The CIOs, IT Directors and CISOs for large companies have enough to worry about without having to take on the mountains of security holes infesting small- and medium-sized businesses around the globe. But a new report shows a direct connection between SMB security flaws and those of their Fortune 1000 neighbors.
In effect, this is just a new twist to the age-old and well-known supply chain security weak-link challenge. That's where a company is subject to getting burned by the security problems of any company with which it shares a supply chain. An e-tailer, for example, can get hurt by viruses or a Trojan horse that infected a delivery service, manufacturer, CRM firm or—hello, irony—an SMB security firm.
The report comes in the form of an annual security package from Cisco, released in late January. (The report requires you supply some personal information, but I cover much of the pertinent information here.) "SMBs show signs that their defenses against attackers are weaker than their challenges demand. In turn, these weaknesses can place SMBs’ enterprise customers at risk. Attackers that can breach an SMB network could also find a path into an enterprise network," the Cisco report said.
The report details what is already known, which is that the security processes of many small businesses are atrocious. But by reminding enterprise IT execs of the contagious nature of this risk, Cisco reminds IT of their difficult task of enforcing security policies with companies they don't control.
Just because IT doesn't control those small companies—to be honest, does IT even control its own company's employees? I know: a topic for another day—does not mean it can't exert strong influence. Yes, I mean those companies can be threatened with the loss of your revenue should they resist.
This means that you can certainly dictate security operational conditions in all of your partner contracts. Is it practical, though, to enforce such dictates? Of course, but you don't need to universally enforce them. You merely need to do spot checks and to let all partners know when you've caught—and terminated—one of their fellow partners. The message will get through.
Those contracts should give you the right to do unannounced inspections of their facilities, their software and their network. Don't forget the very long tail of your interconnected supply chain. The smaller a partner company is, the more likely they will outsource a large percentage of their IT and marketing functions. Bottom line: You must insist that partners enforce these same rules with their own partners.
For example, a delivery partner needs access to your network to coordinate deliveries. And that small company agrees to your strict network rules, all designed to prevent the introduction of viruses. But unbeknownst to you, this delivery service has a bookkeeper visiting once a week. And that bookkeeper plugs his/her thumb drive directly into one of their desktop machines—which happens to also be connected to your network. (Shades of the end of "There Was An Old Woman"?)