What to Do in Regard to the SolarWinds Hack
Federal authorities are now convinced that Russia is behind a cyberattack so massive and serious that they either won't or can't go into details. I am not sure which is worse. The little information available can be found on every major news site, so I will not rehash it. Instead, I'd like to offer you a strategic approach to dealing with an immutable law of 21st-century life: "There are only two types of business: companies that have been hacked and companies that don't know they have been hacked."
A little historical context
The idea of protecting business intelligence is as old as business itself. Since the Italian mathematician Luca Pacioli published his treatise on double-entry bookkeeping in 1494, accountants have been writing in ink. Nothing is deleted in a double-entry system: when a mistake is made, a reversing entry is posted to correct it. The goal is accuracy, consistency and a secure chain of information. In the past, accounting journals and ledgers were so valuable that they were locked in safes every day at close of business.
Fast forward to the emergence of our online world. Business units needed e-commerce; they had to collect all kinds of data and link it to the company's books. IT was asked to take something that was literally locked in a safe every night and find a way to make parts of it accessible. What could possibly go wrong?
While this is a gross oversimplification, the metaphor holds and provides a good mental model for a simple, effective strategy against the most serious social-engineering and cyberattack vectors.
Classification of your information
The US government has three levels of document classification: Confidential, Secret, and Top Secret. Everything else is "unclassified" by default, which means that anyone who can access it can read it. If you want to know exactly how the government classifies documents, google it; there are about a million writings on the subject.
What you need to think about is the hierarchical value of your data. What does "top secret" mean in your organization? What is "secret"? What is "confidential"? Do you have other levels? What information needs to be protected at all costs, and what information would you be happy to see publicly available online?
If you don't have a document hierarchy, you'll need to create one. You can't protect everything: truly top-secret information can be kept top secret, but at a real cost. So do your research and create clear guidelines for your document hierarchy. The best I've seen are super simple to understand and easy to execute. This is a workflow and process project. Bring your information management staff in at an early stage and make this solid group work. You may benefit from working with a risk management or cybersecurity advisor.
There are several proprietary document-processing tools that can scan work product and determine its classification. There are all kinds of privacy and big-brother problems with this type of technology, but it's an option to consider.
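The scanning tools mentioned above are proprietary, so as an added illustration (not code from this post or from any vendor) here is a minimal Python classifier that works the way the post describes: it looks for explicit classification markings and for content patterns, assigns the document the highest tier that matches, and maps that tier to the handling controls it requires. The three tiers come from the post; the detection rules, the control mapping and the sample documents are assumptions constructed for the example.

```python
import re

# Sensitivity tiers, lowest first: the post's three levels plus the
# default "unclassified" bucket for anything that carries no marking.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]

# Detection rules: (rule name, regex, tier it implies). Banners are taken at
# face value; the content heuristics are assumed examples of what an
# organisation might decide belongs in each tier.
RULES = [
    ("banner:top-secret", re.compile(r"\bTOP SECRET\b"), "top secret"),
    ("banner:secret", re.compile(r"(?<!TOP )\bSECRET\b"), "secret"),
    ("banner:confidential", re.compile(r"\bCONFIDENTIAL\b"), "confidential"),
    ("content:private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "top secret"),
    ("content:deal-terms", re.compile(r"\b(merger|acquisition|term sheet)\b", re.I), "secret"),
    ("content:card-number", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "confidential"),
]

# Minimum handling controls per tier (assumed policy, illustrative only).
CONTROLS = {
    "unclassified": {"encrypt_at_rest": False, "storage": "shared", "mfa_required": False},
    "confidential": {"encrypt_at_rest": True, "storage": "shared", "mfa_required": False},
    "secret": {"encrypt_at_rest": True, "storage": "restricted", "mfa_required": True},
    "top secret": {"encrypt_at_rest": True, "storage": "isolated", "mfa_required": True},
}

def classify(text):
    """Return (tier, matched rule names); the tier is the highest one any rule hit."""
    hits = [(name, level) for name, rx, level in RULES if rx.search(text)]
    if not hits:
        return "unclassified", []
    level = max((lvl for _, lvl in hits), key=LEVELS.index)
    return level, [name for name, _ in hits]

def required_controls(text):
    """Controls a document must receive, derived from its classification."""
    return CONTROLS[classify(text)[0]]

def misplaced(documents, current_storage):
    """Names of documents whose current storage tier is weaker than their tier requires."""
    rank = {"shared": 0, "restricted": 1, "isolated": 2}
    return [name for name, text in documents.items()
            if rank[current_storage[name]] < rank[required_controls(text)["storage"]]]

if __name__ == "__main__":
    # Constructed sample documents and where they currently live.
    docs = {"newsletter": "Quarterly newsletter draft",
            "board-memo": "Board memo on the proposed acquisition",
            "signing-key": "TOP SECRET\n-----BEGIN RSA PRIVATE KEY-----\n..."}
    where = {"newsletter": "shared", "board-memo": "shared", "signing-key": "isolated"}
    for name, text in docs.items():
        print(name, classify(text), required_controls(text))
    print("needs moving:", misplaced(docs, where))
```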
Protect your data
Once you've implemented a document hierarchy, it's time to choose an encryption scheme and a storage solution. This is another job in which qualified consultants can be of value.
The strategy is simple. You invest appropriately to protect the documents and information you choose to protect, and let everything else enjoy the shared protection that commercial systems offer.