Instead of random inspections, there's also the liability threat. That's where you tell contractors that if your network suffers any kind of a breach that is eventually traced back to the partner's system, they will be held liable even if the dollar amount of that liability exceeds the value of the partner contract. That will get their attention at contract-signing time.
We're not just talking about viruses and other malware that sneak from their systems to yours. One of the most valuable things your partners hold is knowledge: how to get into your network, what your network can do, and the specific access credentials and procedures that let them in.
If a cyber thief hits your SMB supplier, they might steal those credentials and sit on your network, observing and waiting for the moment to strike. And all this time, because the logins use a legitimate supplier account, it will look to your people like an authorized supplier doing its job.
But the attackers might go a different route. For the actual attack, they might not want to leave a trail of breadcrumbs back to that particular supplier. Once in control, they might want to do more damage to more of your partners before that SMB realizes it has been infiltrated. So they could just as easily study the stolen password and other credentials, along with the exact access path the supplier used, make educated guesses about the credentials of some of your other users (naming conventions, password patterns, shared access procedures), and impersonate them instead.
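Both patterns described above leave traces in an authentication log. The following is an added example, not code from the original article or from CIO Asia: it runs over a constructed sample log (the account names, IP addresses, and the partner baseline are hypothetical) and flags (1) a supplier account being used outside the network and maintenance window agreed with that partner, and (2) a single source trying several distinct accounts, which is what "educated guesses" at sibling credentials look like from the defender's side.

```python
"""Added example (not from the original article): detect a misused supplier
account and the credential guessing that tends to follow it."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log, not real data: timestamp account source_ip outcome.
SAMPLE_LOG = """\
2024-03-04T09:12:01 svc-acmehvac 203.0.113.10 success
2024-03-04T09:40:17 svc-acmehvac 203.0.113.10 success
2024-03-05T02:13:44 svc-acmehvac 198.51.100.77 success
2024-03-05T02:15:02 svc-acmehvac 198.51.100.77 success
2024-03-05T02:20:31 svc-acmeclean 198.51.100.77 failure
2024-03-05T02:20:33 svc-acmepark 198.51.100.77 failure
2024-03-05T02:20:36 svc-acmeguard 198.51.100.77 failure
2024-03-05T02:20:40 j.smith 198.51.100.77 failure
2024-03-05T02:20:45 m.chen 198.51.100.77 success
2024-03-05T08:05:12 j.smith 192.0.2.8 success
"""

# Hypothetical per-partner baseline: the source network and the working hours
# agreed in the contract. Anything else is worth a look even if the login succeeds.
SUPPLIER_BASELINE = {
    "svc-acmehvac": {"networks": [ip_network("203.0.113.0/24")], "hours": range(8, 18)},
}


def parse_log(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, account, src, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": ip_address(src), "ok": outcome == "success"})
    return events


def supplier_anomalies(events, baseline=SUPPLIER_BASELINE):
    """Successful use of a supplier account outside its agreed network or hours.

    Returns (timestamp, account, source, reasons) tuples; reasons is a
    comma-joined string such as 'off-network,off-hours'.
    """
    findings = []
    for e in events:
        rule = baseline.get(e["account"])
        if rule is None or not e["ok"]:
            continue
        reasons = []
        if not any(e["src"] in net for net in rule["networks"]):
            reasons.append("off-network")
        if e["ts"].hour not in rule["hours"]:
            reasons.append("off-hours")
        if reasons:
            findings.append((e["ts"].isoformat(), e["account"], str(e["src"]),
                             ",".join(reasons)))
    return findings


def guessing_from_source(events, min_accounts=3):
    """Sources that touched several distinct accounts, success or failure.

    A low-and-slow guess at sibling credentials shows up as one source
    cycling through account names with one or two attempts each. Returns
    {source: {'tried': [...], 'compromised': [...]}} for sources that tried
    at least min_accounts distinct accounts.
    """
    by_src = defaultdict(lambda: {"tried": set(), "hit": set()})
    for e in events:
        rec = by_src[e["src"]]
        rec["tried"].add(e["account"])
        if e["ok"]:
            rec["hit"].add(e["account"])
    return {str(src): {"tried": sorted(r["tried"]), "compromised": sorted(r["hit"])}
            for src, r in by_src.items() if len(r["tried"]) >= min_accounts}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for finding in supplier_anomalies(evts):
        print("supplier account anomaly:", finding)
    for src, detail in guessing_from_source(evts).items():
        print("credential guessing from", src, detail)
```

On the sample data the supplier account is flagged twice (night-time logins from a network the partner never agreed to), and the same source is then seen trying six different accounts and landing one of them. The point of keying the baseline off the contract is that the supplier's agreed network and window are facts you already hold at signing time; they become detection rules at no extra cost.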
This all assumes the bad actions happen to your SMB partner without its knowledge. But what if the activity is deliberate? What if an employee of this SMB contractor decides to steal your data and sell it to one of your competitors?
Yes, there are many ways that lax security at your SMB partners can become your problem. Putting the CEOs of those companies in the hot seat alongside you isn't a bad way to go.