Attacks on digital and physical supply chains are nothing new. When attackers cannot break into a series of well-fortified systems, shifting their attention to the more frictionless path offered by a less secure but trusted supplier lowers their risk and pays dividends.
The problem with securing the highly interconnected systems between companies and their suppliers is that it is extremely difficult. One need look no further than the challenges the entertainment industry faces in preventing content leaks to understand the work required to protect an end-to-end supply chain.
In this context, the SolarWinds breach was notable in a couple of key ways:
- It brought attention to the widespread impacts when an interconnected global supplier is compromised.
- Due to the nature of the breach, cyber risk insurers will, at a minimum, increase oversight of third-party supplier security assessments and may be reluctant to pay out on policies where a nation-state is involved in the breach.
So how does this impact small and medium-sized businesses (SMBs)?
Innovation and creativity are at the heart of the SMB. Their size and agility allow them to bring innovative solutions to larger organizations and, in turn, accelerate their clients’ ability to build creativity into their own products and services. These SMBs often have access to sensitive systems and highly confidential information, which places them squarely on a client’s critical supplier list and subjects them to the same rigorous security controls their clients must themselves adhere to.
As a result, we see more SMBs building information security programs that can be certified or authorized by an external entity. Internal legal, GRC and procurement organizations increasingly require suppliers not just to comply with a framework but to build security programs that can be certified against it. Over the last several months, there has been a marked increase in SMBs engaging security firms to help them build programs based on the ISO 27001 or SOC 2 Type 2 security frameworks.
Yet, SMBs have challenges. In the wake of a global pandemic, the world was forced to transition its workforce virtually overnight. SMBs found themselves especially ill-prepared to handle this monumental shift. The National Small Business Association testified before the U.S. Senate Committee on Small Business in March 2019, saying that “only 14% of small businesses rated their ability to mitigate cyber risk and vulnerabilities as useful.” Consider:
- Most organizations lack the expertise to scale a security framework down to their size and operationalize it. This often leads to barely customized security policy templates and a “set it and forget it” mentality.
- SMBs often lack change management expertise. People are at the forefront of transformation, so employees’ adaptability, comfort level and aversion to change must be taken into account when designing and implementing new processes and frameworks, especially around cybersecurity.
- The enterprise technologies and services an SMB would need to fully operate an information security management system (ISMS) are neither priced nor licensed in a way that makes them easy for a small company to purchase.
Many smaller companies are now completely virtual and plan to stay that way. With more and more companies hiring employees spread across the globe, cross-border hiring can be especially tricky. The security architecture and control structure of an organization with no physical presence are very different from those of a traditional office. As a result, SMBs are evaluating technology solutions such as firewall as a service, cloud-based business VPNs, and cloud application security platforms such as cloud access security brokers (CASBs). While these technologies help provide a more comprehensive foundation for an SMB’s cloud security architecture, they often require a heavy initial investment, impose minimum license counts, or don’t support SIEM integration out of the box.
There are also a few hidden issues. Many of these cloud security providers have not yet undergone security certifications themselves, further limiting the number of vendors available to SMBs. This is especially true in the cloud business VPN space, where vendors have begun offering business tiers yet lag in certifying their own information security programs.
Another challenge involves an organization’s log aggregation solution and its daily audit and log reviews. Most smaller organizations are neither trained nor staffed to design the detection patterns necessary to identify security incidents or data breaches. This is especially the case when collecting, aggregating and analyzing attack activity across multiple cloud providers. While we are seeing more managed security services providers (MSSPs) that support the SMB market, they often push organizations toward specific security architectures. Their solutions focus on organizations with a physical presence, lack support for Macs (popular with SMBs), and offer limited analysis of the variety of cloud providers commonly used by smaller businesses.
However, solution providers are catching up. Vendors that offer comprehensive solutions to SMBs, and that certify their own internal security programs, are in greenfield territory: small companies become large companies, and a trusted partnership with an innovative organization is a competitive advantage.
So, what recommendations do we have for SMBs?
- Select a security consultant or virtual CISO with proven experience building security programs for SMBs that have successfully passed certification audits.
- Determine whether your leadership team has experience with operational change management. Be honest. If you are missing that expertise, consider hiring an HR security expert or a Virtual Chief People Officer with security experience to work alongside the CISO.
- Invest in a comprehensive risk assessment to help guide decisions around frameworks. Leverage an application-centric risk assessment to help identify controls and focus your project plan.
- Identify IT service providers that serve the SMB market, have extensive experience managing cloud security platforms, and have certified information security programs.
- Engage an MSSP with a certified security program and extensive experience supporting cloud-native, virtual-first SMBs, with low minimum license counts or affordable monthly costs.
- Ensure that your IT and security consultants work together to design and operationalize your security and compliance processes.