By Evan Schuman
Yet another recent report confirms the obvious, that SMBs in general do not take security seriously enough. The truth is a bit more nuanced than that, of course—SMB execs generally take security very seriously, but they don’t have the dollars to do enough about it—although it amounts to the same thing.
This year, though, SMBs are going to have to look at security differently. Why? That is because enterprise execs are repeatedly seeing their own networks hurt because of less-than-terrific security from SMB partners that do distribution, providing supplies or handling anything from backup to bookkeeping. Faced with their own security mandates—whether from PCI, HIPAA, European Union or any other external body—they are going to crack down on SMB partners.
Hence, unless you want those enterprise-level contracts to take a walk, your security return-on-investment (ROI) calculation just got a lot messier.
What new actions can SMBs expect from their enterprise-level partners in 2016? Until now, most have satisfied their obligations and kept their corporate counsels at bay through contractual agreements. In short, they put in their partner contracts that the partner is obligated to comply with a laundry list of security measures. Write it down, make SMB partners sign it and they’re all done.
The problem with enterprises going solely with the contractual obligation route is that the proverbial stick (as in carrot and stick) is limited to reactive situations. If something bad happens with the enterprise operation’s security and a forensic investigation eventually points the finger at the SMB partner and that probe specifically concludes that the SMB had violated the contract’s obligations, that SMB partner doesn’t merely lose the contract. They will also certainly be sued for the resultant damages, which could easily bankrupt some SMBs. That’s sufficient incentive/deterrent, right?
Not anymore. From the enterprise’s perspective, that stick only kicks in after a breach and only if enough evidence exists to tie it back to the SMB partner. Given the ever-increasing talent of many cyberthieves to hide and delete their trails, it’s a gamble that many cash-strapped SMBs are willing to take. What are the odds of both of those things happening, those SMB execs think, given the vast security arsenal deployed by their multi-billion-dollar enterprise partner?
Therefore, to up the real—as opposed to merely pledged—compliance with its SMB-partner security rules, enterprises are going to start surprise snap inspections and demanding access to sensitive IT systems. Some might even go so far as to try and entrap partners by creating fake sub-suppliers to respond to the SMB partner’s RFPs and see if they follow the rules and demand what they are supposed to demand.
Why would enterprises go through this effort, seemingly to hurt partners? Because that’s what will be required. If XYZ enterprise doesn’t loudly and publicly expose and punish a couple of SMB partners, a sufficient deterrence won’t exist.
The whole point here is to change that SMB exec’s ROI calculation. By increasing the number of ways an SMB partner’s lack of security compliance can be caught/detected, they want that ROI to force those partners to invest the security dollars. The rationale is essentially: “If you won’t invest in security because you need to for your own company’s protection, or because you have signed a contract that you will, then do so because we need to make an example of somebody and you don’t want that to be you.”
Next Step: how to deliver the most cost-effective security. Once you have conceded to the new ROI calculations and have decided that you must increase your security budget, the natural inclination—especially in an SMB environment—is to calculate the absolute minimum dollars to comply.
This is also known as checklist security, which is frowned upon. That said, it’s a step-up from rolling the dice that you won’t get caught. Here’s a trick: Guarantee your safety by having your people work with the enterprise partner’s IT security people on what your options are.
You may be surprised at how reasonable they can be. The best part is that by doing so—in e-mail as much as possible, to create a powerful paper trail—you are protected. Despite the bogus reputation of enterprise IT that they don’t sweat pricing details, they do. No one is better at squeezing a contractor nickel than a Fortune 500 IT security manager.
Not only will they steer you to the most cost-effective options, but they might even make a referral for you, so that you can benefit from a small taste of your partner’s volume-purchasing pricing. They might even help you out by participating directly in those vendor calls. After all, you are a partner.
And because you are working with them—and don’t forget that paper trail—you can’t be blamed for choosing whoever the enterprise IT people suggested.
OK, in reality, you can be blamed for anything.