Small Suppliers Must Beef Up Security

As larger companies shore up their defenses, attackers have shifted their focus to the smaller companies that supply goods and services to those enterprises in hopes of gaining access to the bigger targets' networks and data.

The trend appears to be gaining steam. In the first half of 2012, small businesses alone accounted for 36 percent of all targeted attacks, up from 18 percent at the end of 2011, according to data from Symantec. Overall, about half of all targeted attacks hit SMBs in 2011, the security firm's annual Internet Security Threat Report says.

Retailers, restaurants, law firms, and doctors' offices have all found themselves increasingly in the crosshairs, but firms that partner with larger enterprises are at more risk, says Brian Burch, vice president of Americas marketing for SMB at Symantec.

"The bad guys know that the best way to try to penetrate not only the small business, but also potentially the clients of that small business, are to go in, lie and wait for an opportunity to find a vulnerability," he says. "Then you can get two for one."

The trend has not gone unnoticed. Small-business associations are increasingly exhorting their members to focus on data security and warning them that larger customers will expect a more mature approach to safeguarding data and access. Speakers at the Business Matchmaking initiative, for example, regularly warn the group's small-business members to better secure their systems, says Chuck Ashman, CEO of SMA Global, which runs the Business Matchmaking program.

Supplying the needs of large enterprises is a $300 billion market, estimates the SMB Group, an analyst firm. A number of organizations--such as the Business Matchmaking initiative and Supplier Connection, an IBM-supported approach--have cropped up to help small businesses find a good fit. These groups are also warning the businesses that their clients will start requiring better security, says Ashman.

"The conclusion is that there is a new environment for small business," he says. "If they want to sell to the federal government, if they want to service corporate America, they have to be able to demonstrate--and they should want to, anyway, for their own protection--the ability to hold onto what they have."

While regulations and mandates may not be on the way, small- and midsized businesses should expect that contract language will crop up requiring them to take prudent measures to protect security. Moreover, if a client or customer is required to abide by one of the various regulatory frameworks, the supplier will need to follows the rules as well.

For many small companies, the requirements will boil down to a simple philosophy: Take security seriously. For others, it will be more onerous.

[More than half of all small and midsize businesses have suffered a data breach, most which could be prevented by better training, policies and a smattering of technology, study finds. See SMBs Unprepared For Security Breaches.]

Up-to-date antivirus software and a firewall are not enough. Companies need to know when they are breached, and that requires more analysis than most SMBs can easily do. For that reason, small businesses should do some soul searching, says Rocky DeStefano, CEO of Visible Risk, a security intelligence firm.

"Is the security component part of their core competency?" says DeStefano. "They need to have the right visibility into their systems, and that is not going to come from an AV log or necessarily a firewall log."

Adding more security, whether as a managed service or as a homegrown security team, could break the bank of most SMBs, says Eddie Schwartz, chief information security officer for RSA. Larger companies should help their smaller suppliers to create a more secure service and protect their data better, if it makes sense, he says.

"In some cases, if you are a large organization, you may have to take on the cost of securing your supplier in some way," he says. "That's just the cost of doing business today."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.