BreachExchange mailing list archives

UK SMEs with weak security risk procurement exclusion

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Nov 2015 19:49:07 -0700

http://www.theregister.co.uk/2015/11/03/uk_sme_weak_security_procurement_exclusion/

SMEs need to take cyber security seriously or face being frozen out of the
procurement process, according to a new survey from management consultants
KPMG.

In a poll of UK procurement managers, nearly all (94 per cent) agreed that
the cyber security standards of their supplier are important when awarding
a contract to an SME. Yet nearly 70 per cent of the 175 respondents say
SMEs could do more to protect their valuable client data.

The vast majority (86 per cent) of the UK procurement managers at large
organisations across several sectors that took part in the survey said they
would consider removing an SME supplier if they suffered a data breach.

Two-thirds of procurement managers ask their suppliers to demonstrate cyber
accreditations, such as the UK Government’s Cyber Essentials or the credit
card industry’s PCI DSS scheme. SMEs are increasingly being asked to
self-fund their own accreditations.

“Cyber security is not just a technical issue anymore,” said George
Quigley, Partner in KPMG’s cyber security practice, “it has become a
business critical issue for the UK’s SMEs. Larger companies are placing an
increased emphasis on the cyber security of their suppliers and
increasingly the onus is on SMEs to show that they are tackling this issue
head on.”

“Unfortunately, many SMEs still take a blasé approach towards cyber security
and mistakenly don’t see themselves as targets of cyber criminals,” he
added. “Unless these organisations take a more mature approach towards
cyber security now, they face the risk of being frozen out of lucrative
supplier contracts.”

In order for businesses to be awarded some public sector contracts they
already have to demonstrate a certain level of cyber maturity and this is
increasingly becoming the norm in the private sector as well, according to
KPMG.

Companies are also embedding cyber security in their supplier contracts,
with about half (47 per cent) of existing contracts already stating that
suppliers are contractually obliged to notify the client if they have been
hacked.

“This means that if a SME supplier is breached and doesn’t deal with it
appropriately, they could be looking at the termination of an existing
supplier contract,” Quigley added.

UK corporations have good business reasons to be concerned about the
security practices of their suppliers. A string of high profile breaches in
the US last year, including the high profile Target and Home Depot hacks,
were subsequently traced back to lax security controls at third-party
providers.

In the case of Target, a breach at its heating and air conditioning
subcontractor was blamed for the subsequent hack of the retail chain.
Hackers tricked workers at a Pennsylvania air conditioning firm into opening
a malware-laced email attachment, the first stage in a multi-stage hack that
ultimately allowed crooks to plant malware on point-of-sale terminals at
Target.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
