What the passport furore teaches SMEs about the "cybersecurity factor" in procurement
5 min read
13 April 2018
The contract to manufacture the UK’s post-Brexit blue passport was recently awarded to Franco-Dutch outfit Gemalto over incumbent British firm De La Rue. A political storm ensued, leading sections of the media and their readers to describe the decision as treasonous.
The government has rejected such claims, but the fact that the deal will save the taxpayer £120m over five years wasn’t the sole reason a non-British supplier was chosen. The government also cited Gemalto’s superior track record on cybersecurity, which says a lot about cybersecurity’s lofty new status as a “kingmaker”.
Security is no longer the grudge purchase it once was – deemed necessary to mitigate the risk of reputational damage, operational disruption and lost business. A good reputation, robust security posture, and strong commitment to regulatory compliance can actually help organisations win new business and contracts.
As such, SMEs should treat cybersecurity as the competitive differentiator that it is, by enhancing security processes and investing more in technology and training. Businesses that do so can then place their security status front and centre to elevate themselves above the opposition.
Why it pays to keep customers and partners happy
Cybersecurity is also vital for customer retention, not just acquisition. Just think how many people you know who used to be with TalkTalk five years ago versus today. If people lose confidence in a business, they are more likely to jump ship and move to a competitor. Estimates suggest that TalkTalk’s breach cost the company more than £60m in total.
This can be less obvious but no less devastating in the B2B world, in which businesses may not need to suffer a breach to lose clients to a competitor. Today, enterprises are acutely aware of the risks posed by increasingly complex supply chain ecosystems, with hackers regularly seeking to compromise bigger organisations by targeting smaller partners and suppliers.
Naturally SMEs want to do business with larger enterprises, so it’s vital to not be considered a weak link in the chain. Furthermore, as bosses introduce new products and services, they must ensure they hold their third-party suppliers to higher security standards. To avoid being caught out, suppliers must regularly assess and refine security processes and technologies.
Meeting buyers’ expectations
On the other side of the fence, what specifically are businesses procuring products and services looking for from their suppliers from a security perspective? First and foremost, the single fastest way to be overlooked for a contract is a failure to meet core cyber hygiene standards, such as those set out by certification schemes like Cyber Essentials and ISO 27001 (with ISO 27002 as its accompanying code of practice). Good practice supported by such initiatives includes:
– Patching out-of-date software and applications
– Ensuring that safe provisioning and network management policies are in place
– Hardening the configuration of computers and network devices
– Securely setting up and maintaining boundary firewalls and internet gateways
– Performing regular vulnerability assessments
To even bid for a government contract related to the handling of sensitive or personal information, organisations require Cyber Essentials certification. It is increasingly a prerequisite in the private sector too.
While practicing basic cyber hygiene is an important first step, SMEs should strive to improve their security posture as far as possible beyond minimum standards.
Data breaches are now an operational reality and businesses cannot afford to rest on their laurels and operate in the belief that traditional security controls such as firewalls and antivirus will protect them. This approach is too reactive and has proved countless times to be woefully ineffective at safeguarding organisations against the latest advanced threats.
To significantly reduce cyber security risk, all businesses should look to commission regular assessments, such as penetration testing, as well as implement controls and procedures to swiftly detect and respond to threats that evade the network perimeter.
Nowadays, the risk of a data breach is far too big for any buyer to ignore. Whether working for a government agency, traditional enterprise, SME, or even a fledgling start-up, buyers are inherently risk averse and, in 2018, this means they will choose brands and business partners that will help keep their organisation’s data and reputation intact.
Only suppliers that meet the latest data protection standards and are firmly committed to cybersecurity best practice will thrive in an increasingly competitive and hazardous digital economy.
Andy Kays is CTO at threat detection and response specialist, Redscan