In July, the Australian airline Qantas confirmed a data breach that it said originated with a vendor’s customer service platform, affording hackers access to the personal data of up to six million Qantas customers. That news came soon after multiple healthcare providers revealed they had been victimized by an attack on Episource, one of their service providers, exposing the medical records of some 5.4 million patients.
Notice a trend here? In each case, a third party within the victim’s ecosystem unwittingly provided an entry point for cyberattacks, according to reports. The big lesson from these incidents is a company’s cyber-defenses are only as protected as the organizations within their business ecosystems.
As the cyberattack monitoring organization Security Boulevard noted, “Third-party vendors often represent the weakest link in corporate data security. Even non-critical services like customer support must be held to strict security standards.”
If findings from a recent Kinetic Business report are any indication, some of the small and midsized companies (SMBs) inside your business ecosystem could put your organization at risk. The report, based on a survey of more than 300 small business owners, operators, and managers across the United States, found a troubling disconnect among SMBs, whereby they recognize the growing threat of cyberattacks and want to take measures to protect their organizations, yet often lack resources to invest in better defenses. While a solid majority (59%) acknowledged their business must improve cybersecurity, only about half (49%) indicated their organizations intend to invest in cybersecurity technology this year, and 52% said they aren’t confident in their organization’s preparedness for a cybersecurity threat.
This is a big red flag — and a call to action — for the many enterprises whose business ecosystems include SMBs. The risks of third-party breaches are too real and the stakes too high to ignore. A recent report from Mastercard found that 46% of the more than 5,000 small and medium-sized business owners it surveyed experienced a cyberattack on their business. Meanwhile, almost one-third (31%) of cyber-related insurance claims were attributable to breaches originating with a third party, according to Dark Reading.
Given how common third-party breaches have become, organizations must act decisively to curb the cybersecurity threats inherent in modern business ecosystems. Start with these five steps:
1. Take stock of your own organization’s cyber defenses. First, ensure your own house is in order. Evaluate your company’s cyber risk profile, conduct an audit that includes a penetration test, which analyzes defenses and identifies gaps at the remote, in-office and cloud levels across the entire organization, and take any necessary steps to address shortcomings and gaps.
2. Set the cybersecurity bar high inside the business ecosystems your company participates in — and ensure everyone clears it. After assessing your own organization’s cyber defenses, now turn your attention to others within your business ecosystems. What’s needed here is a “trust but verify” stance, where your security team creates a set of well-defined cybersecurity standards and requirements with which the entities within your ecosystems are expected to comply. Your security team then can request reports or audits from those entities to ensure they check all the required boxes. Meanwhile, other entities within the ecosystem should also assess your organization’s cyber defenses, fostering a collaborative culture of security across the ecosystem.
Ultimately, the goal is to gain assurance that your counterparts within a business ecosystem, SMBs and otherwise, have security measures in place that are appropriate to their specific risk profile.
3. Foster regular and open communication and collaboration between organizations and their security people/teams. Your security teams need to learn who their counterparts are at other organizations (chief security officer, for example) within the ecosystem, then connect with them regularly to share best practices and pitfalls, discuss compliance, alert one another to new and emerging risks, provide referrals to vendors and third-party cybersecurity experts, and keep one another apprised of other important developments on the security and cyber threat fronts.
4. Be generous in sharing your cybersecurity expertise with less sophisticated, more resource-constrained entities within your ecosystem. As the Kinetic Business report notes, many SMBs lack the deep pockets and in-house expertise to evaluate, acquire, implement and manage the cybersecurity capabilities needed to safeguard their digital networks and IT infrastructure. If that’s the case with any organization within your business ecosystem, you could pay it forward, for example, by giving those organizations access to your internal security experts for advice and guidance and offering vendor referrals.
5. Stick to the cybersecurity standards you establish for your ecosystem counterparts and be prepared to take your business elsewhere if an organization can’t — or is unwilling to — meet them. The members of your business ecosystem should be held accountable to meet one another’s cybersecurity requirements and expectations (as long as they are within reason, of course). Establish processes and protocols for regularly verifying that other entities are meeting your requirements.
Losing a valued vendor, supplier or partner isn’t optimal. But as companies that have been victimized by a cyberattack initiated through a third party can attest, taking proactive, preventive measures sure beats dealing with the costly aftermath of a serious data breach.
