Small defense companies represent the greatest cybersecurity risk to prime contractors in the supply chain, but the risk to a smaller firm varies with the type, not the size, of the company, says a new report by the cybersecurity firm BlueVoyant.

Small companies in the manufacturing and research and development (R&D) segments of the defense industry are at “highest risk,” says the report, Defense Industry Supply Chain & Security 2021. “When size and industry are combined, patterns become even clearer,” it says. “Small companies in the manufacturing and R&D segments are at significantly higher risk than companies in any other size group or industry.”

The report says the “strongest correlation” for cyber risk was with R&D companies employing more than 200 personnel: all of these companies “were high risk,” with network vulnerabilities. Of these, 66 percent were higher risk, having both network vulnerabilities and “evidence of targeting,” and nearly 38 percent had network vulnerabilities, evidence of targeting, and evidence of compromise, it says.

BlueVoyant looked at three indicators of risk: security vulnerabilities, such as unsupported software, unsecured ports and email security weaknesses; evidence of targeted attack activity; and compromise, meaning evidence of outbound communications to a malicious command-and-control server or infrastructure.

The study examined 300 small and medium-size defense suppliers, all with sales below $1 billion and between 1 and 500 employees. The study also groups the companies into four industries: R&D, manufacturing, services, and other.

Among the overall findings: more than half of the companies in the study had unsecured ports; nearly half (146 companies) had vulnerable ports and other “severe vulnerabilities,” such as unsecured data storage ports and out-of-date software; and nearly 20 percent (49 companies) had multiple vulnerabilities and evidence of threat targeting.

About 7 percent of all companies had all three indicators of risk, and nearly 14 percent of small manufacturing companies had all three.

“Smaller manufacturers often have fewer resources to address cybersecurity and can lack senior-level management roles tasked solely with information security,” BlueVoyant says. “Moreover, despite being deeply integrated, often providing parts that are tracked through the entire supply chain, manufacturers are often not affected by attacks that occur farther down the supply chain and have little incentive to grow more secure.”

BlueVoyant also examined the companies for adherence to the Pentagon’s cybersecurity standards for industry, contained in the Cybersecurity Maturity Model Certification (CMMC). It says 28 percent of the firms in the study appeared not to meet even the lowest levels of the regulations.

“These smaller firms are suddenly facing a requirement that demands significant investment in new controls without necessarily having either the budget or the in-house expertise to implement controls,” the report says.

The report also says that, given the small sample size of the study, adding more variables and a larger sample would “likely produce greater insights to help the DoD and prime contractors identify and more effectively manage risk.”