The problem with information security is that there are no absolutes. Even with the very best efforts, no security system is impenetrable and for business, it makes information security a tricky issue to address. Keeping up to date with the latest security patches may be vital but it's only one of many tactics to ensure information is kept safe and secure.
Large organisations are beginning to look outward and consider the potential threats from cyber-security weaknesses outside the organisation, with the supply chain an important area that forward-thinking CIOs and CISOs are looking to lock down. Small and medium-sized enterprises (SMEs) dealing with larger businesses now need to start taking sensible precautions to ensure they are taking their customers' and partners' data as seriously as they do their own IT systems, software and networks.
This means that the next big battleground for SMEs will be in ensuring their enterprise customers see them as a “trusted vendor” in IT security terms. For example, the 2014 hacking of Target in the US, which has already cost the company $252 million – and costs could rise to as much as $1 billion – occurred after the company's air conditioning supplier's IT systems were breached, giving the attackers access to the vendor's credentials. On the other side of the pond, hackers gained access to retailer Debenhams' customer names, addresses and financial information via its florist supplier between February and April 2017 – with the retailer unaware of the breach for seven weeks before the attack was exposed. It's true for all forms of security that you are only as secure as your weakest link, and in these two cases the weakest link, and therefore the easiest attack vector, was found to come via the supply chain.
The Technology/Human Equilibrium
According to the Online Trust Alliance, 90 percent of cyber breaches in 2016 were preventable. Many of these occur as a result of poor cyber-security practices, negligence or ignorance. This comes against the background that nearly half of British businesses discovered at least one cyber-security breach or attack in the past year, rising to two-thirds amongst medium and large companies. It is clear that businesses that cannot successfully demonstrate cyber-resilience – and become a true trusted vendor – will lose out on lucrative contracts as cyber-security becomes more important.
Becoming this trusted vendor will rest on three essential tenets of cyber-security: technology, process and people. Suppliers will have to demonstrate that they have the right technology and process in place to protect their customers' data, and that their employees are not part of the 90 percent that could have prevented ‘that’ breach. This will be demonstrated through the right level of security technology, appropriate to the individual business sector and the client data that sector handles.
As vital as the reactive technology and process – firewall, anti-virus, end-point protection – are to a business, so too is the proactive side: the human element, which can prove to be the business's best cyber-defence. If an SME can empower and educate its people on managing cyber risk, it will be favoured in future business tenders as cyber-security becomes a normal part of the due diligence process.
Engage and Empower
The “trusted vendor” will be the SME that can show that its security is up to an enterprise standard. This will include the technology covering issues such as data location and encryption, but also staff training programmes that provide a kite mark for cyber-security. This means a demonstrable and effective employee training programme could be crucial in this new landscape. Organisations must not only ensure that their own IT systems are protected, but they must also seek confirmation that suppliers are also protected and taking cyber-risk as seriously as they do.
Some steps that SMEs can take to become a quality-assured trusted vendor will include:
- Ensuring that your workforce is engaged throughout the cyber-risk chain – there is evidence of cyber-security inertia among employees. SMEs must gain the buy-in of employees so that they understand that IT security is not simply a ‘business’ issue.
- Providing regular training to tackle pressing threats – behavioural science has demonstrated that people absorb more information in small, regular chunks rather than big doses of data. So, a half-day IT training course every six months will not be as effective as bite-sized training sessions every week.
- Empowering employees to become your most effective firewall – no one ever wants to be the weak link in the chain. By giving employees the tools and skills to fight cyber-crime, businesses will create the most effective firewall possible – their people!
The business owner or IT manager that can do this will achieve a level of behaviour change throughout the workforce, which can have a longer lasting effect on a business and its level of cyber-risk.
Cyber-security as a value creator
For SMEs, cyber-security also represents a business opportunity. By achieving trusted vendor status, cyber-security becomes a value creator – a key differentiator against competitors.
For enterprises, it's neither practical nor commercially viable to take responsibility for the implementation of appropriate cyber-security practices and systems in the companies within their supply chain. However, what they can – and should – do is demand that their suppliers take responsibility themselves as part of the normal due diligence process. Becoming a trusted vendor will prove vital for SMEs, and an increased focus on the human aspect of cyber-security training, and not only the technology, will be a key differentiator.
Contributed by Oz Alashe MBE, CEO and founder, CybSafe
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.