Supply Chain Cybersecurity and Small and Medium-Sized Enterprises (SMEs): Exploring Shortcomings in Third Party Risk Management of SMEs

Abstract

Small and medium-sized enterprises (SMEs) have long been known to be a weak link in supply chain cybersecurity. Despite their crucial role in the global supply chain, SMEs and their struggle to increase cyber resiliency and improve their defenses is understudied in academic literature. This paper uses qualitative research methods to conduct an empirical study of the challenges SMEs encounter when participating in third party cybersecurity risk assessments. Using interviews with cybersecurity and supply chain practitioners, this study provides an overview of four major risk assessment methods (i.e., questionnaires, audits and certifications, security rating services, and direct testing) and the problems that arise when companies apply tools designed for large corporations to SMEs. Results discuss how and why traditional methods fail and offers insights on how to improve third party risk of SMEs moving forward.