UK SMEs with weak security risk procurement exclusion – survey

Suppliers who get hacked will get sacked. Fact


SMEs need to take cyber security seriously or face being frozen out of the procurement process, according to a new survey from management consultants KPMG.

In a poll of UK procurement managers, nearly all (94 per cent) agreed that the cyber security standards of their supplier are important when awarding a contract to an SME. Yet nearly 70 per cent of the 175 respondents say SMEs could do more to protect their valuable client data.

The vast majority (86 per cent) of the UK procurement managers at large organisations across several sectors that took part in the survey said they would consider removing an SME supplier if they suffered a data breach.

Two-thirds of procurement managers ask their suppliers to demonstrate cyber accreditations, such as the UK Government’s Cyber Essentials or the credit card industry’s PCI DSS scheme. SMEs are increasingly being asked to self-fund their own accreditations.

“Cyber security is not just a technical issue anymore," said George Quigley, Partner in KPMG’s cyber security practice, "it has become a business critical issue for the UK’s SMEs. Larger companies are placing an increased emphasis on the cyber security of their suppliers and increasingly the onus is on SMEs to show that they are tackling this issue head on."

“Unfortunately, many SMEs still take a blasé approach towards cyber security and mistakenly don’t see themselves as targets of cyber criminals," he added. "Unless these organisations take a more mature approach towards cyber security now, they face the risk of being frozen out of lucrative supplier contracts."

In order for businesses to be awarded some public sector contracts they already have to demonstrate a certain level of cyber maturity and this is increasingly becoming the norm in the private sector as well, according to KPMG.

Companies are also embedding cyber security in their supplier contracts, with about half (47 per cent) of existing contracts already stating that suppliers are contractually obliged to tell them if they have been hacked.

“This means that if an SME supplier is breached and doesn’t deal with it appropriately, they could be looking at the termination of an existing supplier contract,” Quigley added.

UK corporations have good business reasons to be concerned about the security practices of their suppliers. A string of breaches in the US last year, including the high-profile Target and Home Depot hacks, was subsequently traced back to lax security controls at third-party providers.

In the case of Target, a breach at its heating and air conditioning subcontractor was blamed for the subsequent hack of the retail chain. Hackers tricked workers at a Pennsylvania air conditioning firm into opening a malware-laced email attachment, the first stage in a multi-stage hack that ultimately allowed crooks to plant malware on point-of-sale terminals at Target.

The similar Home Depot hack – which exposed 56 million customer credit and debit card accounts – was facilitated by credentials stolen from an unnamed third-party vendor. ®


Biting the hand that feeds IT © 1998–2019