The CIOs, IT Directors and CISOs for large companies have enough to worry about without having to take on the mountains of security holes infesting small- and medium-sized businesses around the globe. But a new report shows a direct connection between SMB security flaws and those of their Fortune 1000 neighbors.
In effect, this is just a new twist to the age-old and well-known supply chain security weak-link challenge. That's where a company is subject to getting burned by the security problems of any company with which it shares a supply-chain. An e-tailer, for example, can get hurt by viruses or a trojan horse that infected a delivery service, manufacturer, CRM firm or—hello, irony—an SMB security firm.
The report comes in the form of an annual security package from Cisco, released in late January. (The report requires you supply some personal information, but I cover much of the pertinent information here.) "SMBs show signs that their defenses against attackers are weaker than their challenges demand. In turn, these weaknesses can place SMBs’ enterprise customers at risk. Attackers that can breach an SMB network could also find a path into an enterprise network," the Cisco report said.
The report details what is already known, which is that the security processes of many small businesses are atrocious. But by reminding enterprise IT execs of the contagious nature of this risk, Cisco reminds IT of their difficult task of enforcing security policies with companies they don't control.
Just because IT doesn't control those small companies—to be honest, does IT even control its own company's employees? I know: a topic for another day—does not mean they can't exert strong influence. Yes, I mean they can be threatened with the loss of your revenue should they resist.
This means that you can certainly dictate security operational conditions with all of your partner contracts. Is it practical, though, to enforce such dictates? Of course, but you don't need to universally enforce them. You merely need to do spotchecks and to let all partners know when you've caught—and terminated—one of their fellow partners. The message will get through.
Those contracts should give you the right to do unannounced inspections of their facilities, their software and their network. Don't forget the very long tail of your interconnected supply chain. The smaller a partner company is, the more likely they will outsource a large percentage of their IT and marketing functions. Bottom line: You must insist that partners enforce these same rules with their own partners.
For example, a delivery partner needs access to your network to coordinate deliveries. And that small company agrees to your strict network rules, all designed to prevent the introduction of viruses. But unbeknownst to you, this delivery service has a bookkeeper visiting once a week. And that bookkeeper plugs his/her thumb drive directly into one of their desktop machines—which happens to also be connected to your network. (Shades of the end of "There Was An Old Woman"?)
Instead of random inspections, there's also the liability threat. That's where you tell contractors that if your network suffers any kind of a breach that is eventually traced back to the partner's system, they will be held liable even if the dollar amount of that liability exceeds the value of the partner contract. That will get their attention at contract-signing time.
We're not just talking about virus and other cyber creepy crawlers that sneak from their system to yours. One of your biggest assets when it comes to your partners is one specific intellectual asset: the knowledge of how to get into your network, what your network can do and any specific access credentials and procedures.
If a cyber thief hits your SMB supplier, they might steal those credentials and sit on your network, observing and waiting for the moment to strike. And all this time, it will look to your people like it's an authorized supplier doing its thing.
But the potential attackers might go a different route. For the actual attack, they might want to not leave a trail of geeky breadcrumbs to that particular supplier. Once in control, they might want to do more damage to more company partners before that SMB realizes it has been infiltrated. Therefore, they could just as easily examine the password and other credentials and use that knowledge—on top of the exact path used—to make educated guesses about some of your other credentialed users and try and impersonate them instead.
This all assumes bad actions happen to your SMB partner without their knowledge. But what if this is treasonous activity with their knowledge? What if it's an employee of this SMB contractor who decides to try and steal and sell your data to one of your competitors?
Yes, there are so many ways that lax security performed by your SMB partners can become your problem. Putting the CEOs of those companies into the hot seat with you isn't a bad way to go.