How many partners does your organization rely on? Companies and services handling sensitive information?
Do you know how many you have? Or how many of them classify as a small business?
A few years ago, it was common to have a limited number of partners - and to limit their access. Some recent clients shared their experience growing from three to over three hundred partners in the span of about three years.
We used to caution people about engaging with third parties due to the potential for increased risk. The simple reality that an attacker might use them as a stepping stone to us. That warning hasn’t changed. But our landscape has.
We rely on partners. A lot of them small businesses. Security introduces a complexity, cost, and confusion that a lot of smaller organizations struggle with. These are the people you depend on to provide a needed service while protecting information.
CSID recently conducted a survey to get a better understanding of how small businesses perceive and handle security. I discussed the findings with Bryan Hjelm, VP of Product and Marketing at CSID. While some of the information isn’t surprising, CSID did a nice job in capturing and presenting it. You can grab a copy for yourself here (link).
During my discussion with Bryan, the light bulb went off. I see an opportunity for security leaders to dramatically improve their posture by helping others.
Bryan explained, “One key takeaway from the survey is that small business owners do not have a proper understanding of their risks from a cyber security perspective, and as a result, are not allocating adequate budget or resources in this area. Specifically, small business owners do not understand the risks associated with the data they store, including their own business credentials, their customer PII, and also their connections to vendors and partners.”
What leapt out at me is the finding that 58% are concerned, but 51% claim no budget to work on their security.
But what are they looking for when it comes to ‘security’?
Confusion swirls around security. When small businesses were asked, 25% said they felt prepared to handle an attack. But 20% simply don’t have the time or money.
What are they protecting?
Or what do we think they are protecting? It turns out that a lot of the small businesses don’t place a value on the information they store, frequently including names, phone numbers, addresses, and other information.
It seems that the focus on PII -- and whether they have any to protect -- could distract them from higher value information sought by attackers. Recent attacks use the credentials phished or otherwise gained from contractors to gain entry to larger organizations.
As Bryan puts it, “Many small businesses believe that the PII of their customers is all that they need to worry about. What they often fail to realize is that they host a wealth of internal data, as well as connections to clients and vendors, that is highly attractive to cyber criminals.”
Considering the scale of impact is what creates our opportunity
I openly question the harm of breaches. At least when it comes to the global enterprises that make headlines, it seems like most escape lasting damage. Exploring the significance of the breach and subsequent harm is part of a larger conversation for enterprises.
What about small business?
Bryan points out, “Small businesses are becoming a more popular target for attackers because they host valuable data, yet have significantly fewer resources to defend themselves than large enterprises. Small businesses are also likely to have a more difficult time bouncing back from an attack, as risk mitigation and response services can sometimes seem financially out of reach. Relative to a large company that may suffer temporarily, a breach could mean the end of a small business.”
What a big business can tolerate - as evidenced by the recent breaches - tends to be the sort of event that puts the small business out of business.
While attackers are looking for customer data, they’re also targeting the credentials. Not just customer information, but the access and insights to additional places.
Perhaps your company.
Our opportunity: elevate our partners, build up the industry
Consider the difference in scale. If you’re a security leader at a larger organization, you can use some of your resources -- perhaps stuff you already have -- and extend them to your partners. For example, instead of demanding they have policies and specific controls, consider explaining why and helping them implement the right solutions for their environment.
The smart security leader offers a service to their partners that blends education and assistance.
Here’s why this works:
You learn more about them; perhaps it is akin to an extended third-party assessment
You have more confidence that they are protecting your information
They have more comfort with you - and a willingness to ask questions and get the help they need to protect themselves and you
Be the security leader that elevates your partners
Exceptional leaders elevate the people around them. Use the resources available to you to elevate those you partner with. As you make this investment, you’ll find procurement is easier to work with. It’ll be easy for everyone to find quality partners.
We’ll build better relationships and stronger foundations for trust. Internally and with our partners. Across the industry. We might even purposefully cross-pollinate ideas and actions that improve security for everyone.
The more secure they are, the more secure you are -- both from the perspective of an attacker using them as a vector to you and because you are helping them stay in business.