A big IT security mistake made by many small and medium-sized enterprises, or SMEs, is not realizing they are a potential target for well-resourced and sophisticated hackers.
Their arguments run the gamut, from "We don't have much of a presence on the web" and "We're just a small player in our industry," to "Our turnover is small in comparison to our competitors" and "Hardly anyone's heard of us." These claims blindly assure SMEs they won't be victims of a targeted attack and provide them with what they believe are good excuses to not invest more heavily in cybersecurity.
Don't forget the supply chain vulnerability
But all companies -- big and small -- have customers. And those customers have customers. And somewhere along this chain of relationships exists the hacker's intended target. The target company probably has strong security controls in place with a dedicated security team monitoring the network for malicious intrusions and suspicious behavior. Overcoming these protections is one reason why supply chain attacks have become a common tactic. Here, hackers use one of their target's suppliers as a stepping stone to gain access to the main victim's network. The consequence of this technique is that every company in a supply chain needs to assume it is a potential target and must know how to prevent supply chain attacks by securing its data and networks accordingly.
Depending on the nature of the relationship, customers may require potential suppliers to show that their cybersecurity strategy meets an acceptable standard and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events. In fact, many tenders for contracts stipulate that suppliers comply with relevant standards and regulations, such as ISO 27001, PCI DSS, HIPAA and ITAR. Although obtaining certifications can be quite onerous and time-consuming for smaller companies, it does ensure that IT systems and the data they handle are protected and that employees are aware of their role in keeping data secure.
Audits and security reports play a crucial role
A slightly less arduous route for SMEs is to obtain a Service Organization Control 2 report, which provides assurances about the effectiveness of controls in place at a service organization, or a SOC for Cybersecurity report, which covers processes for handling enterprise-wide cyber-risks. Audits and reports are completed by an independent certified public accountant and determine if the audited entity is appropriately addressing its cybersecurity risks. If none of these options is affordable, then a self-assessment audit based on SOC 2 is an alternative that some customers will find acceptable.
A self-assessment audit is best conducted in two stages:
- Adequacy audit. This review demonstrates that policies and procedures protecting data and managing information risk are sufficient.
- Compliance audit. This is an evidence-based assessment of the implementation and effectiveness of policies and procedures.
By conducting an adequacy audit first, any shortcomings can be corrected prior to the start of the compliance audit. There is no point in checking whether a business unit or system is compliant if sufficient documented policies and procedures aren't already in place.
Once the adequacy audit is completed satisfactorily, the compliance audit can begin. This involves assessing the level of compliance with every mandatory policy and procedure in scope. It's important to focus the scope and the audit on areas that will be of importance to customers -- for example, location, business unit, system, application or project. Customers will be particularly interested in security controls such as strong authentication, encryption of data at rest and data in transit, business continuity plans and security awareness training.
Not just checking boxes
There are a number of other security controls suppliers should enforce to prevent supply chain attacks on their customers and partners, including the following:
- Strong authentication. Because stolen credentials are often used to gain a foothold in a network, two-factor or multifactor authentication should be mandatory for access to any sensitive or shared resources.
- Strong encryption. Encrypting data at rest and data in transit is critical to reducing the likelihood of a data breach.
- BCDR integration. Be prepared to integrate your business continuity and disaster recovery plans with your key customers to ensure there can be a coordinated response to any ongoing attack.
- Security awareness training and security job requirements. Make sure employees know what's expected of them, and train them to know how to detect and mitigate potential threats. Everyone's job description should include their security responsibilities.
- Security control checks. Systematically examining and verifying IT security controls provides important feedback on the state of an organization's security strategy, and it lets employees address how security affects their work -- both positively and negatively. It's also an opportunity to demonstrate the importance that senior management places on information security.
As long as the goal of the audit isn't seen as simply checking boxes but as an exercise to improve the protection of network resources and data, its structured and documented nature will result in a more secure IT environment.
Remember, cybersecurity costs money and its ROI cannot be easily evaluated. However, security's effect on the bottom line is more critical than ever. Not only does a comprehensive cybersecurity strategy keep an organization's systems up and running and prevent expensive data breaches, but it also provides a competitive advantage when seeking new business.