The problem with securing the highly interconnected systems between companies and their suppliers is that it is extremely difficult. One need look no further than the challenges the entertainment industry faces in keeping content from leaking before release to understand the work necessary to protect an end-to-end supply chain.
Category: Supply Chain Security
Attacks on digital and physical supply chains are nothing new. If attackers cannot break into a series of well-fortified systems directly, shifting their attention to the lower-friction path offered by less secure but trusted suppliers reduces their risk and pays dividends: the supplier's access is already trusted by the target.
In this context, the SolarWinds breach was notable in a couple of key ways:
So how does this impact small and medium-sized businesses (SMBs)?
Innovation and creativity are at the heart of the SMB. Their size and agility let them bring innovative solutions to a larger organization and, in turn, accelerate that client's ability to drive creativity into its own products and services. These SMBs often have access to sensitive systems and highly confidential information, which places them squarely on the client's critical supplier list and subjects them to the same rigorous security controls to which the client itself must adhere.
As a result, we see more SMBs building information security programs that can be certified or attested by an external entity. Internal legal, GRC and procurement organizations increasingly require suppliers not merely to comply with a set of controls but to build security programs that can be independently certified or audited. Over the last several months, there has been a marked increase in SMBs engaging security firms to help them build programs against the ISO 27001 standard or to prepare for a SOC 2 Type 2 examination.
Yet SMBs have challenges. In the wake of a global pandemic, the world was forced to transition its workforce to remote work virtually overnight, and SMBs found themselves especially ill-prepared for this monumental shift. Even before the pandemic, the National Small Business Association testified before the U.S. Senate Committee on Small Business in March 2019 that "only 14% of small businesses rated their ability to mitigate cyber risk and vulnerabilities as useful." Consider:
Many smaller companies are now completely virtual and plan to stay that way. With more and more companies hiring employees spread across the globe, cross-border hiring adds its own complications. The security architecture and control structure for an organization with no physical presence are very different: there is no office network perimeter to defend, so identity, endpoint and cloud controls have to carry the load. As a result, SMBs are evaluating technology solutions such as firewall as a service, cloud-based business VPNs, and cloud application security platforms such as cloud access security brokers (CASBs). While these technologies help provide a more comprehensive foundation for an SMB's cloud security architecture, they often require heavy initial investment, impose minimum license counts that exceed a small company's headcount, or do not support SIEM integration out of the box.
There are also a few hidden issues. Many of these cloud security providers have not yet undergone security certifications themselves, which further limits the number of vendors an SMB can use without adding an uncertified supplier to its own supply chain. This is especially the case in the cloud business VPN space, where vendors have begun offering business products yet lag in certifying their own information security programs.
Another challenge involves an organization's log aggregation and its daily audit and log reviews. Most smaller organizations are neither trained nor staffed to design the detection patterns necessary to identify security incidents or data breaches. This is especially the case when collecting, aggregating and analyzing activity across multiple cloud providers, each with its own log formats and event semantics. While we are seeing an increase in managed security services providers that support the SMB market, they often push organizations toward specific security architectures. Their solutions focus on organizations with a physical presence, lack support for Macs (popular with SMBs), and offer limited support for analyzing the variety of cloud providers commonly used by smaller businesses.
However, solutions providers are catching up. Vendors that offer comprehensive solutions to SMBs, and that undergo certification of their own internal security programs, are in greenfield territory: small companies become large companies, and trusted partnerships with innovative organizations are a competitive advantage.
So, what recommendations do we have for SMBs?