Enterprises are upping security demands on SME suppliers

More and more enterprise-level organisations are assessing cyber security during supplier contract negotiations, a survey shows

Half of the small to medium-sized enterprises (SMEs) polled in a survey by security e-learning firm CybSafe have had cyber security conditions included in contracts with enterprise customers in the past five years.

And one-third of the 250 IT decision-makers polled at UK SMEs said they have had their cyber security measures questioned as part of winning contracts in the past year.

Also, 44% said they have been required by their enterprise customers to hold a recognised cyber security standard, such as ISO 27001, in the past five years, and 28% in the past year alone, demonstrating a clear trend in the enterprise approach to supplier information security.

This is in sharp contrast to five years ago, when only 5% of respondents said they had been asked to have a recognised cyber security standard in place.

The threat of sanctions by the Information Commissioner’s Office (ICO), the looming deadline for compliance with the EU General Data Protection Regulation (GDPR), and fear of reputational damage from a data breach mean that enterprises are increasingly looking at the security of their entire IT estate, including third-party suppliers.

Despite this shift, the survey revealed that one in seven SMEs selling to enterprise had no cyber security protocols in place at all. This further highlights cyber security vulnerabilities in the supply chain as cyber criminals increasingly target suppliers because of the perceived lack of stringent information security protocols in SMEs, the survey report said.

“The CybSafe supplier cyber security study shows the extent to which enterprise focus on securing the supply chain has increased in recent years, in the light of increased sanctions for data loss and high-profile data breaches,” said Oz Alashe, CEO and founder of CybSafe.

“This represents a unique opportunity for enterprise to effect cyber security change on a much greater scale. By insisting on a greater focus on cyber security from their SME suppliers, these businesses can play an influential role in reducing overall cyber risk and increasing mass awareness of cyber security throughout the business community, from supplier to enterprise.

“This can only be a positive impact on the progression of cyber risk awareness in society as a whole. The more that enterprise sees cyber security as a value-add, the more SMEs will change online practices to become that trusted supplier.”

The annual CybSafe supplier cyber security study aims to track trends in the enterprise approach to cyber security among suppliers, providing a regular check-up on the state of supply chain information security.

Other findings from the study include:

  • Just over two in five (43%) organisations have cyber insurance to protect against data breaches.
  • Fewer than half of organisations had begun taking data protection steps ahead of GDPR implementation.
  • More than two in five respondents would inform all customers immediately following a data breach.
  • Just over half have been asked about employee cyber security training by enterprise customers.

“High-profile data breaches such as Target, where hackers gained access to the retailer through its air-conditioning supplier, have brought supply chain cyber security to the forefront and this has clearly struck a chord with enterprise leaders,” said Alashe.

“Organisations are realising that it is no longer enough to ensure their own network is secure – they must now also pay closer attention to securing the supply chain. This is a trend we will see increase in the coming years.

“No business is an island, and so large organisations will only work with trusted suppliers in the future. The SMEs that adapt their information security practices to the new landscape and demonstrate their cyber credentials will be the most successful in the future.”