As most small and medium-sized enterprises (SMEs) run on a low operational budget, few invest adequately in cybersecurity.
Hence, they are becoming preferred targets for cybercriminals, either as direct victims or as an attack vector into the bigger businesses, government agencies or critical infrastructures they supply. We are currently witnessing a surge in supply-chain cyberattacks, both in number and in sophistication.
The importance of SMEs is beyond question: according to ENISA, they are the backbone of the EU economy, representing 99% of all businesses and employing about 100 million people. The US economy is no different percentage-wise. SMEs provide services and products to bigger businesses and to the population at large. As crucial parts of the supply chain, they must therefore be protected from cyberthreats.
During research conducted by the Israel National Cyber Directorate (INCD), many SMEs complained of too many different requirements imposed by different customers and regulators. Big enterprises invest a lot of resources in defining their own requirements for supplier cyber-risk management according to standards such as ISO/IEC 27036, NIST SP 800-161 and others, yet they often settle for suppliers' self-declarations rather than insisting on valid audit results. According to the ISO survey, in 2019 only 36,362 organizations worldwide were certified to ISO/IEC 27001, the international standard that stipulates over 100 different controls for managing information security.
Recognizing the risk across the board, the UK's National Cyber Security Centre (NCSC) published supply-chain security guidance to help businesses take control of the cybersecurity of their suppliers. The guidelines are quite thorough and educate businesses on how to understand and manage the risk originating with suppliers, but much of the work required is left to the businesses themselves.