Cybersecurity is essential for companies of every size. Given their extensive and more complex environments, however, large enterprises typically face more vulnerabilities than SMBs – and the successful blocking of cyber threats hinges on constant attention to a broad range of operational activities.
In our previous blog, we described the various issues that can put larger companies at risk if left unattended, including vendor connectivity, M&A activities, cloud storage, software patching, security talent and security training. Here are some best practices you can begin using to eliminate these weak spots in your infrastructure.
Minimize supply chain liability
The larger the enterprise, the greater the level of vendor, subcontractor, distributor and strategic partner engagement, and confirming the security of their data, storage and infrastructure is as critical as securing your own. There’s a delicate balance between ensuring security and optimizing efficiency. If the vendor-vetting process in your supply chain is too difficult, it slows down business and can create friction between the security team and other business units. If the process is too easy, the risk exposure can be tremendous – and that’s not good for anyone.
Within most companies, the vetting process typically involves lengthy security questionnaires that are often difficult to validate. Some enterprises lean on compliance frameworks and audit documentation but, more often than not, these practices are “one-time-only” measures that don’t monitor the ongoing security practices of smaller vendors.
The solution? A carefully curated, diligent process that is followed not only when onboarding every new vendor but that also includes routine check-ins to ensure security is being upheld. Two best practices include:
Contractual cybersecurity measures
Today’s contracts need to go beyond agreements regarding deliverables and deadlines. They should include guarantees of data security measures by both parties – not just the vendor. Furthermore, these contracts should include regularly scheduled vendor check-ins or audits to ensure proper security measures are still in place. Not only will check-ins reaffirm that your vendors are upholding their end of the deal, they will also hold them accountable for maintaining a reasonable level of security. Much like industry audits, vendors found not meeting the standards of the agreed-upon contract should be met with repercussions outlined in the contract, such as fines or the right to terminate the partnership.
Every contract should address supplier insurance coverage, limitations of liability and indemnification – including provisions regarding identity theft and data loss or corruption. Collecting and properly reviewing certificates of insurance (COIs) from every contracted supplier is cumbersome, but risk-management studies reveal that 80% or more of initial COI submissions do not conform to the language in the customer’s contract.
An even more frequent failure point is timing. A supplier’s multiple policies of insurance will never expire on the same date as the contract itself. Failure to proactively ensure that each policy is renewed and continues in effect through contract expiration can result in zero protection without the enterprise being aware.
Risk also occurs if the supplier switches to a new type of policy or changes insurance carriers when a policy expires, and the properly worded endorsement naming your organization as an “additional insured” is not carried over into the new policy.
Make cybersecurity part of M&A diligence
Enterprises may sometimes overlook the significance of cybersecurity risks within a company they want to acquire (the “target”) – including the risk that cyberattacks could already be devaluing the target’s digital assets without either party’s knowledge. Ideally, the M&A cybersecurity due-diligence process should address six categories of topics, including the identification and evaluation of the following:
- High-value digital assets and their relative importance to the target’s business
- Internal cybersecurity strategy
- Cyber risk management of third-party suppliers or partners
- Prior breaches and their ramifications, including:
  - Data that attackers might have gained (or are still gaining) access to
  - Data that attackers might have changed
  - Cyber defenses that could have been revealed to the attackers
- Cybersecurity regulations, including compliance requirements, legal obligations and risks posed by any compliance failure
- Overall resilience to a direct cyberattack
Take charge of your cloud
Misconfigured software and services are now the leading cause of accidental exposures of company data. Configuration errors made while using cloud-storage services are common, and often occur when users set access permissions so someone outside of the company—say, a vendor—can see data. IT departments need to understand when a company’s assets are online, when software needs to be patched, how critical applications connect to each other and when developers are making high-risk changes.
There is also a misconception that a cloud service provider is in charge of securing its customers’ cloud environments. Not exactly. Cloud service providers, such as Amazon, Microsoft and Google, take care of security for their physical data centers and the hardware that the virtual machines run on, but they leave the individual customer in charge of protecting their cloud network and the applications and data housed within.
To secure their data, enterprises need to invest in a fully functioning, round-the-clock security operations center (SOC), whether built in-house or outsourced. This team will help ensure that any and all workloads are properly configured and that the right level of access and permissions is applied to each environment, as well as monitor, detect, analyze and remediate incoming cybersecurity threats. Having eyes on the activity in your overall environment 24/7/365 is crucial to the security of an enterprise.
Keep up with patching
Unpatched software is one of the leading reasons computers are exploited. With thousands of new vulnerabilities surfacing every year, as well as the countless threats that have been around for years, patching can be a challenge. The challenge is not insurmountable, however. By paying attention to widely exploited applications (Java, Adobe Acrobat, Flash, Internet Explorer), rewarding good patch management, avoiding unpatchable platforms and devices, and educating your teams, you can reduce the chances of falling victim to a cyberattack.
Conduct ongoing trainings
In today’s world, firewalls and the oversight of skilled IT managers aren’t enough. Ongoing cybersecurity education programs for employees are also key to protecting hardware and data, as well as building awareness of the many “hacktivists” and cybercriminals that are continually emerging. Enterprises that don’t have the resources to put this type of training together themselves can often collaborate with their IT service provider on creating a program and providing educational materials.
Each day businesses are growing and making themselves more attractive to cybercriminals, who are also fine-tuning their methods of attack and searching for an easy way into your network. Although the nature of large enterprises offers more opportunity for attack, implementing stringent cybersecurity protocols in each aspect of your business – from M&A initiatives to employee training and 24/7/365 monitoring – will help mitigate the chances of threat actors finding and exploiting a vulnerability.