
(ISC)² Research Report Indicates That Small Businesses May Not Be the Weakest Link in the Supply Chain

Study reveals that cybersecurity staffing and best practices are bigger factors than company size in assessing security risk associated with supply chain partners

Clearwater, FL, June 20, 2019 – (ISC)² – the world’s largest nonprofit association of certified cybersecurity professionals – today released the findings from its Securing the Partner Ecosystem study, which surveyed more than 700 respondents at both small businesses and large enterprises to learn how data sharing risk is perceived. The research finds that 50% of large enterprises view third-party partners of any size as a cybersecurity risk, but only 14% have experienced a breach as the result of a small business partner, while 17% have been breached as the result of working with a larger partner.

These findings contradict the widely held belief that small businesses are the easiest conduit for cyberattacks on large enterprises. In practice, large enterprises are nearly unanimous in their confidence in their small business partners’ cybersecurity practices (94% of survey respondents indicated that they are “confident” or “very confident”), and 95% have a standard process for vetting their suppliers’ cybersecurity capabilities.

“This research highlights the fact that building a strong cybersecurity culture and subscribing to the right best practices can help organizations of any size maximize their security effectiveness,” said (ISC)² COO Wesley Simpson. “It’s a good reminder that in any partner ecosystem, the responsibility for protecting systems and data needs to be a collaborative effort, and multiple fail-safes should be deployed to maintain a vigilant and secure environment. The blame game is a poor deterrent to cyberattacks.”

Lax Access Management Controls
Nearly two-thirds (64%) of large enterprises outsource more than one-quarter (26% or more) of their daily business tasks, which means granting third parties access to their data. Outsourced functions range from research and development to IT services and accounts payable. Sharing data this way is necessary as a large enterprise scales its operations, but the (ISC)² research indicates that access management and vulnerability mitigation are often overlooked.

  • 34% of large enterprises say they have been surprised by the broad level of access a third-party provider has been granted to their network and data
  • 39% of small businesses expressed the same surprise about the access they were granted when providing services to large enterprise partners
  • Even worse, 35% of large enterprises admitted that when a third party alerts them to insecure data access policies, nothing changes in the large enterprise’s practices
  • More than half (55%) of small business respondents reported that they still had access to a client’s network or data after completing a project or contract
  • 54% of small businesses have been surprised by some of their large enterprise clients’ inadequate security practices, and 53% have provided notification of security vulnerabilities they’ve discovered in large enterprise networks to which they have access

Investment in Cybersecurity Teams
The report also found that while small businesses have fewer employees overall, the proportion of their staff devoted to cybersecurity isn’t necessarily lower than in large enterprises. More than two-fifths (42%) of small businesses (250 or fewer workers) employ at least five dedicated cybersecurity staff. By comparison, 75% of large enterprises (more than 1,000 employees) have at least 10 staff members focused on cybersecurity. Many large enterprises have more cybersecurity staff by volume, but some small businesses have a higher percentage of their workforce implementing best practices and defending data and networks.

Similar Best Practices Regardless of Size
The study found that, while their toolsets may differ, small businesses and large enterprises approach data protection similarly by focusing on many of the same cybersecurity best practices. Both sets of respondents named the same top three best practices for protecting their networks and data:

  • Regular automatic scans with antivirus and anti-malware programs
  • Blocking access to known malicious IP addresses through firewall configuration
  • Strong email filters to prevent phishing

For the full 2019 Securing the Partner Ecosystem report, please visit:

About the Report Methodology
Results presented in this report are from an online survey conducted by (ISC)² and Market Cube in November 2018. The total respondent base of 709 IT/ICT/cybersecurity decision makers included 354 from small businesses with 250 or fewer employees and 355 from large enterprises with at least 1,000 employees, all based in North America.

About (ISC)²
Celebrating its 30th anniversary this year, (ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our membership, more than 140,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit, follow us on Twitter or connect with us on Facebook and LinkedIn.

# # #

© 2019 (ISC)² Inc. (ISC)², CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP, CCFP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP and CBK are registered marks of (ISC)², Inc.

Media Contact:
Brian Alberti
Corporate Public Relations Manager
(617) 510-1540