In another ill-fated practice, small businesses neglect to enforce strong access credentials. "Small companies frequently use weak passwords," says Rosen. It is common for third-party vendors and contractors to use weak passwords when logging into large enterprise networks; these include networks for stores like Target or Home Depot. Often the small company employee is using the same password they use everywhere, whether for their personal Facebook account, Gmail account, or financial account.
That's why hackers who confirm a username and password for any account on the Internet will try that same combination of credentials on other sites they attempt to hack into, and why re-using credentials is a very bad idea. Logon credentials are only as good as password policy and policy enforcement. If the small enterprise can't enforce the use of long, complex, unique passwords, then they and their larger customers should expect to be infected.
Small business behaviors that invite trouble from attackers are as numerous as they are infamous. Small enterprise security policies that don't quell missteps such as employee downloads of unauthorized software, rogue Wi-Fi installations, and password sharing will actually promote such behaviors. If big business is going to live with these ties, it has to find a way to manage those relationships and the threat-laden baggage they bring.
Mitigating the small company as security hole
To mitigate the security vulnerabilities that small companies bring to the table, the big enterprise has to move from a trust-but-verify model to a least-privilege, zero-trust model when working with these organizations. Permit only the least access and permissions necessary to do the work required. Consider anything outside or inside the network as untrusted. Standard best practices under least privilege and zero trust include network segmentation and enforcing up-to-date patch management, says Rosen.
Implement Privileged Identity Management (PIM) so that even if credentials are stolen, it's very hard for the hackers to move laterally in the network. Privileged identity management makes it very hard to compromise another account, and privileged credentials are continually rotated. "Even if they grab the credential, it's not useful for very long," says Rosen.
Big business should ensure that small businesses come into the enterprise with two-factor authentication. "The old expense of $75 to $100 per user for two-factor authentication no longer applies. Enterprises can now implement two-factor authentication at reasonable rates," says Rosen.
Large enterprises should use multiple intelligent, polymorphic next-generation threat detection technologies such as (but hardly limited to) behavior-based IDS/IPS and cloud-based web security scanning. These will help them enforce the zero-trust model and find breaches that are crossing the perimeter now or have already crossed it, whether they originate with small concerns or otherwise. "The breaches are going to come in," says Rosen. It's a matter of mitigation, not elimination.