By Matt Pillar, chief editor
Ever since news spread that an HVAC contractor was the alleged vector in the massive Target breach of 2013, IT security consultants have been repeating a common refrain: thoroughly vet your third-party contractors, especially the small ones. Restrict and monitor their access to your network and applications. Maybe even think about moving away from small business partners in favor of contracting with larger, well-heeled partners who are, presumably, better equipped to thwart cyber threats.
Not bad advice, with the exception of the broad-brush generalization about the dangers of working with small partners.
A just-released study from (ISC)² offers up data that suggests discriminating against small business partners is an unfounded and unreliable “strategy” for minimizing cybersecurity risk. For its Securing the Partner Ecosystem study, the organization surveyed more than 700 respondents at both small businesses (with fewer than 250 employees) and large enterprises (1,000+ employees) to learn how data sharing risk is perceived. As you might expect, even all these years after the harrowing details of the Target breach spread like wildfire, half of large enterprise execs surveyed said they view third-party partners of any size as a cybersecurity risk.
Interestingly, only 14 percent report experiencing a security breach at the hands of a small business partner. Asked if their secure networks had been breached as a result of working with a large third-party partner, 17 percent responded in the affirmative.
Beyond the interesting refutation of the “small partner = security risk” argument, this research is important to IT service providers on several fronts. As a third-party partner to your clients, this peek into the client psyche is instructive. It should inform the way you sell and your approach to service, as well as the way you pitch the outside partner resources you’re bringing to the client party. Equally important, it should guide your consultation with clients about the way they’re securing data when they bring partners to the party.
The (ISC)² research found that nearly two-thirds of large enterprises outsource at least one-quarter of their daily business tasks, which requires them to allow third-party access to their data. It also found that access management and vulnerability mitigation are often overlooked. For instance:
- 54 percent of small businesses have been surprised by some of their large enterprise clients’ inadequate security practices, and nearly the same number have notified their clients of said vulnerabilities.
On the flip side of that…
- 35 percent of large enterprises admitted that when alerted by a third party to insecure data access policies, they do nothing to correct the problem. To an IT service provider, that stat suggests both a risk and an opportunity. How likely is it that your clients are ignoring the security best practices you’re prescribing? How likely are those clients to blame you in the event of a breach? And, how big is the market opportunity for security-minded tech service providers to go out and correct these errors of ignorance?
- More than half—55 percent, in fact—of small business respondents reported that they still had access to a client’s network or data after completing a project or contract. That’s a huge vulnerability, and it’s a giant opportunity for IT service providers to provide corrective services.
Regardless of organization size, respondents shared these top three cybersecurity strategies:
- Regular automatic scans with antivirus and anti-malware programs
- Blocking access to known malicious IP addresses through firewall configuration
- Strong email filters to prevent phishing
Those are all fine baseline safeguards. They leave a lot of room for you to pitch IT security consulting services, additional cybersecurity applications and tools, and cybersecurity training and awareness programs. That is, if you can overcome the misperception that your small business poses a greater security risk to your client than your bigger competitor down the street.
Check out the full 2019 Securing the Partner Ecosystem report from (ISC)² at https://www.isc2.org/Research/Ecosystem