybersecurity risks related to your systems, data, and overall infrastructure.
For example, many organizations fail to define and implement proper security profiles and controls in their business systems. Today’s systems are generally more flexible than ever, so it is critical that you tighten up processes and technology in a way that protects your organization from intentional or unintentional actions that can create problems.
The topic of cybersecurity is top of mind for many CIOs and business owners – especially in light of the recent SolarWinds breach and hack. It is important to assess your infrastructure, systems, and data to determine where the risks are and how you can mitigate risks.
Please feel free to contact me to brainstorm your cybersecurity situation with our team. Our cybersecurity team and I would be happy to be a sounding board as you continue your digitization journey!