Small and medium-sized businesses employ 47.1 percent of the private-sector workforce in the United States and generate almost half of the country's gross domestic product, yet, because of limited finances, resources, and staff, many struggle with supply chain management. Geopolitics, inflation, and worker shortages are just a few of the variables that can disrupt a supply chain: 86% of SMB supply chains have already been, or expect to be, affected by Russia's war in Ukraine [1], and 32% of small business owners say supply chain disruptions have had a significant impact on their business [2]. How, then, can the 33 million small and medium-sized businesses across the United States compete? [3]
April is National Supply Chain Integrity Month, an initiative started by CISA and other government agencies to highlight the importance of securing the nation's most critical systems. Last week, I wrote about best practices for maturing your third-party risk management program. This year's theme is supply chain resilience, so it is fitting that CISA's focus for Week #2 of Supply Chain Integrity Month is on small businesses.
Since the release of the Biden Administration's National Cybersecurity Strategy, countless federal officials have spoken about the need to shift the cybersecurity burden away from consumers and small businesses and onto larger organizations that have vastly greater resources and expertise. It is profoundly unfair to expect a small business with a handful of employees to have the expertise to defend itself against sophisticated cyber threats. Too often, however, small businesses and end users of technology are blamed for cyber risk rather than enabled to do better.
Organizations of all sizes and risk profiles face vulnerabilities across the supply chain; they are only as strong as their weakest links. For a large organization, a small partner or third-party vendor is an attractive attack vector into the corporate infrastructure. An attack against a small supplier that integrates with a larger IT environment is often a faster route into that network than a direct attack against its multi-layered defenses. Some of the biggest organizations in the world have found their supplier ecosystem to be a much larger attack surface than their own massive technology networks.
CISA Director Jen Easterly remarked in a speech at Carnegie Mellon University earlier this year that "every organization should demand transparency regarding the practices and controls adopted by technology providers and then demand adoption of such practices as basic criteria for acceptability before procurement or use."
The transparency Director Easterly describes is one of the main value propositions we see for SecurityScorecard's ratings and collaboration platform: driving awareness and transparency across the supply chain. Every organization, no matter its size, has a right to its own score. The ultimate purpose of security ratings must be to improve cybersecurity and preserve trust around the world.
For SMBs to stay vigilant, they need to see what an attacker would see and to generate insights about the vulnerabilities, active exploits, and advanced cyber threats they face. Outside-in scanning can be particularly helpful for small organizations with limited resources and technical capabilities, because it requires no agents or internal access. SecurityScorecard's ratings measure an entity's cyber hygiene across ten risk categories, including network security, DNS health, endpoint security, and patching cadence.
Call for supply chain transparency to fight cyber risk
Most multinational corporations use dozens, if not hundreds or thousands, of IT vendors, yet they have little to no information about the security of those vendors. With over 50% of cyber incidents occurring through third-party connections, this lack of visibility is driving organizations to demand from suppliers and partners the kind of transparency Director Easterly calls for. I encourage larger organizations to partner with their small business vendors to help prioritize and communicate about risk.
As CISA seeks to protect and defend the nation from cyber risk, we applaud the agency for focusing its resources on small and medium-sized businesses. SecurityScorecard is eager to partner with the nation’s small businesses to enhance visibility into cyber risks and communicate the impact that investments in cyber resilience have in improving national supply chain integrity.
We hope to see you back here next week for the third installment in this blog series, where we will take a deep dive into vendor/supplier trustworthiness.