SME Suppliers Falling Short of Security Expectations – Report
Nearly 70% of procurement managers in large organizations believe SME suppliers could do more to protect sensitive client data, according to new research from KPMG.
The global consulting firm polled 175 UK procurement chiefs across several sectors and found reassuringly that standards are high when it comes to vetting suppliers.
A large majority (86%) said they would consider removing a firm if it suffered a data breach and nearly half (47%) claimed suppliers are contractually obliged to report such an incident.
Nearly all respondents (94%) agreed with the statement that standards were important when awarding a contract, with around two-thirds requiring their suppliers to demonstrate certification by Cyber Essentials, ISO, PCI DSS or another respected accreditation body.
If there is no accreditation to speak of, 41% of respondents claimed they would expect the supplier to foot the bill in the near future.
George Quigley, a partner in KPMG’s Cyber Security practice, argued that SMEs can find it difficult to understand the nature of the threat landscape and how they could be exposed to risk.
There are also challenges around “defining and identifying” which data is critical and therefore needs protecting.
“Finally budgets tend to be allocated to IT, rather than to cybersecurity more specifically, which generally means that only a fraction of the funds is invested in cybersecurity,” he told Infosecurity.
However, things are changing, Quigley argued.
“SME business partners are starting to look at certifications in order to gain some comfort that the potential SME supplier is dealing with security in an appropriate manner. All signs indicate that this trend is likely to continue,” he revealed.
“Cyber Essentials and ISO 27001 are perhaps the two most common certifications that are being requested. Overall, SMEs need to be able to articulate to their partners the threats that they face, the risks that they believe they are exposed to and the mitigants that they have in place to minimize that risk.”
Source: Information Security Magazine