ISC2: Cyberattacks Unfairly Blamed on Small Businesses
The association, which provides cybersecurity training, surveyed more than 700 respondents at both small businesses and large enterprises to learn how data sharing risk is perceived. One-half of large enterprises view third-party partners of any size as a cybersecurity risk, but only 14% have experienced a breach as the result of a small business partner, while 17% have been breached as the result of working with a larger partner.
Contrary to popular belief, large enterprises are overwhelmingly confident about their small business partners’ cybersecurity practices, and 95% have a standard process for vetting their suppliers’ cybersecurity capabilities.
Wesley Simpson, ISC2’s COO, tells us the findings provide MSSPs and other cybersecurity providers a “conduit to have discussions with their customers about the perceived responsibility inherent in shared data environments in order to create a transparent working relationship.”
“Shedding light on the kinds of poor cybersecurity habits that lead to breaches can position an MSSP as an educated authority on data security,” he said. “It can also help to reframe how customers view their supply chain so that they not only give smaller businesses a fighting chance in the procurement process, but they start to ask the right questions about the best practices that third parties of all sizes employ, and turn the lens on themselves as well.”
If prospective enterprise clients traditionally have viewed small businesses as riskier to do business with than larger competitors, there’s a high probability that these SMB providers have lost out on contracts that they were qualified for, simply due to the reputation of their segment, Simpson said.
“Likewise, when breaches do occur, it’s conceivable that a small-business partner could receive more scrutiny than is warranted due to the belief that they have less sophisticated cybersecurity practices,” he said.
Nearly two-thirds of large enterprises outsource at least one-quarter of their daily business tasks, which requires them to grant third parties access to their data. That can include anything from research and development to IT services and accounts payable. This access is necessary as large enterprises scale their operations, but the research shows access management and vulnerability mitigation are often overlooked.
Some 34% of large enterprises say they have been surprised by the broad level of access a third-party provider has been granted to their network and data. Also, 39% of small businesses expressed the same surprise about the access they were granted when providing services to large enterprise partners.
Even worse, 35% of large enterprises also admitted that when alerted by a third party to insecure data access policies, nothing changes in the large enterprise’s practices. And more than one-half of small business respondents said they still had access to a client’s network or data after completing a project or contract.
Some 54% of small businesses have been surprised by some of their large enterprise clients’ inadequate security practices, and 53% have provided notification of security vulnerabilities they’ve discovered in large enterprise networks to which they have access, according to ISC2.
The report also found that while small businesses have fewer employees overall, the proportion of their cybersecurity staff isn’t necessarily lower than in large enterprises. In addition, while they may have differing tool sets, small businesses and large enterprises approach data protection similarly by focusing on many of the same cybersecurity best practices, ISC2 said.
“Our research indicates that there are lax practices that could negatively affect organizations on both sides of the partnership equation, and this represents a warning to and an opportunity for MSSPs,” Simpson said. “Close adherence to access management policies is critical to make sure that only those who should have access to data do, especially when a working relationship or contract ends. When security vulnerabilities are reported, an immediate mitigation process should be launched to ensure data integrity.”
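The two access-management failures the survey keeps returning to are grants that are broader than the engagement needs and grants that outlive the contract. One way to catch both is a periodic reconciliation of every third-party principal against the engagement register. The script below is an added example written for this article, not code from ISC2 or the report; the vendor names, scopes, dates and the 7-day grace and 90-day staleness thresholds are constructed assumptions for illustration.

```python
"""
Reconcile third-party access grants against the engagement register.

Added example (not from the ISC2 report). All vendors, scopes and dates
below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Engagement:
    vendor: str
    approved_scopes: FrozenSet[str]   # systems/data sets the contract needs
    ends: Optional[date]              # contract end date; None = open-ended


@dataclass(frozen=True)
class AccessGrant:
    principal: str                    # account or service identity
    vendor: str                       # which third party it belongs to
    scope: str                        # system or data set the grant covers
    last_used: Optional[date]         # None = never used


def review_grants(grants: List[AccessGrant], engagements: List[Engagement],
                  today: date, grace_days: int = 7,
                  stale_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (principal, scope, reason) for every grant that should be
    revoked or justified: no engagement, engagement ended, scope not
    approved, or unused beyond the staleness window."""
    by_vendor = {e.vendor: e for e in engagements}
    findings: List[Tuple[str, str, str]] = []
    for g in grants:
        eng = by_vendor.get(g.vendor)
        if eng is None:
            findings.append((g.principal, g.scope, "no engagement on record"))
            continue
        # Lingering access: contract ended more than grace_days ago.
        if eng.ends is not None and today > eng.ends + timedelta(days=grace_days):
            findings.append((g.principal, g.scope, "engagement ended"))
            continue
        # Over-broad access: the scope was never approved for this vendor.
        if g.scope not in eng.approved_scopes:
            findings.append((g.principal, g.scope, "scope not in approved set"))
        # Dormant access: never used, or unused beyond stale_days.
        if g.last_used is None or (today - g.last_used).days > stale_days:
            findings.append((g.principal, g.scope,
                             "unused for more than %d days" % stale_days))
    return findings


def sample_findings() -> List[Tuple[str, str, str]]:
    """Run the check over constructed sample data (hypothetical vendors)."""
    today = date(2019, 6, 30)
    engagements = [
        Engagement("acme-rd", frozenset({"rd-share", "vpn"}), date(2019, 12, 31)),
        Engagement("payroll-co", frozenset({"ap-system"}), date(2019, 3, 31)),
    ]
    grants = [
        AccessGrant("svc-acme-rd", "acme-rd", "rd-share", date(2019, 6, 28)),  # fine
        AccessGrant("svc-acme-rd", "acme-rd", "erp-admin", date(2019, 6, 1)),  # too broad
        AccessGrant("svc-acme-rd", "acme-rd", "vpn", None),                    # never used
        AccessGrant("payroll-bot", "payroll-co", "ap-system", date(2019, 6, 29)),  # contract over
        AccessGrant("old-contractor", "legacy-it", "dc-admin", date(2018, 1, 5)),  # no engagement
    ]
    return review_grants(grants, engagements, today)


if __name__ == "__main__":
    for principal, scope, reason in sample_findings():
        print(f"{principal:16} {scope:12} {reason}")
```

The ordering matters: an ended engagement is reported once and short-circuits the other checks, because the remedy (revoke everything for that vendor) is the same regardless of scope or last use. Feeding this from an identity provider export and the contract system on a schedule turns the survey's "still had access after the contract ended" finding into a ticket rather than a surprise.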