Third parties cause ICT risks in SMBs

In Spain, as everybody knows, most of the business fabric is made up of SMEs. According to data published by the Ministry of Employment and Social Security in June 2018, Spain has 1,312,813 companies. Of these, 87% are micro-SMEs (1 to 9 employees), 11% are small companies (10 to 49 employees) and 1.9% are medium-sized companies (50 to 249 employees). Only 4,578 are large companies with more than 250 employees.

Studies by recognized entities in this field, such as the Ponemon Institute, show that SMEs are increasingly vulnerable to cyber attacks. The report published by this organization in 2017 shows that up to 64% of the companies interviewed declared having suffered a cyber attack, 54% of which would have ended in information leaks. Only 55% of the respondents in the study claimed to have an incident response plan, which reflects that information security management in SMEs still has a long way to go.

SMEs must not only apply the appropriate security measures to guarantee business continuity and service availability in order to be more competitive and to preserve their reputation; in the current situation in Europe, and more specifically in Spain, every company, including SMEs, is also obliged to manage ICT risk for regulatory compliance. This starts with the RGPD (GDPR) and continues with the NIS Directive, the National Security Scheme (ENS) for those that provide digital services to the Public Administrations, and soon also ePrivacy.

One of the aspects analyzed in information risk management is the relationship with suppliers. Regulations and information security standards such as the RGPD, ENS, ISO 27001, ISA 62443, the NIST Cybersecurity Framework, NIST SP 800-53, SOC 2, and even sectoral regulations such as the EBA recommendations in the banking sector, all treat supplier risk management as a key aspect.

With regard to the risk that supplier relationships introduce into a company, it is worth noting that the Ponemon Institute's study identifies the relationship with third parties, that is, with suppliers, as the second most frequent cause of information security breaches.

It must be taken into account that SMEs in Spain have a high degree of outsourcing, both for ICT operations and for the management of other services such as tax, labor or legal advice, and they are also consuming more and more third-party cloud services. If a company places its main information assets in the hands of another, it is unavoidable that it define minimum security requirements when selecting and contracting that provider. Therefore, both from the point of view of the service provider and from that of the consumer, it is highly recommended that companies establish security criteria for ICT services.

SMEs in particular, because they lack specialized resources to manage these security aspects, have greater difficulty in ensuring compliance with all obligations related to information security; consequently, an incident can have especially negative consequences for them.

In this sense, the LEET Security Rating methodology greatly facilitates these tasks. On the one hand, it offers a control framework with different levels that allows determining the requirements needed for the contracted services, thus making it easier to compare different proposals. On the other hand, it allows suppliers or service managers to prove that they have the technical and organizational measures corresponding to the level of their rating.

As a user, demand it. As a provider, use it to accredit your security.

All you need is LEET.
