Stepping Up SMB Security
When your company is the third-party vendor, improved security practices, transparency, and independent reviews to prove your claims can go a long way toward winning enterprises embattled by attacks and the burden of compliance
Ericka Chickowski- Contributing Writer
Dark Reading, Dark Reading
December 05, 2012
Sometimes the path of least cybersecurity resistance for enterprises is right through an SMB vendor's back door. Because even as many enterprises have upped their security game in recent years, SMBs continue to lag. And when those SMBs work closely with larger businesses as vendors, suppliers, and service providers, they inevitably pose a softer target for hackers.
Why hack a megacorporation with expensive security protections when you can break into a poorly protected SMB vendor that has network privileges or other access to that big-name customer's valuable data?
"Many SMBs work with enterprises as contractors via services or provide specific product offerings," says Rahul Kashyap, chief security architect and head of research for Bromium. "A compromise of any of their machines or software can lead the attacker right into the corporation they're after."
[Which applications and vendor dominated the vulnerability and exploit headlines in 2012? See The Vulnerability 'Usual Suspects' Of 2012.]
That may well be why research from Symantec earlier this year showed that targeted attacks aimed at small businesses with 250 or fewer employees have more than doubled in 2012. Meanwhile, regulators and consumers aren't taking kindly to "my vendor made me do it" excuses, making enterprises understandably squirrelly about third-party vendor security. The net result is that SMBs that want to get into a certain market or attract certain classes of B2B clientele can't afford to ignore security anymore.
"Taking a lax attitude toward security can hinder the chance for growth through contracts or partnerships with large public or government entities. Why?" says Brian Burch, vice president of SMB marketing for Symantec. "Large companies are wary of the risks with connecting and sharing confidential information with smaller companies who are not properly protected."
When going after business from regulated enterprises with tougher security standards than they might normally be used to, SMBs will generally face a cost-benefit decision, says J.B. O'Kane, managing principal at Vigilant. But don't let the prospect of improvements scare you away without assessing from all angles, he suggests. For example, depending on what access the business has to its customer's data and how regulated that customer is, there may be wiggle room to negotiate for slightly less-stringent requirements in certain areas. And even if there is not, the benefit that may come from the extra investment in security could far outstretch just the contract it is intended to satisfy if the SMB uses it as a competitive differentiator.
"It becomes an investment," O'Kane says. "It goes back to the cost-benefit equation, perhaps investing in the future by adopting some of these control patterns that can then be applied to your advantage and use that as a selling point for your reputation in the future."
But security is more than just a product of one or two investments -- experts explain that it is important for SMBs to realize that the kind of security enterprises seek their vendors to achieve comes through a gradual process of improvement. And for most organizations, that requires a comprehensive risk management program that can prioritize and strategize through the improvement process. That is why so many enterprises ask whether their vendor has a formal, documented risk program.
"This will demonstrate that you have identified potential risks and are proactively controlling, monitoring, and measuring them to protect your customers," says Chris Ritterbush, executive director of financial services for Ernst & Young. "Large customers need to feel confident that risk management is not a reactive exercise."
In fact, as SMBs struggle by proxy with the same regulations as their clients, developing a holistic plan may well be more important for them than enterprises.
"They face the same cyberthreats as larger corporations, but with a tighter budget and already overworked staff," says Doug Landoll, president of Assero Security. "Think of security in these three buckets: administrative controls, physical controls, and technical controls.
Administrative controls include things like policies and procedures, security awareness training, and auditing. Physical controls cover items like door locks and entry control, shredders, and cameras. And technical controls are the traditional IT controls, like firewalls, antivirus, server hardening, and intrusion prevention.
"One of the key elements of security is good hygiene: applying patches, closing vulnerabilities, configuration management," says John Whiteside, product marketing at Alert Logic. "Good management alone will often improve security simply by eliminating some vulnerabilities."
Even with good controls in place, though, it won't mean much to customers unless you can prove it. That requires documentation and transparency, he says.
"Demonstrate your proactive security posture to your customers with appropriate transparency," Whiteside says. "Document your security procedures and discuss them with customers through clear statements about how you protect the integrity of their data."
But don't make them take your word for it. Enlisting the help of third-party assessments and standard reporting specifications can greatly ease a customer's concerns, particularly in the case of SMBs, which tend to be bullish about their security protection.
"The No. 1 issue I've seen with security compliance -- particularly with SMBs -- is claiming to have a control or process in place while not realizing they don't," says Arild Jensen, consultant with Secos Security. "The best way around this is to have someone from outside the company create and regularly review security controls for suitability to the company's and its partners' risk profiles, audit controls, and scan the general IT infrastructure for exceptions."
Even if it won't address all of your clients concerns, independent reports and assessments can help demonstrate an investment of control infrastructure, Ritterbus says. Regardless of those assessments, though, there's a high likelihood SMBs will also find it necessary to answer some sort of assessment questionnaire from the vendor. And at the moment, many smaller businesses are having a hard time checking the boxes on these lists.
"Based on a recent survey we just completed of over 247 IT SMB security professionals, we know that half of SMBs are not prepared to answer customer and partner questions about their security," says Andrew Storms, director of security operations for nCircle.
While it might be tempting to fudge the answers, Landoll warns SMBs to realize the questionnaires are legally binding.
"Often the documents are misunderstood or are filled out based on plans in the future. These are very important documents asking about risks," he says. "Most importantly they are legally binding attestation. The next time these forms are used is in court. Don't state your security is perfect when it is not."
Sean Bruton, security expert from Hosting.com, agrees: "Don't worry if you can't answer, 'Yes, we have that control' for each question."
In fact, the honest approach can actually feed into future improvements to security down the line. If enough vendors ask for certain controls in each of their questionnaires, then it'll soon become clear where the priorities may need to shift.
Speaking of which, when it comes to proving controls, there's no need to reinvent the wheel with attestation. As SMBs become used to scrutiny for larger customer, it may make sense for them to gather all of those questionnaires and create a master document with stock answers for the next time a new customer comes knocking at the door.
"Create a master list of questions received from business partners/customers and build standard answers," Storms says. "This minimizes the time required to respond to inquiries and creates a 'map' of the best practices important to your partners."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.