Recent research has shown a link between strong cyber security and business success among small businesses. But if you’re not convinced, then be prepared to never do big business with – well, big businesses.
Are You Worth the Risk?
Your business may be niche, unique, amazing. That on-trend product you manufacture with such skill may be just the thing that one of the big department stores would love to add to their offerings. But are you worth the risk?
While it’s true that we sometimes hear about data breaches in big companies, study after study shows that those most at risk of cyber-attack – and those least prepared for it – are small businesses.
When big businesses, who often have whole teams and eye-watering investment amounts dedicated to cyber security, work with you, they’re taking a risk, because some of those breaches in big companies were caused by their dealings with small businesses like yours.
Supply Chain Breaches
In 2015, human factors – security breaches both accidental and deliberate, and inside an organisation or the supply chain – accounted for 21 of the 39 recorded breaches. Organised crime was reported as responsible for only 9 out of the 39.
Over the past few years, an increasing number of high-profile breaches at big companies have been traced to smaller companies in their supply chain.
2013: Target suffered a significant breach, with hackers stealing 110 million customers’ data and details of at least 40 million payment cards. Cause? The initial breach was via a connection established by one of its vendors, Fazio Mechanical Services. Network credentials were stolen from Fazio and then used to access the Target network and steal data over a period of several months.
2014: Home Depot suffered a credit card breach, initially due to credentials stolen from a third-party vendor.
2015: A large London-based insurer suffered a third-party breach in which customers’ data was stolen. The security protocols agreed with its supplier in their contract were not in place, and the incident damaged the insurer’s reputation.
A large organisation based in East Anglia suffered two linked malware attacks within six months as a result of using an unpatched application component provided by a third party.
2016: A not-so-small third party, Hitachi Payment Systems, was unaware of malware in the system it ran to operate YES Bank’s ATMs. 90 of YES Bank’s ATMs were affected and data from the cards used at these ATMs was stolen. Fraudulent transactions were carried out against 641 customers of 19 banks, including ICICI Bank, SBI, Axis Bank, HDFC Bank and YES Bank.
As for 2017, where to start?
Debenhams found that the personal data of 26,000 of its customers had been exposed by a breach suffered by the third party responsible for their online florist service.
A breach at Anthem Inc., the United States’ largest healthcare contractor, exposed information on 18,000 customers.
The high-profile attack on the NHS’ 1.2 million patient-name database was achieved by hacking a third-party booking system.
And of course, cyber security is only as strong as the security of the users and their access. TalkTalk have suffered more than one breach. However, their £100,000 fine imposed in 2017 was due to a 2014 breach that occurred within Wipro, an IT services company in India to whom TalkTalk outsourced the resolution of some complaints and network coverage problems.
Three Wipro accounts had been used to gain unlawful access to the data of up to 21,000 customers. Forty Wipro employees had access to data on between 25,000 and 50,000 TalkTalk customers, and could log in to the portal from any internet-enabled device. By using wildcard searches, they could quickly access and export large quantities of customer data.
Expectations v Standards
Perhaps the blame doesn’t lie entirely with small businesses. The Government’s Cyber Security Breaches 2017 report found that although 19% of businesses are worried about their suppliers’ cyber security, only 13% require suppliers to adhere to specific cyber security standards or good practice.
Some sectors are more concerned about their third-party partners. The percentage of firms concerned about supplier cyber security rises to 30% in the finance or insurance sectors and to 22% among education, health or social care firms – sectors we would expect to have documentation. Even so, only 19% set standards for their suppliers (although this rises to 36% among larger concerned businesses).
The Government’s report says these figures suggest “businesses may not recognise the potential they have to set and change supplier behaviour by insisting on certain minimum standards – and this could be an effective way of driving up cyber security across supply chains.”
However, the report also points out: “From the supplier point-of-view, cyber security might also be framed as something that can demonstrate their reliability and integrity to their business clients. This came out in the qualitative survey, where one firm of lawyers noted that they wanted to demonstrate to clients that they are a reliable firm and would protect their interests – one aspect of this was complying with customer questionnaires and audits testing their cyber security standards.”
Reliability Raises Your Reputation
Not only will good cyber security standards make your small business a more reliable and attractive proposition to large businesses, they will help keep your own business and your customers safe – and the tide does seem to be turning.
In July, a survey by CybSafe found that 1 in 3 SMEs have had their cyber security precautions questioned as part of contract negotiations in the last year, and 1 in 2 have had cyber security clauses added to new contracts in the last five years. 44% said they had been required to have a recognised cyber security standard, such as ISO 27001.
The threat of Information Commissioner’s Office (ICO) sanctions, the General Data Protection Regulation (GDPR) (which could see businesses incur huge fines for data breaches) and an increasing awareness of the risks of reputational damage “mean enterprise organisations are increasingly looking at the security of their entire IT estate, including third party suppliers,” said the CybSafe summary.
Yet the study also revealed that 1 in 7 SMEs selling to enterprise companies had no cyber security protocols in place at all – and less than half had begun taking data protection steps ahead of GDPR implementation.
The message is clear. SMEs must adapt or die if they wish to thrive.