The supply chain conundrum: Why large businesses fear data breaches from SME suppliers


In recent years, large companies are finding that the weak link in their cyber security strategy is not, in fact, their own cyber security defences. Increasingly, the chink in a company’s armour comes from the smaller companies they do business with. 

In May, UK retailer Debenhams were affected after the supplier of their online florist business suffered a breach, exposing the personal data of 26,000 customers. In July, information on 18,000 customers was exposed by Anthem Inc., the United States’ largest healthcare contractor. In August, the NHS’ 1.2 million patient-name database was hacked through a third party booking system. 

All these breaches are representative of a new problem that could plague businesses for some time to come: data loss and compromise via third parties. 

While most companies are still grappling with securing their own networks, data, and users, defending against attacks that target business partners adds a new layer of complexity to the equation. 

Outsourcing business, outsourcing risk 

Attacks against third parties are on the rise. According to Verizon’s Data Breach Investigations Report, “in 70% of the attacks where we know the motive for the attack, there’s a secondary victim.” 

Large organisations are realising that it’s no longer enough to ensure their own network is secure, and that they must now also pay attention to securing the supply chain. 

High profile data breaches against the likes of the bank UniCredit, compromising data on 400,000 customers, or against communications firm TalkTalk, fined £100,000 for a third party’s misuse of data, have been a wake-up call for many large corporations. 

Like TalkTalk and UniCredit, enterprises often rely on a vast network of suppliers and partners, many of which are SMEs. These can be easier targets for attackers when the target enterprise itself has already implemented a security program in-house. 

Smaller suppliers can provide attackers with a rich source of information. Contact information can be extracted and used in a spear-phishing attack; bank account details, and even email accounts (personal or group accounts), could represent a rich source of information, giving insight into a business’ dealings with the supplier. 

Once an attack has been successful against an SME supplier, attackers can then leverage their access as an entry vector into the larger network. 

Cyber security – the new negotiation point 

Business contracts are changing to respond to the new cyber security threat. 

According to a recent survey by CybSafe of SMEs selling to enterprise, 1 in 3 businesses have had their security protocols questioned as part of winning contracts in the last year. 50 percent had cyber security conditions included in new contracts with enterprise customers, while 44 percent of respondents had been required to have a recognised cyber security standard, such as ISO 27001. 

With the threat of the Information Commissioner’s Office (ICO) sanctions, as well as the looming General Data Protection Regulation (GDPR) which could set enormous fines for data breaches – fines of up to 20 million Euros or 4% of group worldwide turnover, whichever is greater – it seems that enterprise organisations are finally looking at the security of their entire IT estate, including third party suppliers. 

The state of SME cyber security 

Large businesses have good reason to be cautious: CybSafe’s Supplier Security Study suggests that many SMEs are taking a lax approach to cyber security. 

Of those polled, 1 in 7 had no cyber security controls in place whatsoever. Given that there are approximately 5.5 million SMEs in the UK, it’s possible that there are around 790,000 SMEs in the UK without any cyber security protocols in place. This is an alarming fact for enterprise IT leaders. 

SMEs proved equally lax in CybSafe’s survey on the subject of regulatory changes. While large corporations are already gearing up for impending changes to the law, less than half of SMEs surveyed had begun taking data protection steps ahead of GDPR implementation. 

Large organisations are looking to work with trusted vendors in the future: SMEs who have a serious and robust cyber security strategy, and SMEs which are taking measures to abide by GDPR’s regulations. Ultimately, SMEs are going to have to adapt. 

SMEs and cyber security training 

One of the most impactful ways that SMEs can adapt is through the introduction of cyber security training. 

Indeed, cyber security training is already regarded by many large companies as a deciding factor on whether to pursue a contract with a smaller supplier. According to CybSafe’s survey, 54 percent of the SMEs had been asked about employee cyber security training by enterprise customers. 

Accidental breaches caused by employee error or data breached while controlled by third party suppliers continue to be a major problem, accounting for 30 percent of breaches overall. Large companies are rightfully wary of this. 

Unfortunately, this is often the breaking point for many potential contracts with large businesses. 

Small and medium-sized companies mistakenly treat cyber security primarily as an IT responsibility, rather than considering it alongside the general operations of the business. Companies often presume that technological attacks must necessarily be countered by a technological defence, but as shown by CybSafe’s survey, enterprise customers are looking to work with companies with all-round cyber defences; companies that have both technological and human strategies in place. 

Responding to the threat 

As small businesses that make up the supply chain become aware of the seismic shock and potential reputational damage that can be caused by a breach, it will no longer be enough for large companies to secure their own systems. Enterprise is now compelled to ensure that suppliers have equally stringent data security in place. 

Data security is now a key component of the due diligence process before organisations begin dealing with suppliers. Before signing contracts, SMEs are increasingly required to demonstrate their commitment to technological security and cyber security training. 

The old adage still rings true, ‘hackers will always seek the route of least resistance’, and so securing the supply chain will be the biggest challenge for businesses in the coming years. 

To remain attractive to big business clients, SMEs are going to have to adapt accordingly. 

Oz Alashe MBE, CEO and Founder of CybSafe 
