Cybersecurity best practices for digital businesses have been discussed ad nauseam. However, there’s comparative silence when it comes to securing non-digital businesses. Today’s reality is that every business has at least some digital components. Even if it equates to simple e-mail access, a CRM system or services that involve internet-connected devices, any instance of a digital footprint results in cyber risk, meaning even seemingly straightforward, non-digital industries like food and beverage, paper or janitorial aren’t necessarily safe.
Take
Target’s massive 2014 breach. Hackers infiltrated Target’s network by stealing networking credentials from a third-party HVAC vendor. Because the HVAC company had external network access -- and, even more shocking, because the vendor wasn’t restricted from Target’s payment system network -- hackers were able to inject malware into Target’s point-of-sale devices and collect card records from live customer transactions. Ultimately, the HVAC vendor-induced breach exposed upwards of 40 million debit and credit card accounts.
Even Well-Intentioned Actions Can Create Risk
Tactics as malicious and elaborate as the 2014 Target breach aren’t the only way vendor-induced breaches can occur. A paper supply vendor could easily become friendly with a client organization’s employees, for example, and see something on an employee’s desk they shouldn’t be privy to. Perhaps they borrow an employee’s computer to check their email and click on a nefarious link. Maybe the paper supplier is fired and retaliates by stealing one of the client organization’s laptops and connecting it to a coffee shop’s insecure Wi-Fi.
See also: How Digital Platform Smooths Operations
Even well-intentioned, fundamental business tasks can cause a debilitating, vendor-induced breach. Say an electrician sends its client organization a digital invoice. This creates a digital path that automatically has the potential to be breached. E-mail phishing, too, can affect any third-party vendor and customer relationship. Posing as a trusted customer contact, hackers can leverage social engineering to trick vendors into voluntarily sharing sensitive information about their client organization.
Cyber Insurance Mandates Require Education and Specificity
Because of the serious cyber risk that third-party vendors like HVAC, paper supply or janitorial companies can introduce, more and more large enterprises are requiring their vendors to purchase cyber insurance. In fact, according to
recent research conducted by my company, nearly half (46%) of small and medium-sized businesses are buying cyber insurance due to contractual requirements with larger companies. Not only can cyber insurance help lessen the financial blow of a cyber attack, it can also help reclaim an organization’s holdings if malware infects the company network or a hacker shuts down access to the server.
Despite the clear benefits of mandating third-party cyber insurance, the majority of vendors -- especially ones not overly comfortable with technology -- don’t know where or how to acquire it. It’s no longer enough for large enterprises to simply institute a cyber insurance mandate; they need to also educate their vendors on the specific cyber risks they pose and explain why cyber insurance is so critical. Ideally, enterprises should also work with each third-party vendor individually to find cyber insurance plans that match their unique needs and role within the larger organization.
See also: Global Trend Map No. 12: Cybersecurity
You’re Only as Strong as Your Weakest Link
The adage, “You’re only as strong as your weakest link,” rings especially true when it comes to cybersecurity. Massive corporations like Target or even franchisers like McDonald’s can allocate all the resources in the world to cybersecurity, but, if they’re not also defending against the risks their vendors introduce, all it takes is one digital action -- even a well-intentioned one -- to wreak havoc. Take the time to educate everyone involved in an organization’s digital activity on the specific risks they pose, and protect everyone’s actions and assets by ensuring all vendors adhere to cybersecurity best practices and company-wide policies, invest in basic cybersecurity tools and implement comprehensive cyber insurance.