Many seasoned practitioners occupying procurement and supply chain jobs in large firms fear cybersecurity weaknesses among their smaller suppliers, but a new US study suggests that many of those worries are unfounded.

A new study from the non-profit cybersecurity group, the International Information System Security Certification Consortium, (ISC)², polled 709 North American firms, divided equally between companies with 250 or fewer employees and bigger businesses. (ISC)² was prompted to conduct the research by widespread beliefs among professionals in larger organisations, from permanent practitioners to supply chain and procurement interims, that smaller firms are more vulnerable to cybercrime because they lack the resources of bigger companies to install robust cybersecurity systems.

While cyber-attacks on these smaller suppliers have risen year-on-year, as acknowledged in the report, the danger is not as pervasive as larger companies assume. The study notes: “50% of large enterprises view third-party partners of any size as a cybersecurity risk, but only 14% have experienced a breach as the result of a small business partner, while 17% have been breached as the result of working with a larger partner. These findings contradict the widely-held belief that small businesses serve as the easiest conduit for cyberattacks on large enterprises.”

Despite the extent of the ‘cyber-vulnerability’ belief, the study found that larger companies expressed exceptionally high confidence in the cybersecurity efforts of their smaller suppliers, most of which were at least as adequately staffed to meet security challenges as their bigger counterparts, and no more likely to experience a cyber-breach than a larger partner. The report follows a recent study from the Ponemon Institute, which found that in 2019, supply chain security had become the second-highest priority among IT professionals. Even so, only 32% of the large firms polled reported supply chain security breaches, which were, in fact, the fault of the larger partners 54% of the time.

Source: https://www.cips.org/en/supply-management/news/2019/july/small-firms-not-the-weakest-cyber-link-in-supply-chains/