Over a third of enterprises are enforcing some form of cybersecurity compliance in their contracts with SMBs, according to a recent study. Security platform developer CybSafe repeated a survey it first conducted in 2017 and found enterprise-level organizations applying increasing scrutiny to their suppliers' data compliance. CybSafe attributes the trend to tightening cybersecurity regulations and to the business that stands to be lost when digital infrastructure is left unsecured.
Security Compliance Contractual Obligations
The study results reflect a growing trend among public and private institutions of imposing more stringent network security requirements on their partners. The public sector in particular has begun to strengthen obligations for third parties, especially defense contractors, in the wake of growing state-backed hacking campaigns. Even businesses without government contracts will feel the pressure, from mounting regulatory obligations as well as direct scrutiny from law enforcement, intelligence agencies and legislative bodies at all levels.
State governments have followed the lead of Congress and other federal bodies in passing bills that take greater measures to protect personal data. Many of these impose requirements directly on commercial entities, backed by heavier penalties for noncompliance, in an effort to enforce stricter society-wide cybersecurity standards that would prevent the kinds of breaches that have become all too common, along with the long-term ripple effects they can set off.
Shift of Responsibility for Cybersecurity
Companies were once seen as the victims whenever a data breach occurred, but that perception has fundamentally changed, both in public opinion and in law. Courts and regulators now treat data-holding businesses as custodians of the personal information they collect. Any risk customers are exposed to because of a vulnerability is the company's responsibility, and penalties for noncompliance tend to scale with the risk to which customers' data, products or services were exposed.
The only good news for SMBs is that organization size is taken into account when penalties are assessed, but only up to a point: the sensitivity and volume of the exposed data can outweigh it. For example, a mid-sized 501(c)(3) nonprofit medical network based in Marlton, NJ was fined over $400,000 for a data leak caused by a third-party service. The vendor's employees introduced the vulnerability that exposed patient files, but because the nonprofit owned the data and had engaged the vendor, the responsibility, and the financial penalty, fell on the nonprofit.
Supply Chain Management – Third Party Security
A 2018 Ponemon Institute study found that 61 percent of US companies that suffered a breach had it originate with a vendor or supplier. It also found that American businesses worked with almost 600 third-party partners on average. That is a huge attack surface, with a large number of endpoints to monitor and no single point at which network security controls can be applied.
Cybersecurity is increasingly a team sport because of the connected nature of many value chains. The proliferation of network endpoints means that an attacker who wants access to a larger organization often has an easier time going after its less protected suppliers. Cybercriminals only have to go so far down the supply chain to find a business with an unpatched flaw in its software, then pivot along the trusted connections that vendor and customer already share until they reach a poorly defended entry point into the real target.
Ironically, perhaps the most useful example comes not from an attack that started at a small vendor but from the 2019 Capital One breach, in which customer data stored on Amazon Web Services was exposed through a misconfiguration in Capital One's own cloud environment. Few would call Amazon Web Services a small vendor, but the case still illustrates the risk inherent in shared security: the provider secures the platform, while the customer remains responsible for how it configures and uses it. The impact of the breach on Capital One will likely shape its business negotiations for years, if not decades, to come. A lack of clearly defined cybersecurity guidelines and roles will always leave one party facing greater risk, and greater risk means more chances to lose revenue and ROI.
Protect Your Business with Cybersecurity Best Practices
Compliance with industry and government information security obligations will become increasingly integral to keeping your business running as trade associations and legislative bodies try to limit the widespread damage unsecured networks can cause. Get ahead of the curve by learning and implementing current cybersecurity best practices.
Download this free eBook from SWK to catch up on the best tips and tricks for your company’s cybersecurity.