Large enterprises are soaking up available cybersecurity talent and should consider actively helping small-business suppliers who simply can’t secure the same level of resources, a cybersecurity consultant has recommended.
The process of evaluating suppliers and other small partner organisations has traditionally been biased towards the enterprise, Shogun Cybersecurity principal consultant Corch told CSO Australia – and that has left small businesses scratching their heads at cybersecurity capabilities audits that presume a level of capability that is unattainable for most smaller businesses.
“The way the industry has grown over time, the clients that vendors were trying to connect with were all large organisations,” he explained. “They made products for large organisations, priced their services to large organisations, and everyone who was in security worked in a large organisation and had salary expectations to go with that.”
Those dynamics had created a big conceptual divide between small businesses and their larger customers, who generally view cybersecurity through the lens of an organisation with their own size and resources.
Over the course of 15 years in cybersecurity consulting, Corch said, he has seen the impact of this divide over and over again: one former banking customer, for example, used a third party assurance methodology that included a questionnaire “with all these questions that were technically worded and written from an enterprise perspective,” he said.
“It was an arse-covering mechanism from these big businesses with complicated internal security apparatus that had built up over a 10 to 15 year period.”
Smaller businesses generally don’t have the luxury of such internal capabilities – and that would turn what big businesses see as a normal prudential task into a major stressor for their smaller suppliers.
“Small businesses would get these and freak out a bit,” Corch said. “They would either tick ‘yes’ to everything because they felt if they didn’t tick ‘yes’ they would get rejected from the partner program – or they would throw their hands up in frustration and say ‘how can we have these things?’, and tick ‘no’ to everything.”
Yet simply rejecting a smaller supplier because they can’t implement enterprise-grade cybersecurity was an ineffective policy because those smaller, niche suppliers often have service or product capabilities that are fundamental to the bigger business’s operation.
What they don’t have, Corch has seen time and again over the years, is the ability to protect those capabilities from cybersecurity attack.
“You’ve got these guys that are electricians or tradespeople, and are not traditionally skilled in IT,” he explained. “Now a lot of the tools they use are computerised, but they don’t understand IT concepts in general let alone something as complicated as network security.”
When one engagement confirmed this during an audit of commonly used subcontractor IT systems, it became clear that a better alternative was needed.
“Not only were they wide open to someone who knew what they were doing and could manipulate these systems without being granted proper access, but the people in charge of managing those systems weren’t even aware that security was something they should actually be considering.”
Skin in the game
When a cybersecurity attack hits a partner of a larger organisation, everybody suffers – as US retailer Target so painfully learned in a major data breach that has become a watershed for partner-driven risk.
Some companies were actively evaluating the potential damage if such a breach happened, against the value of the small-business relationship. Compliance became a crutch to justify relationships with organisations whose lack of resources meant there was no way they could be as secure as both organisations needed them to be.
“I personally worked in scenarios where this kind of thing was happening,” Corch said. “The larger businesses were falling back on the shield of process – but all that did was to promote a false sense of security amongst both smaller and larger businesses.”
Insurance companies such as BHSI and Cyber Plus have begun bundling cybersecurity response services with their policies to help small businesses after a breach, but Corch – who will present on the topic at the AISA national conference in October – believes there is a better, more proactive alternative.
Since both parties have a mutual interest in bolstering cybersecurity, he explained, it makes sense for bigger organisations to not only protect themselves with risk assessments, but to follow through and work with suppliers to address and remediate security issues together.
“Big companies have a 15 to 20 year head start when it comes to security practices, and they were expecting smaller businesses to live up to the same security standards even though the big companies have gobbled up all the security skills in the market.”
The industry is at an inflection point where greater collaboration can still help smaller businesses address their exposure, he said – but that will require a recognition of a social responsibility to help them out.
“By lifting up the knowledge and capabilities of the people that have helped them,” he said, “large business can make the whole online ecosystem more secure and help make their own assets more secure in the process. It’s a discussion we really need to have.”