When it comes to small businesses, possibly only 10 percent of them have a robust cybersecurity plan in place. That’s concerning considering some cyberthreats could introduce a catastrophic event, one that could cost a company its biggest clients, or sink the business entirely.
Additionally, third-party compliance requirements are expected to increase in the coming years, with larger businesses insisting that companies in their supply chain meet a certain cybersecurity threshold.
“We’re already seeing that,” says Ross Patz, CHFI, CEH, IT & Cybersecurity Manager at Clark Schaefer Consulting. “Large businesses are requiring their vendors to complete a third-party risk assessment. And so the critical question becomes, can the business pass muster — does it have protocols and protections in place to withstand a variety of cyberattacks and mitigate risk to an acceptable level? If not, it could cost them the relationship.”
Smart Business spoke with Patz about the cyberthreat environment, third-party compliance, and how companies with limited resources can protect themselves and preserve their client relationships.
What are the more significant cybersecurity concerns?
At the end of last year, much of the conversation around cybersecurity was related to reports of malicious chips in the supply chain of major companies. There were also conversations about cryptojacking, which means injecting malicious code into website ads that tries to use the host computer to mine cryptocurrencies such as Bitcoin and Monero. Bad actors were also using techniques such as virtual credit card skimming by injecting code into online shopping carts.
Today, the move to remote work has opened the door to new types of threats that are designed to exploit the current business models. Companies that had a pandemic plan, one that included cybersecurity risks, have largely been prepared to mitigate the new threats. Those businesses that didn’t have a plan now have to come up with strategies, ideas and business processes on the fly, which tends to breed vulnerability.
What’s the risk of being unprepared?
More and more, organizations are implementing and maturing third-party risk management programs. These are typically larger and/or regulated companies that require third parties to complete a questionnaire that assesses their cybersecurity risk rating. That rating is based on how well companies can protect themselves against cyberthreats.
That could put smaller companies in a tough spot. Executing a robust cybersecurity program can be difficult when resources and expertise are thin. And hiring a chief information security officer is often prohibitively expensive. Still, companies need to put together an information security program that meets the standards of third-party risk management requirements, or risk losing the business.
How can companies deal with these threats?
A well-executed cybersecurity program is the best weapon against cyberthreats. Building one that’s effective means both understanding the threat environment and designing processes and policies to mitigate that threat.
Smaller companies will often say that cost precludes them from implementing a cybersecurity program. But in reality, with larger clients requiring a certain level of competency, that potential loss of revenue is even more difficult to afford.
Companies without the capability to deal with these threats internally can turn to outside providers to provide that advisory role affordably. In these arrangements, there are regular checkups — sometimes monthly — to address issues and keep track of plan progress. Cyberthreats are a moving target and companies can always benefit from regular reviews and strengthening their position as new threats appear.
Businesses don’t have to become cybersecurity experts, but they’re going to be held more accountable for their cyber defenses. Fortunately, there are organizations out there that can help.
Published in Smart Business Columbus, November 30, 2020.