Why Conglomerates Should Stop Blaming SMBs For Cyberattacks

Cybersecurity investments are soaring: Venture capitalists placed a record level of funding toward cybersecurity startups last year, Strategic Cyber Ventures said in a January report. Earlier this month, analysts at Cybersecurity Ventures predicted that global spending on cybersecurity solutions will exceed $1 trillion by 2021.

Corporate investments in cybersecurity continue to surge because threats continue to grow. Yet, for an organization that has invested heavily in protecting its own systems and data, cyber risks never fully fade — especially when many of the biggest risks are coming from an organization’s network of business partners within the supply chain.

Last year, researchers at Opus found that 59 percent of surveyed organizations in the U.S. and U.K. have experienced a data breach as a result of their B2B vendors or third-party partners. Often, though, it’s the small and medium-sized business (SMB) partners and vendors that are blamed for opening the data door to hackers and cybercriminals. The latest report from ISC2 found that this blame on SMBs tends to be misplaced — and worse, that large organizations notified of a cyberattack or data compromise often won’t act on that news.

Last week, reports in Channel Futures said a survey of 700 small businesses and large enterprises by ISC2 found that awareness of third-party cyber risk is on the rise, with half of surveyed companies agreeing that a third party of any size can pose a threat.

“Conventional wisdom has long held that small businesses have less sophisticated cybersecurity defenses, small budgets and fewer skilled resources, providing an easy entry point for hackers into large enterprise,” the ISC2 report stated.

Despite that widespread belief, the survey found that a greater percentage of companies experienced a data breach as a result of working with a larger partner — 17 percent, compared to the 14 percent that pointed to a small business partner as the source of a cyber vulnerability.

In addition to some misplaced blame, large enterprises that are warned that they may be giving too much data access to third parties often don’t act on that information. Nearly 40 percent of SMBs surveyed said they were surprised by how much access they were granted to a large enterprise partner’s systems, and more than one-third of large businesses said they did not change internal policies when notified that their data access policies may be insecure or subpar.

Frighteningly, most small businesses said they were able to retain access to a large corporate partner’s data even after they had completed work with that firm.

“Shedding light on the kinds of poor cybersecurity habits that lead to breaches can position [a managed security service provider (MSSP)] as an educated authority on data security,” said ISC2 Chief Operations Officer Wesley Simpson in an interview with Channel Futures.

“Our research indicates that there are lax practices that could negatively affect organizations on both sides of the partnership equation, and this represents a warning to, and an opportunity for, MSSPs,” he added. “Close adherence to access management policies is critical to make sure that only those who should have access to data do, especially when a working relationship or contract ends. When security vulnerabilities are reported, an immediate mitigation process should be launched to ensure data integrity.”