Blog

Small Businesses Not the Weakest Link in the Supply Chain, Study Shows

Jun 20, 2019

A new (ISC)2 study suggests that small businesses get more of the blame than they deserve for security breaches at their large enterprise clients. Enterprises have indeed suffered breaches caused by third parties, but those breaches are more often the result of actions by a large partner than by a small business.

The Securing the Partner Ecosystem study, which polled respondents at both large enterprises and small businesses, found that about one third of enterprises (32%) have experienced a breach caused by a third party. In those cases, a large partner was more often responsible (54%) than a small business partner (46%). Only 19% of small business respondents overall say they have caused a data breach for an enterprise client or partner.

Enterprises are generally not worried about the security practices of their small business partners: 57% said they are confident and 37% very confident in those partners' cybersecurity measures. And while enterprises are willing to hold others responsible for security incidents, almost half (48%) would also consider themselves "ultimately at fault" for an incident caused by a third party.

For their part, small businesses hold themselves accountable for breaches at large partners: 73% say they would feel liable if a client were breached, even if their actions were only an indirect cause of the incident.

High Confidence

Enterprises have high confidence both in their own cybersecurity posture and in the security practices of their partners. Nearly all enterprises in the study (96%) have contract provisions that specify how third parties may access, store and transmit their data.

Almost as many (95%) have a standard procedure for vetting a small business supplier's cybersecurity capabilities before granting it access to their systems. Methods used to evaluate a partner's security posture include reviews by a security team or provider (85%), on-site inspections (52%) and requests for quotation (RFQs) (34%).

A full 98% of enterprises are confident (54%) or very confident (44%) in their ability to protect their own data even if a third-party supplier is breached. That confidence may not be entirely justified, however.

For one thing, enterprises don't always know how much access third parties actually have to their systems: 34% said they have been surprised by the broad level of access a third party had to their network and data. An even larger share of small businesses (39%) were just as surprised by the level of access they had been granted. When neither side expected the access to be that broad, the grant was almost certainly never scoped to what the partner's work required.

Another sign of enterprise overconfidence is how they respond when a third party reports a security vulnerability to them. More than one third (35%) of enterprise respondents said that no action is taken to mitigate such vulnerabilities once they are notified.

Cybersecurity Staffing

Another surprising finding in the study concerns the number of cybersecurity staff employed by enterprises versus small businesses: 42% of small businesses (250 or fewer employees) have at least five cybersecurity staff, while 75% of large enterprises (1,000 employees or more) employ at least 10 staff members dedicated to cybersecurity. Five staff in a company of 250 is 2% of headcount; 10 in a company of 1,000 is 1%. Proportionally, then, many small businesses employ a higher percentage of cybersecurity professionals than enterprises do.

Some of this may be explained by the kinds of tasks the security teams handle (large companies, for instance, may rely more on automation), but it also suggests that small businesses are not as lax about security as is often assumed. It is even possible that years of finger-pointing have pushed them to strengthen their security efforts.

The research leads to the conclusion that an organization's size is not a reliable indicator of its risk profile. Following cybersecurity best practices, staffing security appropriately and maintaining good access management are far more important factors to consider.