There you are, leading a startup as it gets its first shot at a big-league contract with a major company. Everything is going great. The broad strokes of the agreement are worked out, and all that is left is for the lawyers to hash out the fine print.
And then, like that, everything comes to a screeching halt.
Your new customer has asked you to complete a third-party risk evaluation describing your company’s cybersecurity organization and posture. There’s a detailed questionnaire, and it is asking questions about third-party risk and other things you’ve never heard about.
“I don’t have a cybersecurity program,” you think to yourself. “I’ve been too busy building a business.”
For the past 15 years, large enterprises burned by news of breach after breach have diligently invested in cybersecurity. Now, large enterprises are doing more business with smaller organizations. In the past, most enterprises only required third-party risk evaluations for those vendors who met a certain threshold. Those days are over. Small and medium-sized businesses regularly hold valuable data on behalf of both their corporate partners and customers. And there are no businesses that are so small that they escape the notice of hackers. In fact, small businesses are often viewed as vulnerable targets with less technical savvy and smaller security budgets.
Breaches of third-party partners that trickle back to major enterprises can cause massive damages. In April 2018, a breach of chat-application maker (24)7.ai exposed the customer payment data of several companies, including Best Buy, Delta, and Sears. In June of that same year, hackers breached Ticketmaster through another chat application. In each case, these companies faced significant backlash for a security fault that ultimately wasn’t their own.
It’s simply not advantageous for enterprises to ignore the risks that all of their partners might create, and large enterprises need to ask tough questions of their vendors.
Data Security Doesn’t Need to Be a Ceiling on Your Growth
So what should you do if you suddenly discover that the lack of security is hampering your ability to find new clients?
Most security firms start by assessing your company’s current practices. With that baseline, they can work toward an actionable, incremental improvement plan that takes your needs and resources into account.
Building a cybersecurity program and improving your security posture isn’t an overnight endeavor. It can take years. However, all businesses should rely on the simple tenets of the security lifecycle – assess, detect, improve, monitor. Gain an understanding of what your risks are, implement a way to detect issues, create a plan to improve your posture, and monitor the progress you are making. The depth, focus, and investment in each of these pillars will be different for every organization, but together they should be the focal point of your cybersecurity strategy.
Beyond technical protections, consider what information you actually need to collect and store, and how you are protecting that information. By reducing the sensitive data that your business collects and stores, you can dramatically cut risk for both your business and prospective partners.
Corporate requirements reflect consumer demands
Running a business can feel like a never-ending battle, with new challenges every day. Cybersecurity is a challenge you simply can’t take your eye off.
The trickle-down of cybersecurity practices won’t stop with small businesses. Security hygiene has already spread from executives to consumers. And consumers, in turn, are demanding better security from every company they do business with. Your customers and partners expect security; your business should reflect that.