One of the ways hackers penetrate a large corporation is by first breaching the weakest link in the supply chain of an organization. In many cases, these are small businesses. But it is wrongly assumed they are the weakest link.
Supply Chain Cybersecurity Statistics
A new study from (ISC)² reveals large partners are actually to blame more than their smaller counterparts. According to the report, 54% of enterprises said the third-party breach was caused by large partners. This compares to 46% for small partners or businesses.
Additionally, 14% say they experience a breach as a result of a small business partner. However, it goes up to 17% with large partners.
The difference is not dramatic, but it lays to rest the misconception that small businesses are more responsible for breaches in the supply chain. As long as the business has a strong security protocol in place, its size is irrelevant.
In the release for the report, (ISC)² COO Wesley Simpson addressed this very point. Simpson says the key is to build a strong cybersecurity culture with the right best practices to maximize security effectiveness. If everyone does this, the entire supply chain is more secure.
Simpson adds, “It’s a good reminder that in any partner ecosystem, the responsibility for protecting systems and data needs to be a collaborative effort, and multiple fail safes should be deployed to maintain a vigilant and secure environment. The blame game is a poor deterrent to cyberattacks.”
The Issue of Supply Chain Partners and Digital Security
The most famous (or infamous) security breach associated with a partner is the Target data breach in 2013. In that case, 70+ million pieces of data were compromised after the network credentials of an HVAC contractor were stolen.
When the case settled in 2017, it was revealed 41 million customer payment card accounts were affected. And Target had to pay $18.5 million to 47 states and the District of Columbia.
Small businesses are more aware of cybersecurity because of this specific case. And as the (ISC)² report points out, they are doing much better today.
More Supply Chain Cybersecurity Statistics
The key takeaway from the survey is the conflict large enterprises are experiencing regarding the risk small businesses really pose. This is because the data, according to this study at least, proves small businesses are more secure.
The report also points out fewer than 32% of the data breaches large enterprises suffer come from a third party. So, more than two thirds or 68% of breaches are coming from other forms of attack.
Nevertheless, 32% is a very high number. This is because 64% of large enterprises outsource more than a quarter (26%) of their daily business tasks. With so much data in the hands of third-party businesses, the threat and concern are obvious.
Almost all enterprises or 96% have contract provisions specifying how third parties access, store and transmit their data. And 95% also say they have a standard process for vetting small business suppliers’ cybersecurity capabilities before providing access.
As far as responsibility, 69% of enterprises will hold a third party fully accountable for a data leak or breach caused by mishandling their data. And 73% of small businesses say they will feel liable if a client experiences a breach, even if their action is only indirectly responsible for the security incident.
At the end of the day, an almost equal number of enterprise respondents feel they are to blame (48%) as much as the partner (52%).
Recommendations from (ISC)²
For three decades (ISC)² has been providing a safe and secure cyber world. The organization is an international nonprofit membership association. More than 140,000 certified cyber, information, software and infrastructure security professionals are members. And their goal is to make a difference and help to advance the industry.
These are the recommendations from (ISC)²:
The supply chain cybersecurity report comes from an online survey conducted by (ISC)² and Market Cube in November 2018. A total of 709 IT, ICT, and cybersecurity decision-makers took part in the survey. This includes 354 small businesses with 250 or fewer employees and 355 from large enterprises with at least 1,000 employees. All the companies are based in North America.