The backdoor compromise of the SolarWinds Orion network management application is having a dramatic impact on the 18,000 organizations that installed the software with the malicious code in it. Already we know of at least 5 government agencies and a private company, FireEye, that have confirmed that their networks were compromised. According to Microsoft, a number of think tanks and NGOs were also impacted. Community IT Innovators is providing these SolarWinds Breach Updates for Nonprofits to start the conversation on next steps your organization may need to take as more information becomes available.
It is a sobering situation that an external threat actor gained persistent access to so many networks. Although the threat actors focused their espionage efforts on high value government and enterprise targets, it seems clear they had planned to maintain persistence in other networks for later exploits.
Unless you are a very large nonprofit organization, it is unlikely that you have been directly impacted by this initial breach.
Nevertheless, there are important lessons to be learned from this incident, and it is a reminder of why cybersecurity controls matter. If you do not have these controls in place at your own organization, we recommend implementing them as soon as possible.
As this compromise shows, it’s not a question of if your organization is going to be attacked, but when. Do you know what your next steps are? Do you know what steps your IT provider (in-house or MSP) will pursue? Don’t wait to find out.
It is nearly impossible to function as an organization without multiple vendors in many areas of tech. And your HR, database, cloud service providers, and other vendors also have a vendor supply chain. With so many systems in the cloud and supported by multiple third-party vendors, it is important to understand the protections your vendors have implemented to protect your data, and when and how they will communicate with you if you are exposed.
Talk to your organization’s insurance broker to discuss what coverage you have and how to determine what coverage you need. If your provider does not offer cyber-specific insurance, look for an insurance provider who does.
We’re seeing evidence that this is a very sophisticated attack that used a range of techniques to compromise a vendor’s trusted software. None of the controls in place at FireEye or Microsoft or the various government agencies were able to detect the initial compromise, which may have been in place since October 2019.
Nonprofit organizations often have a long way to go when it comes to securing their IT systems. That journey should focus on the basics. We detail a comprehensive list in our Cybersecurity Playbook.