Across the board, small businesses are generally going to have less in the way of resources than enterprise-level companies. This creates the perception that they are the easiest targets in terms of supply chain security. Criminals certainly seem to share that perception, with attacks on SMEs consistently rising year-over-year to a nearly even footing with their larger counterparts.
Given all of this, it’s natural to infer that the smallest businesses in a supply chain will be the weakest and most vulnerable targets. A new study from nonprofit security organization (ISC)² demonstrates that this common supply chain security assumption may not be supported by data.
(ISC)²’s 2019 “Securing the Partner Ecosystem” report explores this assumption by surveying 709 companies, split down the middle between small businesses with 250 or fewer employees and larger enterprise organizations with over 1,000 employees. Not only do the larger enterprises express very high confidence in the cybersecurity practices of their smaller partners, but the data also indicates that the smaller businesses are usually at least as adequately staffed as their larger counterparts and are no more likely to suffer a supply chain security breach than a larger partner.
State of supply chain security at small businesses
Supply chain attacks and vendor compromise are a hot-button issue for large organizations that rely on the daily support of numerous partners. Many of the biggest data breaches in recent years – the Equifax incident of 2017, for example, or this year’s breach of the U.S. Customs and Border Protection agency – are the result of vendor compromise creating an initial point of entry. Supply chain security is the second-highest concern of IT professionals in 2019, according to related research by the Ponemon Institute.
While these incidents have made a big splash in the news as of late, the (ISC)² study indicates that they are not as common as one might believe. Only 32% of the large companies surveyed reported a partner causing a third-party breach. Additionally, when these breaches do occur, they are more likely to be the fault of a large enterprise partner (54%) than a small one (46%).
Large enterprises also report almost universal confidence in their smaller partners. 37% of respondents were “very confident” and 57% were at least “confident” in the cybersecurity capabilities of their SME vendors and partners, for a total of 94% of larger enterprises that feel that their smaller counterparts are at least adequately defending the supply chain.
What’s at the back of all this confidence? A big part of it seems to be that larger enterprises have almost all (95 to 96%) adopted contractual provisions regarding supply chain security for their partners, and have a vetting process in place aimed at reducing risk. 69% of these companies also expect a small business partner to take full responsibility for a data breach that they are at fault for, and 73% of the small businesses surveyed said they would accept that responsibility if they were found to be at fault.
Large enterprises also appear to be highly confident in their own resiliency in the event of a third-party data breach. 54% were “confident” and 44% were “very confident” that they would be able to secure their data even if a partner should be breached. This response can be interpreted in one of two very different ways, however. It might indicate that companies are strongly trending toward locking down all sensitive data and ensuring it is shared with partners only on an as-needed basis and in a fully secure way. It might also indicate that these companies are simply overconfident in their infrastructure security, as 34% reported being surprised by the amount of data that vendors and partners ultimately had access to. From the other end, the small businesses report that 55% of the time they still have access to sensitive data even after a partnership or project has been terminated. Additionally, 54% of the small businesses reported being surprised at how much client data they were able to access once connected to the partner network.
Interestingly, the study revealed that both large and small businesses are about equally likely to have an appropriate scale of supply chain security procedures and staff in place. Small businesses are actually slightly more likely to engage in most cybersecurity best practices, such as running regular automated anti-malware and antivirus scans and having updated email phishing filters. The only area where small businesses lag behind is in evaluating and reporting security incidents after they happen. This is likely a simple staffing issue, as 75% of large businesses reported having at least 10 staff members dedicated to cybersecurity while only 48% of the smaller businesses had at least five.
Size does not matter
(ISC)²’s ultimate conclusion from all of this data is that small businesses and large enterprises are on about equal footing in terms of the likelihood of becoming a breach point of entry, and that small businesses may be unfairly evaluated in terms of supply chain security liability.
(ISC)²’s suggestions for improving cybersecurity culture at all types of organizations include making sure the executive ranks understand the importance of cybersecurity policy, drafting clear job descriptions when hiring cybersecurity staff, and focusing on training and promoting from within the organization.
Larger partners can actually be at a disadvantage in terms of supply chain security, simply given the greater number of employees to train and oversee. Intractable security culture also appears to be an ongoing problem at enterprise-level companies, with 35% in this category responding that when they are notified by a smaller partner of a data breach they do not make any changes to their security practices.
(ISC)²’s COO Wesley Simpson closed the study by noting that development of and close adherence to access management policies are key for both small businesses and large, as well as having a developed mitigation process in place to rapidly secure the network and data as soon as a breach is reported.