Lack of security in small companies means big risk for the enterprise

"I've been in the security business for 25 years. The industry spent the first 20 of those developing perimeter security products. Then five years ago, we simply let everybody in, building an ecosystem of third-party vendors and service providers that are now part of our federated enterprise," says Mo Rosen, COO, Xceedium.

Once attackers enter these small organizations, they access the large enterprises those small companies serve. The trust relationship that big enterprise shares with these small vendors manifests itself in networking and communications technologies that bridge the organizations and pass data between them with a degree of acceptance and approval. The large enterprise network errantly trusts the manipulations of the hackers as though these are approved behaviors of the small business.

The enterprise saw how a lack of emphasis on security on the part of third-party POS and HVAC vendors turned those vendors into vulnerabilities for the large retailers that used their services. CSO reveals how these small enterprises share their vulnerabilities with large customers and how those big companies can push back.

A case of the malware measles

It is not uncommon for small vendors to let the robber in through the back door (a Trojan horse, literally or figuratively) and out through the front door into larger concerns. Such is the case with the Managed Service Provider (MSP).

"The MSP installs computer updates and manages and fixes software, typically manually, from their office," says Kevin Jones, senior information security architect, Thycotic. When an attacker infects the MSP's network, that infection is communicable to the large enterprise customer through the Remote Access Connection, which is a common bridge between big business and small vendors.

Without a great deal of preparation and care, it is hard for the large organization to differentiate between an attacker and the MSP. "The MSP becomes the weak link in the large enterprise's security chain," says Jones.

How small companies make infection easy

Small companies open the door to attackers through a variety of insecure practices. Small businesses delay security updates and patches because of a continuing concern over the quality and reliability of updates, particularly updates for Microsoft Windows and Office products. "A lot of the updates break Windows and Office, and that impedes the business, which affects the bottom line," says Jones.

Businesses will often wait a month to hear what happened to other companies who applied the latest updates before they risk using them. In the meantime, the companies that wait become infected by attacks that leverage those unpatched vulnerabilities. Deciding whether to apply the updates or wait is a 'damned if you don't, damned if you do' scenario. The large enterprise that trusts traffic from bedeviled businesses that delay patching is damned along with them.

In another ill-fated practice, small businesses neglect to enforce strong access credentials. "Small companies frequently use weak passwords," says Rosen. It is common for third-party vendors and contractors to use weak passwords when logging into large enterprise networks; these include networks for stores like Target or Home Depot. Often the small company employee is using the same password they use everywhere, whether for their personal Facebook account, Gmail account, or financial account.


That's why hackers who confirm a username and password for any account on the Internet will try that same combination of credentials on other sites they attempt to hack into, and why re-using credentials is a very bad idea. Logon credentials are only as good as password policy and policy enforcement. If the small enterprise can't enforce the use of long, complex, unique passwords, then they and their larger customers should expect to be infected.

Small business behaviors that invite trouble from attackers are as numerous as they are infamous. Small enterprise security policies that don't quell missteps such as employee downloads of unauthorized software, rogue Wi-Fi installations, and password sharing will actually promote such behaviors. If big business is going to suffer under these ties, they have to find a way to manage those relationships and their threat-laden baggage.

Mitigating the small company as security hole

To mitigate the security vulnerabilities that small companies bring to the table, the big enterprise has to move from a trust-but-verify model to a least-privilege, zero-trust model when working with these organizations. Permit the least access and permissions necessary to do the work required. Consider anything outside or inside the network as untrusted. Standard best practices under least privilege and zero trust include network segmentation and enforcing up-to-date patch management, says Rosen.

Implement Privileged Identity Management (PIM) so that, even if credentials are stolen, it is very hard for the hackers to move laterally in the network. Privileged identity management makes it very hard to compromise another account, and the credentials it issues are always rotated. "Even if they grab the credential, it's not useful for very long," says Rosen.
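The least-privilege, zero-trust posture described above, as an added illustration that is not code from the article or from any vendor it quotes: a hypothetical access broker that hands a third-party vendor a credential scoped to named hosts only, requires a second factor, expires the credential after a short TTL, and rotates it so a stolen secret stops working. The vendor name and host names are constructed sample values.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class VendorGrant:
    """One scoped, short-lived credential for a third-party vendor (hypothetical model)."""
    vendor: str
    allowed_hosts: frozenset   # the only enterprise hosts this vendor may reach
    ttl_seconds: int
    issued_at: float
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class VendorAccessBroker:
    """Hypothetical least-privilege broker: issues per-vendor credentials scoped to
    named hosts, expires and rotates them, and requires a second factor."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be exercised offline
        self._grants = {}              # secret -> VendorGrant

    def issue(self, vendor, allowed_hosts, ttl_seconds):
        grant = VendorGrant(vendor, frozenset(allowed_hosts), ttl_seconds, self._clock())
        self._grants[grant.secret] = grant
        return grant.secret

    def rotate(self, old_secret):
        """Retire a credential and hand back a fresh one with the same narrow scope."""
        old = self._grants.pop(old_secret)
        return self.issue(old.vendor, old.allowed_hosts, old.ttl_seconds)

    def authorize(self, secret, host, second_factor_ok):
        """Return (allowed, reason). Anything not explicitly granted is denied."""
        grant = self._grants.get(secret)
        if grant is None:
            return False, "unknown or retired credential"
        if self._clock() - grant.issued_at > grant.ttl_seconds:
            del self._grants[secret]   # expired secrets are purged, not just refused
            return False, "credential expired"
        if not second_factor_ok:
            return False, "second factor required"
        if host not in grant.allowed_hosts:
            # This is the lateral-movement case: a valid vendor credential used
            # against a host outside the vendor's scope is refused and reportable.
            return False, f"{grant.vendor} is not granted access to {host}"
        return True, "ok"
```

The denied reasons are the events a defender would forward to the IDS/IPS or SIEM, since a scoped vendor credential reaching for an out-of-scope host is exactly the MSP-as-weak-link pattern the article warns about.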

Big business should ensure that small businesses come into the enterprise with two-factor authentication. "The old expense of $75 to $100 per user for two-factor authentication no longer applies. Enterprises can now implement two-factor authentication at reasonable rates," says Rosen.

Large enterprises should use multiple intelligent, polymorphic next-generation threat detection technologies such as (but hardly limited to) behavior-based IDS/IPS and cloud-based web security scanning. These will help them to enforce the zero trust model and to find breaches that are coming in and that have already come in from the perimeter, whether from small concerns or otherwise. "The breaches are going to come in," says Rosen. It's a matter of mitigation, not elimination.

The large enterprise must use contracts with third-party vendors and service providers that require audits of their security. "The large organization has to require the audits and make sure they do them," says Rosen.

For large enterprise CISOs, hearing that their MSP/third-party vendor family is the security vulnerability that won't go away is like receiving a cold slap in the face at four in the morning. But just as they deal with every other threat, they must gather their resolve, acquire and target resources, determine how to live with second-hand vulnerabilities, and try to get a good night's sleep.

Feel free to leave the night light on.
