Today's enterprise customers are more attuned to risk and security, and because of that they want to work with suppliers that take security seriously. This is especially so as there have been many high-profile breaches which originated from a third-party supplier. So, the best way that Small Organisations can get and keep enterprise customers is to demonstrate that they understand risk and security.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Introduction to getting & keeping enterprise customers
Today, we're going to be looking at what Small Organisations can do to ensure that they keep the enterprise customers and what enterprise customers are particularly interested in knowing about a Small Organisation when it comes to security.
Supplier pre-qualification questionnaires
When you first engage with larger enterprises or organisations, they normally ask you to fill out a Pre-Qualification Questionnaire (or PQQ) and one of the first few questions that's normally on there is: "Do you have Cyber Essentials Certification?"
It's a pretty straightforward certification that provides assurance that you have covered the basics of cyber security controls. The UK Government made it mandatory for any outsourcing of government or local authority procurement. It only costs £300 a year for the basic certification. You can spend more for the plus version, and it's really straightforward.
It makes sure you've covered all the basic security controls, so that you get on to the bigger questions that they're interested in.
Your competition does the basics for their critical customers
The other thing about the Cyber Essentials Scheme is that even if an enterprise procurement process hasn't made it mandatory, as a Small Organisation you will be competing against larger suppliers who may have 'Cyber Essentials Plus.' So, at least having the Basic level puts you above those that don't have any. And often it will mean that you've got fewer questions to answer.
What some enterprises may do to ensure the security of their supplier organisations, if they don't have Cyber Essentials Certification, is to ask you additional security control questions. If you really don't know how to answer those, it's going to show. So, if you've got Cyber Essentials Certification, firstly it could mean there are fewer forms to fill in. Secondly, it shows commitment that at least you've taken the basic steps even if you haven't moved on from there.
And the Cyber Essentials Scheme is an evolving standard and more and more organisations are making it mandatory. If you can get it done sooner it makes life a lot easier.
Create the appropriate security policies and procedures
The first point I'd like to make is that you need to have policies and procedures in place. The policies that you have in place will vary depending on the organisation you're in, what you're supplying, who you're supplying it to, the industry you're in, etc. Equally, if you want to show that you're a cut above other suppliers, having those policies enables you to convey what it is that you're doing to make sure that you are backing up what you're saying.
As a minimum, you need a Security Policy and a Data Protection Policy. The others that will possibly add value could include a separate Password Policy, a Firewall Policy, and a Starters, Movers and Leavers Policy. Again, it depends on what you're doing, what's important, what's not important and what organisation you're in.
For example, your Data Protection Policy will feed into who you're using and where you're storing the data, which is what a lot of these organisations are really interested in. They want to know who your suppliers are and how you know the information they are giving you is being protected.