Third Party Assurance

“We became aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system…” the letter from American Express read, and so it went. 

Another breach, and another apologetic letter from a major respectable service provider.  For the eagle-eyed observer, another supplier failure.  We have highlighted several over the past twelve months, but the trend continues: if you use a major third party, consider whether they are secure enough for you. 

What if you are a service provider? 

In particular, what if you are a small or medium-sized service provider, and your client is a big firm that will hit the news if its data is breached?

What do you do to convince them you are secure? 

It seems a simple question, but it’s not as easy as you think.  Most third-party assurance programmes are built by consultants of big companies for big companies.  They ask questions in a way that specialists and big companies understand, and smaller organisations that don’t work in assurance just don’t.  If ever you’ve been on the receiving end of these questionnaires, audits or similar, you know what I mean.  And, if it’s a large client, it’s likely to be an important client.  These questions consume time, and that is time away from your business.  If more than one of your clients asks similar questions, then you might find you are working double time to maintain the same business as before.

We don’t have a solution for this.  Well, we do, which is work with us and we’ll handle these questions, but that’s not the point of this blog.  We can, however, suggest three things companies can use to minimise the impact of being swamped in apparently reasonable security questionnaires:

1.    Accredit.

Get accredited to a recognised standard.  For many clients, this will be enough to demonstrate you care about security.  Others may ask fewer questions.  What should you accredit to?  Some clients will ask for SOC2 – this will take too much time and cost for most small and medium-sized businesses to do properly, so we’ll assume this isn’t an option.  A well-known alternative is ISO27001 – accrediting to the ISO standard for information security management systems.  Again, this can be hard work, but not unachievable, and there is a lot of support available.  If this is too heavy, then there are lighter accreditations: the UK government has defined the Cyber Essentials standard, and the IASME organisation has defined the IASME cyber assurance scheme.  Both are security accreditations that, together, offer a fair view of the quality of security in place without costing the Earth or taking an age.  Your clients may accept these.

2.    Have standard answers.

There are standard questionnaires, and standard responses.  While the questions every client asks can be different, they aren’t that different, and asking a specialist to draft this can save you hours in the future.  You can even build a supporting information pack in case the client wants to evidence some things.  You don’t have to share everything – think cover and contents pages instead of entire procedures – but most of what they ask will be fairly standard. 

3.    Appoint a security person.

If you appoint someone to do this for you, whether internally or outsourced, and if they know what they are talking about, this will become easier for you.  There’s a cost associated with it – and you have to decide whether or how to pass this on to your clients – but this is the easiest option for most small and medium-sized businesses.

However you choose to respond to your clients, know that this challenge will only get harder.  As larger organisations face more threats and more regulation, smaller suppliers are having to improve their security or choose to do business elsewhere.

If you do need help on keeping this manageable and ensuring you convey trust to your corporate clients, please get in touch.  We have been doing this for a while now and understand the preparation you can put in to make responding to your client queries a breeze. 
