"I've been in the security business for 25 years. The industry spent the first 20 of those developing perimeter security products. Then five years ago, we simply let everybody in, building an ecosystem of third-party vendors and service providers that are now part of our federated enterprise," says Mo Rosen, COO, Xceedium.

Once attackers compromise one of these small organizations, they gain a path into the large enterprises those small companies serve. The trust relationship between the big enterprise and its small vendors is embodied in the networking and communications links that bridge the two organizations and pass data between them with a degree of acceptance and approval. The large enterprise network mistakenly trusts the attacker's actions as though they were approved behavior of the small business.

Recent retail breaches showed how a lack of emphasis on security at third-party POS and HVAC vendors turned those vendors into vulnerabilities for the large retailers that used their services. Here is how small enterprises pass their vulnerabilities on to their large customers, and how those customers can push back.

A case of the malware measles

It is not uncommon for a small vendor to let the robber in the back door (a Trojan horse, literally or figuratively) and out the front door into larger concerns. Such is the case with the managed service provider (MSP).

"The MSP installs computer updates and manages and fixes software, typically manually, from their office," says Kevin Jones, senior information security architect, Thycotic. When an attacker infects the MSP's network, that infection is communicable to the large enterprise customer through the remote access connection that commonly bridges big business and small vendors. Traffic from a compromised MSP arrives over the same connection, from the same addresses and under the same accounts the MSP uses legitimately, so without a great deal of preparation and care it is hard for the large organization to differentiate between an attacker and the MSP.
"The MSP becomes the weak link in the large enterprise's security chain," says Jones.

How small companies make infection easy

Small companies open the door to attackers through a variety of insecure practices. They delay security updates and patches out of a persistent worry about the reliability of the updates themselves, particularly updates for Microsoft Windows and Office products. "A lot of the updates break Windows and Office, and that impedes the business, which affects the bottom line," says Jones.

Businesses will often wait a month to hear how other companies fared with the latest updates before they risk applying them. In the meantime, the companies that wait are hit by attacks that exploit the very vulnerabilities those updates fix. Deciding whether to apply the updates or wait is a 'damned if you don't, damned if you do' scenario, and the large enterprise that trusts traffic from businesses that delay patching is damned along with them.

In another ill-fated practice, small businesses neglect to enforce strong access credentials. "Small companies frequently use weak passwords," says Rosen. It is common for third-party vendors and contractors to use weak passwords when logging into large enterprise networks, including those of retailers like Target or Home Depot. Often the small company employee is using the same password they use everywhere, whether for a personal Facebook account, a Gmail account, or a financial account.

That is why attackers who confirm a username and password for any one account on the Internet will try the same combination on every other site they attempt to break into (credential stuffing), and why reusing credentials is a very bad idea. Logon credentials are only as good as the password policy and its enforcement.
If the small enterprise can't enforce the use of long, complex, unique passwords, then they and their larger customers should expect to be compromised.

Small business behaviors that invite trouble from attackers are as numerous as they are infamous. Small enterprise security policies that fail to curb missteps such as employee downloads of unauthorized software, rogue Wi-Fi installations, and password sharing in effect encourage those behaviors. If big business is going to carry these ties, it has to find a way to manage the relationships and their threat-laden baggage.

Mitigating the small company as security hole

To mitigate the vulnerabilities that small companies bring to the table, the big enterprise has to move from a trust-but-verify model to a least-privilege, zero-trust model when working with these organizations. Permit the least access and the fewest permissions necessary to do the work required. Treat anything outside or inside the network as untrusted. Standard practices under least privilege and zero trust include network segmentation and enforcement of up-to-date patch management, says Rosen.

Implement privileged identity management (PIM) so that even if credentials are stolen it is very hard for the attackers to move laterally in the network. PIM makes it very hard to pivot from one compromised account to another, and the privileged credentials it manages are rotated continuously. "Even if they grab the credential, it's not useful for very long," says Rosen.

Large enterprises should also require that small vendors connect using two-factor authentication. "The old expense of $75 to $100 per user for two-factor authentication no longer applies.
Enterprises can now implement two-factor authentication at reasonable rates," says Rosen.

Large enterprises should layer several threat detection technologies, such as (but hardly limited to) behavior-based IDS/IPS and cloud-based web security scanning. These help enforce the zero-trust model and find intrusions that are coming in, or have already come in, across the perimeter, whether from small concerns or otherwise. "The breaches are going to come in," says Rosen. It is a matter of mitigation, not elimination.

The large enterprise must also use contracts with third-party vendors and service providers that require audits of their security. "The large organization has to require the audits and make sure they do them," says Rosen.

Resolve

For large enterprise CISOs, hearing that their MSP and third-party vendor family is the security vulnerability that won't go away is like receiving a cold slap in the face at four in the morning. But just as they deal with every other threat, they must gather their resolve, acquire and target resources, determine how to live with second-hand vulnerabilities, and try to get a good night's sleep.

Feel free to leave the night light on.
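The mitigations in the section above (least privilege, two-factor authentication at the vendor connection, and privileged identity management with continuous rotation), as an added example that is not code from the article, from Xceedium or from Thycotic: a small Python model of a privileged-credential broker. All names are hypothetical (CredentialBroker, the vendor acme-msp, the account msp-svc, the hosts pos-server-01 and dc-01). It shows a least-privilege grant naming exactly which account on which host a vendor may use, a second-factor check at checkout, a short-lived lease scoped to one host so a stolen lease token cannot be replayed against another host, and rotation of the real account secret whenever a lease is returned or expires, which is what makes a captured credential "not useful for very long."

```python
"""Toy privileged-credential broker (hypothetical; not a real PIM product)."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    account: str        # privileged account the lease fronts, e.g. "msp-svc"
    target: str         # the only host this lease may be used against
    expires_at: float   # absolute time in seconds


class CredentialBroker:
    def __init__(self, accounts, ttl_seconds=900, clock=time.time):
        self._clock = clock
        self._ttl = ttl_seconds
        # account -> current real secret; rotated, never handed to a vendor
        self._secrets = {a: secrets.token_urlsafe(24) for a in accounts}
        self._leases = {}   # lease token -> Lease
        self._grants = {}   # vendor -> set of (account, target) pairs

    def grant(self, vendor, account, target):
        """Least privilege: name exactly which account on which host."""
        self._grants.setdefault(vendor, set()).add((account, target))

    def checkout(self, vendor, account, target, second_factor_ok):
        """Issue a short-lived, host-scoped lease; refuse without a 2nd factor."""
        if not second_factor_ok:
            raise PermissionError("second factor required")
        if (account, target) not in self._grants.get(vendor, set()):
            raise PermissionError(f"{vendor} not granted {account}@{target}")
        token = secrets.token_urlsafe(32)
        self._leases[token] = Lease(account, target, self._clock() + self._ttl)
        return token

    def use(self, token, target):
        """Would the broker open a privileged session to `target` for this token?"""
        lease = self._leases.get(token)
        if lease is None:
            return False                 # unknown, returned or already rotated
        if self._clock() >= lease.expires_at:
            self.checkin(token)          # expired: rotate the secret and refuse
            return False
        # constant-time compare so a guesser learns nothing from timing
        return hmac.compare_digest(lease.target.encode(), target.encode())

    def checkin(self, token):
        """Return a lease and rotate the real secret behind it."""
        lease = self._leases.pop(token, None)
        if lease is not None:
            self._secrets[lease.account] = secrets.token_urlsafe(24)

    def current_secret(self, account):
        return self._secrets[account]


class FakeClock:
    """Deterministic clock so the scenario can fast-forward past the TTL."""
    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def scenario():
    """Constructed walk-through: legitimate MSP use, then an attacker who has
    stolen the lease token tries a lateral move, then the lease expires."""
    clock = FakeClock()
    broker = CredentialBroker(["msp-svc"], ttl_seconds=900, clock=clock)
    broker.grant("acme-msp", "msp-svc", "pos-server-01")
    before = broker.current_secret("msp-svc")

    token = broker.checkout("acme-msp", "msp-svc", "pos-server-01", second_factor_ok=True)
    results = {
        "msp_works_on_granted_host": broker.use(token, "pos-server-01"),
        # stolen token replayed against the domain controller: host scope blocks it
        "attacker_blocked_on_other_host": broker.use(token, "dc-01"),
    }
    clock.now += 901                     # lease TTL has passed
    results["attacker_blocked_after_expiry"] = broker.use(token, "pos-server-01")
    results["secret_rotated_after_expiry"] = broker.current_secret("msp-svc") != before
    try:
        broker.checkout("acme-msp", "msp-svc", "pos-server-01", second_factor_ok=False)
        results["checkout_without_2fa_refused"] = False
    except PermissionError:
        results["checkout_without_2fa_refused"] = True
    try:
        broker.checkout("acme-msp", "msp-svc", "dc-01", second_factor_ok=True)
        results["checkout_beyond_grant_refused"] = False
    except PermissionError:
        results["checkout_beyond_grant_refused"] = True
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

In a real deployment the broker sits as a proxy or agent in front of the target systems, so the vendor never sees the rotated account secret at all; the lease token is the only thing that can leak, and its host scope and TTL bound what an attacker can do with it.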