5 tips for enterprises to ensure their SMB partners don't cause a data breach
SMBs are valued partners for many firms, but they often lack resources and expertise to develop comprehensive security policies. Here's how enterprises can ensure their partners are cybersecure.
To avoid cybersecurity issues, large enterprises must be careful when choosing which small and medium-sized business (SMB) partners to work with, especially as the average cost of an enterprise data breach rises to $1.3 million.
SMBs provide essential goods and services across industries, and are valued partners to many companies, said Kevin Chapman, senior vice president and general manager of SMB business at security firm Avast. "Unfortunately, recent incidents like the Sony, HBO, and Netflix breaches have brought to light that enterprises are only as secure as their partners, and SMBs can be the cybersecurity weak link that allows hackers entry into the network of their larger and more lucrative partners," he added.
SMBs often face a lack of resources and expertise to develop comprehensive cybersecurity policies and infrastructure, Chapman said. Some 75% of SMBs agree that they are more concerned about cybersecurity issues than they were in years past, according to an Avast survey, but 37% said that they don't have a proper system in place for ensuring regular and immediate software updates—a security best practice.
Ex-employees also pose a threat: 40% of SMBs do not have a process in place to revoke or change passwords that an employee had access to when that employee leaves the company, the survey found.
"There may be cases where SMB partners may be a security weak link if the larger company relies on the SMB partner for some very IT-critical operations," said Engin Kirda, professor of computer science at Northeastern University. "This being said, most large companies that I have interacted with have a separate and independent IT security department and policies, and do not completely trust third-parties. And that, in my opinion, is a smart thing to do."
The weakest link in any organization, regardless of its size, is its users, Kirda said. "Unfortunately, most attacks are successful because the social engineering component of the attack simply works," he said.
It's critical for security education and best practices to become part of the security culture in organizations of all sizes, Chapman said.
Large companies should proactively look for SMB partners with the following security technologies and best practices, according to Chapman:
1. Defined access privileges and restrictions on network resources, so that each user and partner account can reach only what it needs. This limits the impact if a breach occurs.
2. Thorough password policies that set password length and character requirements, change frequency, and account lockout rules to protect network access.
3. Next-generation antivirus and automated patch management software, which together block threats arriving via the web, files, or email and close known vulnerabilities before they can be exploited.
4. Security training that educates employees on best practices for passwords, safe web browsing, and identifying phishing emails.
5. A comprehensive bring-your-own-device (BYOD) policy, so that personal devices connecting to the network do not introduce risk to the business.
This should also not be a one-time evaluation, Chapman said. "Security threats are changing on a daily—if not hourly—basis, and your security practices and technologies, and those of your partners, should evolve with these changes. Ensure that you are regularly conducting security assessments within your own company and for your SMB partners."
Companies should also "search for a provider that offers a multi-layered security solution for data protection, including perimeter and endpoint protection, and a comprehensive backup and recovery solution," said Robert Gibbons, CTO at Datto.
"With security breaches and sophisticated attack vectors on the rise, it is imperative for SMBs to find the right IT service provider to protect their data and keep their business operations up and running no matter what," Gibbons said.