How much risk small businesses really pose to supply chain cybersecurity?
50% of large enterprises view third-party partners of any size as a cybersecurity risk, but only 14% have experienced a breach as the result of a small business partner, while 17% have been breached as the result of working with a larger partner, according to ISC2.
The study surveyed more than 700 respondents at both small businesses and large enterprises to learn how data sharing risk is perceived.
These findings contradict the widely-held belief that small businesses serve as the easiest conduit for cyberattacks on large enterprises.
The reality is that large enterprises are nearly unanimously confident (94% of survey respondents indicated that they are “confident” or “very confident”) in their small business partners’ cybersecurity practices, and 95% have a standard process for vetting their suppliers’ cybersecurity capabilities.
“This research highlights the fact that building a strong cybersecurity culture and subscribing to the right best practices can help organizations of any size maximize their security effectiveness,” said ISC2 COO Wesley Simpson.
“It’s a good reminder that in any partner ecosystem, the responsibility for protecting systems and data needs to be a collaborative effort, and multiple fail safes should be deployed to maintain a vigilant and secure environment. The blame game is a poor deterrent to cyberattacks.”
Lax access management controls
Nearly two-thirds (64%) of large enterprises outsource at least one-quarter (26%) of their daily business tasks, which requires them to allow third-party access to their data. These outsourced functions can include anything from research and development, to IT services and accounts payable.
This data access and sharing is necessary as a large enterprise scales its operations, but the ISC2 research indicates that access management and vulnerability mitigation is often overlooked.
- 34% of large enterprises say they have been surprised by the broad level of access a third-party provider has been granted to their network and data
- 39% of small businesses expressed the same surprise about the access they were granted when providing services to large enterprise partners
- Even worse, 35% of large enterprises also admitted that when alerted by a third party to insecure data access policies, nothing changes in the large enterprise’s practices
- More than half (55%) of small business respondents reported that they still had access to a client’s network or data after completing a project or contract
- 54% of small businesses have been surprised by some of their large enterprise clients’ inadequate security practices, and 53% have provided notification of security vulnerabilities they’ve discovered in large enterprise networks to which they have access
Investment in cybersecurity teams
The report also found that while small businesses have fewer employees overall, the proportion of their cybersecurity staff isn’t necessarily lower than in large enterprises. The study shows that nearly half (42%) of small businesses, with 250 or fewer workers, employ at least five dedicated cybersecurity staff.
By comparison, 75% of large enterprises, with over 1,000 employees, have at least 10 staff members focused on cybersecurity. While many large enterprises may have more cybersecurity staff by volume, some small businesses have a higher percentage of security professionals working to implement best practices and defend data and networks.
Similar best practices regardless of size
The Securing the Partner Ecosystem study found that, while they may have differing toolsets, small businesses and large enterprises approach data protection similarly by focusing on many of the same cybersecurity best practices. Both sets of respondents indicated that they employ the identical top-three best practices to protect their networks and data, including:
- Regular automatic scans with antivirus and anti-malware programs
- Blocking access to known malicious IP addresses through firewall configuration
- Strong email filters to prevent phishing