Cyber Security in SMEs: a potential hurdle for procurement

Cyber Security in SMEs

While most companies are slowly becoming aware of the need for cyber security, it is typically viewed as an ‘in the future’ objective that is not critical for day-to-day business. Cyber security, as has been previously discussed, should always be viewed as business critical, particularly for those who deal with client data or with innovations.

Yet there is now an additional reason why all companies should prioritise their cyber security, and that is new procurement priorities.

A new survey conducted by KPMG, the management consultant group, has found that 86% of UK procurement managers at large-scale organisations, with several sectors participating, would consider removing a supplier qualifying as an SME if that SME was found to have had a data breach.

With regard to cyber security in SMEs, 70% of respondents to the survey also felt that SMEs could do more to protect client data from external acquisition, and almost all UK procurement managers polled, 94%, are in agreement with the assertion that the cyber security standards of their suppliers are vital when awarding a contract to an SME.

This is not simply a matter of assuring those in charge of procurement that your system is secure: two-thirds of procurement managers now require their suppliers to demonstrate cyber accreditations.

While SMEs are generally required to self-fund such tech accreditations, many bids for tender now require accreditations such as the UK Government’s Cyber Essentials or the PCI DSS scheme.

For SMEs this is yet another potential hurdle in their ability to secure a tender. While many would stress that such a requirement is necessary in order for the topic to resonate with SMEs, in the immediate term it means additional resources, both skills and money, being strained in order to meet the cyber security requirements within a bid for tender. Most SMEs do not operate with the extra capital to address such a request immediately, particularly since this may entail an entire system overhaul.

Public sector contracts have already been requiring cyber security with increasing frequency, and this trend is now occurring within the private sector as well.

47% of those who responded to the survey state that their existing contracts contain a clause under which suppliers are contractually obliged to reveal any incident that calls into question the cyber security that has been implemented. This clause could oftentimes be a direct and reasonable cause for terminating relations with said supplier.

And even more companies among those surveyed are working to ensure that a similar clause is included in upcoming contracts.
