Enterprise CIOs, think it's OK to ignore SMB security holes? Think again

A new report shows a direct link between security problems in small businesses and enterprise security headaches. This happens when SMBs are suppliers or resellers for enterprises and are therefore connected.

The CIOs, IT Directors and CISOs for large companies have enough to worry about without having to take on the mountains of security holes infesting small- and medium-sized businesses around the globe. But a new report shows a direct connection between SMB security flaws and those of their Fortune 1000 neighbors.

In effect, this is just a new twist to the age-old and well-known supply chain security weak-link challenge. That's where a company is subject to getting burned by the security problems of any company with which it shares a supply chain. An e-tailer, for example, can get hurt by a virus or trojan horse that infected a delivery service, manufacturer, CRM firm or—hello, irony—an SMB security firm.

The report comes in the form of an annual security package from Cisco, released in late January. (The report requires you supply some personal information, but I cover much of the pertinent information here.) "SMBs show signs that their defenses against attackers are weaker than their challenges demand. In turn, these weaknesses can place SMBs’ enterprise customers at risk. Attackers that can breach an SMB network could also find a path into an enterprise network," the Cisco report said.

The report details what is already known, which is that the security processes of many small businesses are atrocious. But by reminding enterprise IT execs of the contagious nature of this risk, Cisco reminds IT of their difficult task of enforcing security policies with companies they don't control.

Just because IT doesn't control those small companies—to be honest, does IT even control its own company's employees? I know: a topic for another day—does not mean they can't exert strong influence. Yes, I mean they can be threatened with the loss of your revenue should they resist.

This means that you can certainly dictate security operational conditions in all of your partner contracts. Is it practical, though, to enforce such dictates? Of course, but you don't need to universally enforce them. You merely need to do spot checks and to let all partners know when you've caught—and terminated—one of their fellow partners. The message will get through.

Those contracts should give you the right to do unannounced inspections of their facilities, their software and their network. Don't forget the very long tail of your interconnected supply chain. The smaller a partner company is, the more likely they will outsource a large percentage of their IT and marketing functions. Bottom line: You must insist that partners enforce these same rules with their own partners.

For example, a delivery partner needs access to your network to coordinate deliveries. And that small company agrees to your strict network rules, all designed to prevent the introduction of viruses. But unbeknownst to you, this delivery service has a bookkeeper visiting once a week. And that bookkeeper plugs his/her thumb drive directly into one of their desktop machines—which happens to also be connected to your network. (Shades of the end of "There Was An Old Woman"?)

Instead of random inspections, there's also the liability threat. That's where you tell contractors that if your network suffers any kind of a breach that is eventually traced back to the partner's system, they will be held liable even if the dollar amount of that liability exceeds the value of the partner contract. That will get their attention at contract-signing time.

We're not just talking about viruses and other cyber creepy crawlers that sneak from their system to yours. One of your biggest assets when it comes to your partners is one specific intellectual asset: the knowledge of how to get into your network, what your network can do and any specific access credentials and procedures.

If a cyber thief hits your SMB supplier, they might steal those credentials and sit on your network, observing and waiting for the moment to strike. And all this time, it will look to your people like it's an authorized supplier doing its thing.

But the potential attackers might go a different route. For the actual attack, they might not want to leave a trail of geeky breadcrumbs back to that particular supplier. Once in control, they might want to do more damage to more company partners before that SMB realizes it has been infiltrated. Therefore, they could just as easily examine the password and other credentials and use that knowledge—on top of the exact path used—to make educated guesses about some of your other credentialed users and try to impersonate them instead.

This all assumes bad actions happen to your SMB partner without their knowledge. But what if this is treasonous activity with their knowledge? What if it's an employee of this SMB contractor who decides to try to steal your data and sell it to one of your competitors?

Yes, there are so many ways that lax security performed by your SMB partners can become your problem. Putting the CEOs of those companies into the hot seat with you isn't a bad way to go.

Stories by Evan Schuman