Supply Chain Security and Your Small-to-Medium Business

Are you meeting minimum cybersecurity standards?


When your credit card was skimmed at the local gas station, you stopped going there for a fill-up. When an online retailer was hacked, and your information was stolen, you got smarter about sharing data. When an odd text message asks you to click the link, you delete it. As consumers, we’re well aware of the cyber risks around us. But what about as business owners?

Have you asked your vendors and partners about their cyber posture? Are you meeting minimum cybersecurity standards? Have you created a system security plan?

Hacks and attacks are costly to businesses, particularly small businesses, which account for 90% of cybersecurity breaches worldwide. The losses can have devastating, operations-ending effects—particularly if they spread to other companies in the supply chain.

The federal government is pushing to secure supply chains and protect U.S. critical infrastructure. Other organizations are joining the effort, too. Understanding the regulations and assessing risk can help business owners take strategic actions to protect themselves, limit supply-chain vulnerabilities, and make smarter cyber investments. Here’s how.

The problem: Risk spreads

When systems connect so data can flow out to vendors and subcontractors, cybersecurity risk can also flow in.

Protecting yourself is obviously the first step, and plenty of frameworks and standards have established best practices for handling and storing data. But small businesses often find that cybersecurity is out of reach—too complex to handle without outside expertise and too expensive to squeeze into tight budgets. So, they wait.

That delay is what regulatory action targets: in essence, it forces companies, even the smallest ones, to get on board with cybersecurity now or lose opportunity. Because cybercriminals prey on the weakest links, the change has to happen in small businesses.

Industry crackdown

Realizing that a top-down approach was needed, the Federal government started with its own agencies and contractors. The National Institute of Standards and Technology (NIST) has developed cybersecurity standards, guidelines, and best practices, and the Department of Defense introduced the Cybersecurity Maturity Model Certification (CMMC), which requires contractors to prove their compliance.

Similarly, the nonprofit StateRAMP has established common standards for cybersecurity on a more local level. It already has 30 cities and states participating, encouraging companies to invest in cyber to qualify for business opportunities. Industry leaders, including Allstate, Booz Allen, General Dynamics, and Leidos, have also established minimum requirements for their suppliers.

Will you need to meet cyber requirements to keep business? Or to go after new leads? A quick assessment of your customers and their connections can reveal the answer.

As mandates move through industries, thousands of subcontractors, vendors, and suppliers will need to show compliance—and attest to the security of their supply chains. This means that millions of U.S. businesses, even those several steps removed from government or big business work, will also need to meet cybersecurity standards—or risk being classified as unsafe.

Assess, ask, verify

Small and mid-size business owners have already started to assess their risk. Millions have decided they are too small to matter to hackers, but they are using bad math.

Instead of considering how much hackers might gain from a breach, business owners need to consider how much they might lose. Data losses and customer impacts routinely shutter small businesses and consume reserves, costing far more than implementing basic cyber hygiene would.

To understand the scope of a business's cybersecurity needs and the associated costs, companies should plan to meet with three or four outside cybersecurity firms. The process is educational, although there is a steep learning curve. Each free consultation should include questions about the company's IT systems, business model, and goals. Ethical practitioners will provide transparent pricing and explain options, schedules, and plans to maintain and monitor security.

Companies can also reduce cyber risk by vetting their own supply chain and asking pointed questions about cybersecurity or proof of compliance. Asking about cybersecurity posture is like asking about a company’s credit rating—it offers an objective look at business health. But just asking isn’t enough—smart companies will take steps to verify the information that partners supply and confirm cybersecurity as if their own security depends on it (because it does).

Beyond the supply chain

Cybersecurity requirements will soon move beyond supply chains. Banks and credit cards may require cybersecurity standards for companies to use their services, and internet service providers could require minimums to connect businesses. Concerned consumers are already influencing Main Street businesses, asking why data is being collected, how it will be used and stored, and holding companies responsible when breaches occur.

Cybersecurity makes sense for any business hoping to operate in today’s regulatory climate. For small-to-medium businesses wanting to protect themselves, their customers, and their supply chains, it’s an investment that can’t wait.

About Edward Tuorinsky
Edward Tuorinsky, CEO and President of DTS, a government and commercial consulting business, brings more than two decades of experience in compliance and management consulting, information technology and cybersecurity services.