5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain

Transcription

1 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain

2 Introduction Cybersecurity for the enterprise. There is no silver bullet. But as business becomes more connected and as data moves further outside the organizational walls, enterprises need look at weaknesses in the security chain and a good place to start is in the supply chain. Think about how many small businesses, suppliers and customers have access to different areas of a business. Each of these touch points creates another area of exploitation. But small businesses do not generally employ the same strength of security as larger companies because it s complex, costly and resource-intensive. An enterprise can put all of the onus on its partners, but the result of this approach may not work out too well. If an enterprise wants to get serious about its security, then it must take on the responsibility to: continuously alert its business partners to different threats and vulnerabilities allow them into their threat networks extend their security solutions out to them directly pull the small guys directly under the info-sharing umbrella The fact is that small businesses sit on the front lines in the round-the-clock cybercrime battle. This paper examines the challenges of securing small business backdoors in the enterprise supply chain. Small Businesses Don t Understand Cybersecurity Small businesses are fairly clueless when it comes to cybersecurity. One out of four small firms have little to no understanding of cybersecurity issues whatsoever, according to a 2013 survey by the National Small Business Association. And almost half of all small businesses have been the victim of a cyber-attack. To really get clarity on this issue, in the course of your typical week running errands, ask small business owners about cybersecurity. The conversations will most likely be very enlightening and more than a little bit worrisome. A simple question such as: How do you handle your computer security? or How do you defend yourself against cybercrime? will result in one of the following real-life answers the majority of the time: Well, the same company that hosts our website protects us. We re good. Oh, we use antivirus, so we re ok.

3 All our stuff is stored in the cloud so it s safe. We re a chain, so corporate handles all that , web stuff. They make sure our systems are good. We re not responsible for it I don t think. The banks handle everything pretty much. If someone uses a fake card or stolen card, we turn it over to them. Usually we fill out some forms and file a report. It happens a lot. From here you can ask a few more lightly probing questions, such as Have you ever been the victim of a cybercrime? How so? What happened? What kind of stuff affects your business? Responses will be along the lines of the following real-life examples: I don t understand that stuff. It costs too much. Nothing has happened that I know of. We paid this local web designer to build our site and host it. It seemed cool and he was fast! About a month later, our site was hacked and they got into our Facebook page too. That guy wouldn't return our calls. I think they got into our database or something. Hackers stole our login to our main suppliers online purchasing system. They pulled out all sorts of info on customers and sold it all online. It was traced back to us, but we didn't do anything. Now we can t buy from them. They may get sued and in turn might sue us. A nurse who works here got one of the laptops stolen that we were trying out from the medical equipment company. Turns out it had lots of patient info on it and WiFi info from the other offices that had used it. The company told us not to talk about it. I probably have, but I don t know. I use the same password on like a dozen sites for banking and purchasing and payments. Probably shouldn t, but I do. I can t keep up with the threats anyway. I don t have time. I ll cross that bridge when I come to it. If the small business owner is fairly tech savvy, you could probe a little deeper and ask about their networking. Questions like, I see you re using a Linksys E900 wireless router for your WiFi - have you had any issues? Are you running the latest firmware? Typically you ll get a response similar to either of the following: No, no issues at all. Set it up out of the box, haven t had to touch it in 3 years. I should probably upgrade to be faster, but it s working well and I m afraid to touch it! My customers can get on too through a guest network, so I d have to interrupt them.

4 Small Business Has a Big Impact on the Enterprise Supply Chain Small businesses simply don t have the time or energy to put towards security. They have enough to do worrying about the success of the business that is their life s blood. They rightly spend their time and energies making ends meet. But small businesses keeping in the dark about security can cost them their entire business. And their insecurity is an everyday problem for larger organizations in the commercial supply chain. Small businesses are on the front lines in the round-the-clock cybercrime battle. Small businesses, each and every week, lead to big business breach, data loss, customer loyalty issues, hits to brand and reputation and, of course, direct impacts to financial bottom lines. Yet, the percentage of enterprise IT and Infosec resources and budgets spent on this front line of defense pale in comparison to the amount spent on security engineers, project managers, hardware appliances, firewalls, software log aggregators, deep-packet inspectors, netflow analyzers, and web snooping systems and a hundred types of endpoint security monitors. It s not just about the enterprise network but what other users and systems have access to that network. Small business insecurity costs big businesses customers, intellectual property, valuable R&D budgets and ultimately impact the bottom line. 5 Critical Tips to Secure Small Business Backdoors In order to ensure a safer ecosystem for organizations large and small, the enterprise has to take on more responsibility for handling the Recent Examples of Small Business Backdoors in the Supply Chain Target s POS system was compromised through Fazio HVAC s company network. Reuters news site was compromised by Syrian Electronic Army hacktivists through startup content discovery platform Taboola. CNN, Washington Post, and Time were compromised by hacktivists through Outbrain, a downstream content syndication provider. Several travel sites had customer payment information stolen when EZYield, a small travel reservation service was breached. AutoNation was compromised by TradeMotion, which has less than 100 employees. LoyaltyBuild caused a 500,000+ card breach, heavily affecting grocery chain giant SuperValu, which has 224 stores in Ireland. Patient data from a Florida hospital operated by Advanced Care Hospitalists PL was breached through a billing company, which "was run by two women who were running a trucking company out of the same home address." Malware planted in a Chinese restaurant s online menu inadvertently downloaded code on oil company executives machines that gave the attackers a foothold in the business network.

5 security of their small business partners, suppliers and customers. In order to do this effectively and offer the right solutions, the larger companies must begin to apply the same approaches to cybercrime analysis that they do to R&D, marketing, finance and sales. Small businesses simply don t have the resources or budget to focus on cybersecurity, so here are tips for larger organizations to shore up these potential backdoors in their supply chain: 1. Start compiling business intelligence data around your cyber risks. Conducting data analysis on more than just your internal low-level log files, network appliance outputs, packets and other cyber data is essential. Understanding your organization s risks form the outside-in can serve as a distant early warning system for your enterprise security. This means collecting data that answers questions such as: Who are your current suppliers? Who s been hit and how? What types of businesses do they run? What are their roles and responsibilities to your business? Who are their suppliers customers? What software and systems do your partners and customers use? In what ways do external companies electronically interact with the larger company? What are their roles and responsibilities? What software do they use that s vulnerable today or yesterday? Which partners and suppliers were affected by an attack? 2. Require Multi-Factor Authentication. For all enterprise web apps and web services, it s essential that you implement a two-factor (or more) authentication and authorization practice for anyone holding an account on your applications or network services. Today, multi-factor authentication is readily available through many SaaS providers and is becoming more and more inexpensive making it an essential part of your enterprise security umbrella. 3. Use VPN solutions and more private B2B systems. Requiring VPN access for all remote employees, salespeople and partners who need access to your web and network services should not be overlooked. In particular, as enterprise networks and services are increasingly accessed from more clients, good mobile VPN adoption is a must.

6 4. Continuously educate and train your employees, partners, suppliers and customers on cyber defense best practices. Most enterprises completely ignore the responsibility of educating and training their employees and especially partners in core, fundamental cybersecurity concepts and cyber defense operations. Today, active software platforms and video game-like systems exist to make training large numbers of partners easy and affordable while at the same time delivering immediate results in a highly-raised level of awareness. But it doesn t just stop at training and education it should continue through information sharing networks that are easy to use and free to those in your supply chain. 5. Invest in anti-malware and anti-phishing solutions. While anti-malware solutions are typically already in place at the enterprise, by springing for anti-malware solutions for your trusted (and untrusted) partners you are making an investment in your own security. Another important investment area is on anti-phishing solutions and education since the majority of successful and costly exploits against enterprises start as phishing campaigns against employees and partners with critical access to corporate software systems, networks and other services. Of course there are many more tips for securing small business backdoors in your supply chain, but the above list is a good starting point to lower your overall risk exposure. Conclusion It s time to invest in the critical data and analysis in an area that is likely not getting as much attention as it should. It will make businesses large and small and consumers safer in the long run. This means the enterprise needs to take on the burden of: continuously alerting those in the supply chain about cybersecurity issues allowing partners, suppliers and customers into the enterprise s threat networks extending out security solutions to those in the supply chain directly pulling the small guys directly under the info-sharing umbrella Larger businesses are usually very good at identifying cost and labor saving efforts that, initially at least, seem like the exact opposite. Down the line, these activities are usually labeled with works like smart or strategic or critical in front of the word investment. In this case, it s a sound perhaps vitally necessary investment.

7 About SurfWatch Labs SurfWatch Labs delivers cyber risk intelligence solutions that help organizations understand the potential for cyber-attacks, determine the impact to their business and proactively address threats head on. SurfWatch Labs was formed in 2013 by former US Government intelligence analysts to go beyond the low-level threat intelligence approach that can drown organizations in data. By aggregating and automatically analyzing vast amounts of data from a wide range of structured and unstructured sources, SurfWatch enables organizations to zero in on their unique cyber risk profile and ensure the most effective risk management strategies are identified and implemented. With SurfWatch, organizations can immediately understand and act on their cyber risk. SurfWatch Labs: Cyber In Sight. For more information, visit Contact us at: info@surfwatchlabs.com (866) Follow us at: