
The Soft Underbelly of Enterprise Cybersecurity: Small Business Readiness

For the better part of the last two years, I’ve been on a bit of a personal campaign.

I’ve talked to more than 50 individual business owners - a set of folks that represents pretty much the entire spectrum of what I’d call the “everyday life” industries - about cybersecurity and the risks their businesses face. Sadly, not once have I encountered a small business owner who knew much more than my dad about network or computer security.

For starters, I usually begin with a really broad, simple question or two: “How do you handle your computer security?” or “How do you defend yourself against cybercrime?”

Over 95% of the time – and following a deep breath and a sigh – I get an answer somewhere between “I have no idea”, “We use anti-virus” and “Someone else handles that for us so I’m sure we’re ok.”

I usually follow up with a few more lightly probing questions such as “Have you ever been the victim of a cybercrime? How so? What happened? What threats have affected your business?” The responses I get are all along the lines of these real examples:

• “You know, we had a really bad time with some hackers. They broke into our systems somehow and stole some customer password info. Nearly got us shut down. We had to change banks. We don’t do business online anymore at all. We think it was probably a guy who used to work here.”

• “A nurse who works here got one of the laptops stolen that we were trying out from the medical equipment company. Turns out it had lots of patient info on it and WiFi info from the other offices that had used it. The company told us not to talk about it.”

• “We actually got in pretty big trouble with one of our main suppliers. Somehow hackers stole our login to their online purchasing system. They got in and pulled out all sorts of info on other customers and stuff. Sold it all online. They traced it back to us, but we didn't do anything. Now we can’t buy from them. One of our main suppliers. They say they may get sued and might sue us.”

Having been a small business owner myself, I know these folks have enough to do worrying about the success of the business that is their life’s blood. They rightly spend their time and energies making ends meet. When it comes to security, that’s something that costs too much, takes too much time and most can’t afford to understand anyway. Yet, it’s something that can, very really, cost them their entire business.

And, of equal importance, their insecurity is also an everyday security problem for every other mid-size and large enterprise they interact with in the commercial supply chain that is our global economic system. Small businesses are the “front lines” in the round-the-clock cybercrime battle.

I believe that, in order to make our ecosystem a safer place for all of us, small and large, the big guys out there are going to have to start - at least in part - handling the security of their small business partners, suppliers and customers. Big business is going to have to begin continuously alerting their smaller business partners to issues, allowing them into their threat networks, extending their security solutions out to them, and pulling the small guys directly under the info-sharing umbrella.

Don’t believe me? Just take these very recent examples where small business has vectored in major problems for big enterprises around the world:

• Target’s Point-of-Sale system was compromised through the network of HVAC company Fazio.

• Reuters’ news site was compromised by Syrian Electronic Army hacktivists through startup content discovery platform Taboola.

• CNN, Washington Post, and Time were compromised by hacktivists through Outbrain, a downstream content syndication provider.

• LoyaltyBuild caused a 500,000+ card breach in Europe, heavily affecting grocery chain giant SuperValu, which has 224 stores in Ireland.

• Patient data from a Florida hospital operated by Advanced Care Hospitalists PL was breached through a billing company, Doctors First Choice Billing, which "was run by two women who were, at the same time, running a trucking company out of the same home address."

• Hackers planted malware in the online menu of a Chinese restaurant that was popular with employees of a major oil company. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

And the list goes on and on… and on - it includes your favorite liquor store, the local grocer, medical billing businesses, local insurance companies, patent law firms, wealth managers in your hometown and more.

Small businesses, each and every week, lead to big-business breaches, data loss, customer loyalty issues, hits to brand and reputation and, of course, direct impacts to financial bottom lines.

Yet, what percentage of enterprise IT and INFOSEC budgets and what percentage of security efforts each year are spent on this front line of defense? Having been a part of several very large companies as well in my career (one of them having over 6,000 global suppliers), I can answer for you.

Not much.

Resources devoted to securing the supply chain pale in comparison. Enterprises today spend inordinate amounts of dollars and time on resources such as security engineers, project managers, hardware appliances, firewalls, software log aggregators, deep-packet inspectors, netflow analyzers, email and web snooping systems and a hundred types of endpoint security monitors.

Yet these small business insecurities are costing big businesses lots of big money. And customers. And intellectual property. And valuable research and development dollars. And, in the case of Target, years of lost time making forward progress against competitors.

So, where is this all headed?

Can we expect small business owners and employees to suddenly become technology and cyber-savvy? Can we expect them to expend lots of time, effort and money staying diligent every day in the battle against cybercrime? Can we expect them to really care how it affects other companies up/downstream?

The answer is a resounding “no.”

Secure Small Business Back Doors

Just as the biggest of the big guys have realized already (companies like Google, Facebook and Microsoft), mid-sized and large businesses will have to get into the business of crafting programs to secure their small business back doors. They must begin offering simple and secure solutions, such as multi-factor authentication and authorization. They must start pushing out free VPN solutions and more private B2B systems.

They must continuously educate and train. They must create continuous collaboration and information sharing networks and make them unobtrusive, easy to use and free.

As well, to do these things effectively and offer the right solutions, the larger companies must begin to apply the same approaches to cybercrime analysis that they do to R&D, marketing, finance and sales.

The larger companies must start compiling their own business intelligence data for cyber risk:

• Who are their current suppliers?

• Who’s been hit and how?

• What types of businesses do they run?

• What are their roles and responsibilities to your business?

• Who are their suppliers’ customers?

• What software and systems do their partners and customers use?

• In what ways do external companies electronically interact with the larger company?

• What are their roles and responsibilities?

• What software do they use that’s vulnerable today or yesterday?

• What were their partners and suppliers affected by last month, last week, last year?
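The questions above describe a data set, not a product: a supplier inventory (who they are, what they do for you, how they touch your systems, what software they run) joined against two feeds, published vulnerability advisories and known incidents at those suppliers. The following is an added illustration, not code from the article or from SurfWatch Labs, of what that join looks like once the data is compiled. All supplier names, product names, versions, dates and weights are constructed for the example; the scoring rule (access breadth multiplied by a likelihood term built from vulnerable software and recent incidents) is one reasonable choice among many, not a published method.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class Supplier:
    name: str
    business_type: str
    role: str                    # what they do for the larger company
    access: List[str]            # how they electronically touch our systems
    software: Dict[str, str]     # product -> version they run


@dataclass
class Advisory:
    product: str
    affected_versions: frozenset  # versions named as vulnerable
    published: date


@dataclass
class Incident:
    supplier: str
    when: date
    summary: str


# Constructed sample data: hypothetical suppliers, products and dates.
SUPPLIERS = [
    Supplier("Acme HVAC", "facilities contractor", "remote monitoring of store climate systems",
             ["vpn", "vendor-portal-login"], {"RemoteDesk": "4.2", "OfficeSuite": "2019"}),
    Supplier("First Bill Co", "medical billing", "claims processing",
             ["vendor-portal-login"], {"OfficeSuite": "2021", "PdfTool": "3.0"}),
    Supplier("Corner Deli", "restaurant", "catering for staff events",
             ["email-only"], {"OfficeSuite": "2016"}),
]

ADVISORIES = [
    Advisory("RemoteDesk", frozenset({"4.1", "4.2"}), date(2014, 1, 20)),
    Advisory("OfficeSuite", frozenset({"2016"}), date(2014, 2, 3)),
]

INCIDENTS = [
    Incident("Corner Deli", date(2014, 1, 28), "online menu served malware to visitors"),
    Incident("First Bill Co", date(2013, 6, 1), "lost laptop with client data"),
]

# Illustrative weight of each electronic touchpoint: a VPN or POS-network
# connection into the corporate network is a far wider door than e-mail alone.
ACCESS_WEIGHT = {"vpn": 3, "pos-network": 4, "vendor-portal-login": 2, "email-only": 1}


def vulnerable_software(s: Supplier, advisories: List[Advisory]) -> List[str]:
    """Products this supplier runs at a version named in a current advisory."""
    hits = []
    for adv in advisories:
        ver = s.software.get(adv.product)
        if ver is not None and ver in adv.affected_versions:
            hits.append(f"{adv.product} {ver}")
    return hits


def recent_incidents(s: Supplier, incidents: List[Incident], today: date,
                     days: int = 90) -> List[Incident]:
    """Incidents at this supplier inside the look-back window."""
    cutoff = today - timedelta(days=days)
    return [i for i in incidents if i.supplier == s.name and i.when >= cutoff]


def risk_score(s: Supplier, advisories: List[Advisory], incidents: List[Incident],
               today: date) -> Tuple[int, List[str]]:
    """Exposure (how much of us they can reach) times likelihood of compromise."""
    reasons = []
    access = sum(ACCESS_WEIGHT.get(a, 1) for a in s.access)
    reasons.append(f"access weight {access} via {', '.join(s.access)}")
    vulns = vulnerable_software(s, advisories)
    recents = recent_incidents(s, incidents, today)
    reasons.extend(f"runs vulnerable {v}" for v in vulns)
    reasons.extend(f"incident {i.when}: {i.summary}" for i in recents)
    likelihood = 1 + len(vulns) + 2 * len(recents)   # illustrative weighting
    return access * likelihood, reasons


def risk_report(suppliers, advisories, incidents, today):
    """Suppliers ranked by score, highest first, each with its reasons."""
    rows = [(s.name, *risk_score(s, advisories, incidents, today)) for s in suppliers]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def sample_report():
    return risk_report(SUPPLIERS, ADVISORIES, INCIDENTS, date(2014, 2, 10))


if __name__ == "__main__":
    for name, score, reasons in sample_report():
        print(f"{name}: {score}")
        for r in reasons:
            print(f"    - {r}")
```

The point of the ranking is where it puts the deli: it has the weakest access path but a recent incident and unpatched software, so it still outranks the billing company whose only blemish is an old one. In practice the feeds are the hard part; the joins are simple once supplier software and access data are actually collected.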

In other words, it’s time to invest in the critical data and analysis in an area that you’re likely not paying much attention to now. It will make your business - and all of us - safer in the long run.

Larger businesses are usually very good at identifying cost and labor saving efforts that, initially at least, seem like the exact opposite. Down the line, these activities are usually labeled with words like “smart” or “strategic” or “critical” in front of the word “investment.”

In this case, I can assure you it’s a sound - perhaps vitally necessary - investment.

Jason Polancich is founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design, which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.