Small Businesses: You are not the weakest link

small-businesses-not-weakest-security-link.jpg

Contrary to popular belief, small businesses are not the weakest link when it comes to data security, according to a recent study by security association, (ISC)2, formally known as The International Information Systems Security Certification Consortium.

The study entitled Securing the Partner Ecosystem, asks the question, “Are Small Businesses the Largest Risk to Supply Chain Cybersecurity?”

The long held view that small businesses are the preferred entry point for attacks on large enterprises, due to less sophisticated data security systems, is contradicted in the (ISC)2 report, after the study revealed that 94% of respondents were “confident” or “very confident” in their small business partners’ cyber security practices.

Wesley Simpson, chief operating officer at (ISC)2, said:

It’s a good reminder that in any partner ecosystem, the responsibility for protecting systems and data needs to be a collaborative effort, and multiple fail safes should be deployed to maintain a vigilant and secure environment,

The aim of the study was to understand the level of threat to large enterprises by third-party providers. Among the 709 respondents, half were from small businesses with less than 250 employees.; The other half were from large companies with 1,000+ employees. The study findings revealed that large enterprises as a whole are conflicted about the risk small businesses actually pose.

Approximately 64 percent of large organizations outsource at least 25 percent of their “non-core” business operations. This often requires them to provide third-parties access to their information systems. Typical applications that depend on access to data include IT services, accounts, R&D, and various administrative tasks.

The study also shows that 35% of large enterprise respondents admitted that when alerted by a third party to insecure data access policies, nothing changes in the large enterprise’s practices, while 55% of small business respondents reported that they still had access to a client’s network or data after completing a project or contract, according to a news article by Computer Weekly.

More than half (54%) of small business respondents have been surprised by some of their large enterprise clients’ inadequate security practices, and 53% have provided notification of security vulnerabilities they have discovered in large enterprise networks.

The report found that while small businesses have fewer employees overall, the proportion of their cyber security staff is not necessarily lower than in large enterprises. Nearly half (42%) of small businesses, with 250 or fewer workers, employ at least five dedicated cyber security staff.

By comparison, 75% of large enterprises, with more than 1,000 employees, have at least 10 staff members focused on cyber security. This means that some small businesses have a higher percentage of security professionals working to implement best practices and defend data and networks.

The study found that, while they may have differing tool sets, small businesses and large enterprises approach data protection similarly by focusing on many of the same cyber security best practices.

Sources and further reading: Computer Weekly, (ISC)2 full report

Did you find this content valuable and interesting? If so, why not sign-up for our Premium Insights. For less than the cost of a cup of coffee each week, you can get access to our Premium Insights news feed.

Peter BornerComment