Foundation Accounting Software describes itself as the #1 accounting software in the US for construction companies, and by all appearances it is good, useful software. All kinds of construction-related businesses use it, including those in the HVAC and plumbing fields, among others.
But recently, Foundation Accounting Software clients experienced cyber breaches via this third-party software. To sum up, cybercriminals used a default administrator setting in the software to infiltrate users’ systems. These companies likely did not even know about the issue until Foundation reached out and made them aware that their systems had been breached.
This situation is not an outlier. You can’t conclude that a software company is slack or neglectful just based on situations like this; it is a common occurrence. In fact, some improved cyber hygiene on the part of the clients themselves might have prevented the criminals’ access. And that is the primary takeaway here: business owners cannot control what their third-party software manufacturers do (or fail to do). You need software for your business, and you buy the one that fits your industry and circumstances best. However, there are elements of this situation that you CAN control.
Do you need it?
First, before you purchase software, make sure that you need it. This sounds silly, but we often find that business owners might do better to use a tool they already have access to. While the shiny new software seems like it would help your business, sometimes you are buying an expensive, exceptionally robust tool when a simple tool like Teams, Word, or Excel could serve the purpose more efficiently. Of course, this isn’t always true, but we see “overpowered” tools in use often enough that it is worth asking whether a particular piece of software is necessary and effective for your circumstances.
Vet the Vendor
Another simple step is to vet your vendors. Some businesses may have access to tools that measure security ratings for various vendors. But many won’t have those tools, nor do they have the time and resources to do a deep dive on the issue. However, once you have decided that software is necessary for some particular aspect of your business, even a simple Google search is worthwhile as you decide which software to use.
Have it professionally installed
This is important: yes, spend the extra dough to have a professional install the software for your company. Often, to cut corners, an SMB appoints some employee with apparent tech savvy to install software for the whole company. Know that you take significant risks when you do this; the process is more complex than simply clicking the “Install” button that pops up. Professional IT techs can navigate compatibility and security issues that your impromptu IT fella may not be able to see.
In fact, this seems like one reason why the Foundation hack above was successful: the default administrator account was breached. An IT tech will be more likely to change problematic default settings, or at least will understand credentialing and access management issues. Yes, it will be more expensive to pay your IT MSP to install software all over your business. But it is likely to save you time and headaches.
Privileged Access Management
Finally, you want to make sure that your user accounts have access only to the data, programs, and processes appropriate to their role in the organization. Again, an SMB’s impromptu IT guy is less likely to think about this. Not every person in the organization needs access to every database, all product information, or any intellectual property that may be floating around your network. As above, it is worthwhile asking your IT Managed Service Provider for guidance on this, as what this looks like varies by industry and by individual company.
So, third-party software breaches happen regularly, and for users of that software, there may not be much you can do on your end after the breach happens. Even your IT department or IT MSP likely will not be able to identify such security problems with your software. In the case of SolarWinds, one of the more famous hacking events, the users of the software did nothing to “deserve” the breach, and only the investigation of an advanced cybersecurity firm discovered it. However, you do want to make sure you are doing your due diligence! Make sure you are purchasing effective software AND that it is professionally installed and managed. This can help mitigate some of your risk and exposure in the Wild West that is the cyber world.