An emerging area of cyber liability for small businesses centers around the concept of third party risk. Third party risk means damages resulting from the security breach of a connected party - normally vendors or customers. Small businesses can face third party cyber risk on a number of fronts. They can face liability from a breach of their own systems infecting a vendor; they can also face damages caused when the breach of a vendor causes a breach of their own systems. Franchisee relationships have also caused increasing concerns of cyber risk.
How Cyber Criminals "Island Hop"
Third party risk has become a major topic because of the increasing use of island hopping techniques by cyber criminals. The name island hopping stems from the US strategy in the Pacific theater of World War II of taking small islands to help build towards attacks on larger islands. In the world of cyber security, it involves cyber criminals breaching smaller companies with less secure infrastructure and using that breach to gain access to a much larger company. Privilege escalation - using one set of hacked credentials to allow hacking of credentials with greater system privileges - is a common technique for these hackers.
You're Probably Familiar With Such An Attack
Some of the largest and most well-known cyber breaches occurred because of island hopping. The famous breach of Target’s systems happened through the breach of a heating and refrigeration vendor for Target. From that breach, the criminals managed to use the vendor’s remote access to Target’s network to breach Target. Experts have estimated that Target’s losses from the breach will exceed $250 million.
As companies become increasingly aware of how third party risk affects their exposure to cyber liability, they have started taking proactive steps to limit or transfer that risk in several ways:
- Companies have become increasingly less likely to grant vendors or customers access to their data networks unless necessary.
- They have also started including language in their contractual agreements requiring that those with whom they do business maintain a minimum standard for their cyber-security practices.
- Some companies have even begun including indemnification language stating that any third party responsible for a breach of their systems will bear the cost of that breach.
Smaller Businesses Are Often Left Struggling To Keep Up
These requirements can place a higher burden on smaller businesses than larger ones, as smaller businesses have fewer resources to dedicate to issues like cyber security. At the same time, the lack of resources dedicated to cyber security makes those smaller businesses perfect targets for these kinds of attacks. Small businesses have to find creative and cost-effective ways of managing their cyber risks or they will find themselves at a competitive disadvantage going forward.
All Businesses Have The Same Burden Of Responsibility
Cyber liability insurance can play some part in helping smaller businesses manage these risks. Strengthening the “human firewall” through methods like employee training will also help limit the possibility of a breach. Small firms can also examine their contracts with IT providers of all stripes to address issues of liability in the event of a breach. Awareness of a problem is a vital step in addressing that problem, but it is only ever a first step.