T-Mobile. Home Depot. Target. California State University. All are large organizations that fell victim to expensive data breaches because of a third-party vendor, and they are not alone on that list!
For any small to medium-sized business (SMB), there are two very important points to be aware of:
1) Small companies are, in fact, targets.
Whether they handle data themselves or simply have access to systems that do, hackers will target them and their employees to install malware, gain access, or otherwise steal any information or digital products they can find.
2) Large companies know this!
Larger enterprises are increasingly auditing prospective vendors or basing their contract choices on the security a prospective vendor has in place.
Any cyber criminal would seek out the weakest link in the security fence, and more often than not, that link is a smaller vendor that lacks the millions of dollars to spend each year on its own in-house information security team and program.
Last year, numerous fast-food restaurants owned by Wendy’s and CiCi’s Pizza were both hacked through the service providers for their cash registers, one via remote access and the other through social engineering to install malware. Oracle’s MICROS point-of-sale payment systems were also breached, impacting numerous retailers and hotels.
Even Netflix has recently had a breach through a third-party audio post-production company, where unreleased shows were stolen; Netflix refused to pay the demanded ransom, and the episodes were released to the public in late April 2017. Other large studios that used the same small production company were equally threatened.
They are unlikely to be the last.
Hacked by chance: Larson Studios’ Nightmare
According to a chilling description of the events surrounding the Larson Studios breach of the unreleased shows, it all came down to an old Windows 7 machine in the studio that the hackers stumbled across as one they could break into. Hackers do not necessarily target a company based on the value of what is secured; in some cases, they target it purely because they found a hole to enter through, just as a thief would with an open window. The small, family-owned studio’s data was stolen, deleted from their servers, and held for ransom by the hackers, before eventually being held for ransom against Netflix and numerous other Hollywood studios in turn, even after the vendor’s initial ransom had been paid.
Fortunately for Larson Studios, most of their clients and partner studios have decided to stick with them as they mutually work to tighten security. It has been a very difficult year for the small studio, and the breach is both a warning bell and a wake-up call for the studio industry on the unseen risks of weak information security.
Such a breach could just as easily be a company’s death knell.
Many SMBs provide independent services or systems to huge enterprises and rely on those contracts for their business. To be the source of a data breach could not only end that contract but also cause other clients to avoid or question your services, if not close down the entire business overnight.
With the numerous breaches, larger enterprises are more alert than ever to these risks, and most now audit their vendors’ security. An SMB could easily lose a contract simply because it lacks a security program that a larger corporation is willing to stake its own reputation or security on.
Tiro Security has many clients that are winning new business because they can lay out their security program from the start, reassuring their clients and potential contracts alike. We focus on SMBs, and so we understand how to work with them to make their budgets stretch as far as possible. We have evaluated many open-source and low-cost products; the pricing of the services we provide is typically less than half of what our competitors charge. We try our best to make InfoSec affordable for all companies, regardless of their size.