When it Comes to Security, Company Size Doesn’t Matter

Omri Dotan

The “Little Guys” Play a Major Role in Preventing Breaches

The network of a small, third-party provider of heating, ventilation and air conditioning (HVAC) services was compromised when an employee fell for a phishing email. Why should we care? Attackers used that foothold to reach the provider’s customer, the Target Corporation, where the breach resulted in some 110 million payment card and customer records stolen and millions of dollars in damages.


Most large manufacturing organizations have well-established procedures to manage physical, transactional and compliance risks in their supply chains. These risks are identified and monitored, and plans are developed to manage their potential impact. However, the same organizations rarely apply this methodical approach to their vendors’ cyber security risks, treating them as the domain of IT or simply as outside their control. With information such as intellectual property, trade secrets and customer data shared across a supply chain, the cyber security of the whole chain is only as strong as that of its weakest link. Usually that means the smaller businesses.

Over the last five years Symantec has reported a steady increase in attacks targeting businesses with fewer than 250 employees, with 43 percent of all attacks directed at small businesses in 2015 alone. Cybercrime groups often deliberately reach a company through its smaller suppliers and vendors, which tend to have fewer security controls in place. Take the notorious Dragonfly/Energetic Bear campaign, which compromised the industrial control system (ICS) software used by U.S. and European energy and pharmaceutical companies. One of the access points was a European manufacturer of PLC devices: the attackers inserted malware into the vendor’s software driver package, so that customers who downloaded the legitimate-looking update installed the backdoor themselves. With any point in the supply chain being a potential cyber security risk, manufacturers need better visibility into the cyber security technology and practices used by their suppliers, of all sizes.

Today’s main cyber security and compliance challenge for an organization of any size is the sophisticated, advanced attack, which requires constant adjustment of defense systems as well as the ongoing, tedious management of security patches. To address this, large manufacturers invest substantial funds and resources in a stack of parallel security products that each protect against largely the same threats. It has become similar to buying multiple insurance policies for the same risk – unfortunately, often with little additional reward.

In spite of this, targeted, advanced attacks can still penetrate the costly fences and defenses large manufacturers put in place to keep their data and their customers’ data safe. In addition, every added layer means more false positives to sort through and more time and resources spent on updating and monitoring. More frequent patching helps, but it often results in unacceptable system downtime and still does nothing against zero-day attacks, i.e. attacks that exploit previously unknown vulnerabilities for which no patch yet exists. Clearly, “more layers of protection” does not necessarily mean “better protection.”

Conversely, such spend is beyond the reach of the smaller vendors. The majority of small businesses, subcontractors and suppliers lack the resources to implement a multifaceted approach; the costs in time, manpower and budget are too high. Most will do the minimum required by regulation, for compliance, or because a manufacturer demands it – until they get hit. Just ask MNH Platinum, a fleet management service provider, which recently dealt with the repercussions of a ransomware infection. Nearly 90 percent of small businesses operate without professional IT managers on staff. Without such support, even keeping up with patching is daunting. As a result, small businesses, subcontractors and suppliers often leave themselves – and others in their supply chain – exposed, presenting an attractive target for modern attacks.

The road to recovery after a cyber attack is long and costly. In addition to the potential loss of business and reputation, an attack can lead to devastating financial losses for both employees and customers, plus the long and arduous task of recovering data. The drop in productivity after an attack typically hits small companies particularly hard, and the cost to the organization rises steeply with the time it takes to contain the attack. Knowing that the highest costs of a cyber attack are incurred post-breach, small manufacturers and suppliers need to shift their focus to preventing a breach from ever occurring rather than reacting to one once it has happened.


Figure 1 As targeted cyberattacks progress, costs skyrocket.

Early prevention – terminating the kill chain very early, before malware is loaded or executed – provides the largest overall benefit.

One promising way for small businesses and manufacturers to better protect themselves against cyber attacks is to strengthen their prevention stack by adding Moving Target Defense (MTD) technology alongside their existing antivirus. Antivirus solutions are effective against common, known attacks and viruses; MTD is aimed at the unknown and unpredictable. MTD uses counter-deception techniques to constantly change the target surface, concealing the parts of applications and web browsers an exploit relies on and trapping attempts to access them. Because the target no longer looks the way the attacker expects, exploits fail to locate, identify or penetrate it, and the attacker never gains a foothold. This approach, an MTD-augmented security stack, may well be the most cost-effective way to protect small businesses, small manufacturers, suppliers and supply chain partners from the damage of cyber attacks.

Omri Dotan is Chief Business Officer with Morphisec

Supply Chain World Magazine