Hacking one network to access another more lucrative network is a common hacker tactic. Increasingly, the first network to be hacked likely belongs to an SMB. When an SMB is networked with a larger customer, a vulnerability in the SMB’s network might translate to a vulnerability in the customer’s network. By hacking an SMB, a hacker learns how to get into the customer’s network, what that network can do, and about any access credentials and procedures. Hackers can lurk for as long as they like, looking all the time like an authorized supplier.
Online retailers with a database of credit cards could see those details stolen thanks to a virus or Trojan horse that infects a delivery company, manufacturer, cloud-CRM supplier, or any other company in their supply chain with access to their IT network. The hackers don’t have to act immediately. They can wait until Black Friday or Christmas.
That means SMBs’ IT security is coming under more scrutiny from their large enterprise customers. SMBs are also likely to see security operational conditions show up in their partner contracts. Failing an IT security test could mean not getting (or losing) a contract—and not just an IT-based contract.
The customer will want the right to show up for unannounced network, software, and facility spot checks. Naming and shaming is also likely. It’s in the larger customers’ interests to let partners know when one of their number has been caught with inadequate security and terminated.
Customers might also expect the SMB to agree to be held liable if a breach is traced back to it.
So far, enterprises looking closely at their supply chain and small business partnerships aren’t always liking what they find.
Kaspersky Lab’s Global IT Security Risks Survey found:
- There has been an eight percent fall in the deployment of anti-malware solutions on mobile devices.
- 44 percent of businesses don’t have a fully implemented security solution.
- 52 percent of respondents think that their organization needs to improve its incident response plans for data breach and IT security events.
Leadership required
Only 54 percent of respondents said they were sure senior (non-IT) personnel within the organization have a good understanding of the IT security risks their companies face. That is not an encouraging sign when 90 percent of businesses have experienced some form of external threat.
One thing cautious enterprises are likely to be asking themselves is if the leadership teams of their suppliers have made security a priority. Finding out those teams aren’t even aware of the scale of the problem will not reflect well.
The first job an SMB’s IT professionals face might be one of internal education.