Small firms 'not the weakest cyber link' in supply chains

23 July 2019

The widespread belief among large businesses that lax cyber security at small SME suppliers provides a potential backdoor for hackers is not accurate, according to a report.

The report, Securing the Partner Ecosystem by non-profit (ISC)², surveyed 709 North American companies, split equally between businesses with 250 or fewer employees and larger firms.

The research was prompted by the widespread belief that small businesses are easy targets in terms of supply chain security because they have fewer resources than larger businesses to prevent cyber crime.

The report acknowledged that attacks on SMEs have been consistently rising year-on-year. “Conventional wisdom has long held that small businesses have less sophisticated cybersecurity defenses, small budgets and fewer skilled resources, providing an easy entry point for hackers into large enterprises,” said the report.

But it added: “50% of large enterprises view third-party partners of any size as a cyber security risk, but only 14% have experienced a breach as the result of a small business partner, while 17% have been breached as the result of working with a larger partner.

“These findings contradict the widely-held belief that small businesses serve as the easiest conduit for cyber attacks on large enterprises.”

The research found that larger enterprises expressed very high confidence in the cyber security practices of their smaller partners and that SMEs were usually at least as adequately staffed as their larger counterparts.

This meant they were no more likely to suffer a supply chain security breach than a larger partner.

According to research by the Ponemon Institute, supply chain security is currently the second-highest concern among IT professionals in 2019. And indeed there have been numerous examples of compromised smaller suppliers leading to breaches of cyber security at larger firms.

However, only 32% of the large companies surveyed reported a partner causing a third-party breach. When these breaches occurred, they were the fault of the larger organisation 54% of the time and the smaller one 46% of the time.

More than a third (37%) of large business respondents were “very confident” and 57% were at least “confident” in the cyber security capabilities of their SME vendors and partners.

More than nine in 10 (94%) larger enterprises felt their smaller counterparts were at least adequately defending the supply chain.

This is partly because between 95% and 96% of larger companies had adopted contractual provisions regarding supply chain security for their partners, and had a vetting process in place aimed at reducing risk.

Two-thirds (69%) of these companies also expected a small business partner to take full responsibility for a data breach in which it was at fault.

Three-quarters (73%) of the small businesses surveyed said they would accept that responsibility if they were found to be at fault.
