Running a business today often requires plugging into and partnering with a wide array of service providers to ensure you can both meet the demands of your customers and remain competitive. Whether those partners are providing IT services, website development, social media management, marketing, accounting or legal support, outsourcing and sharing data introduces risk into business operations. The reliance many businesses now have on their partners, and how central those partners are to daily operations, can often lead to complacency and assumptions about whether the suppliers themselves are operating with a robust cyber security strategy.

So, as one of these service providers, what can you be doing to play your part in minimising risk to your business clients and building confidence amongst businesses? To get us going, here are our top 5 things you should not be doing (with a little bit of what you should be doing)…

  1. Asking for client logon credentials. There really should be separate accounts set up for you to access what you need to. Also, the principle of least privilege applies here. Is there a way that you can do what you are contracted to do for your client with the least amount of access to their systems and information? If there is, then you should be following this principle.
  2. Storing logon credentials insecurely. This seems pretty obvious; however, the number of times that breaches occur due to storage solutions being configured poorly means that this should not be taken for granted. If you wouldn’t want your own valuable data stored the way you are handling your clients’, then it needs some attention.
  3. Accessing client accounts from public networks. The risks associated with accessing valuable business and customer data through insecure public networks have the potential to be crippling. In the same way that we would be cautious about doing this in our personal lives, as a supplier you should exercise the same caution.
  4. Accessing client information from an unencrypted device. It’s not just insecure public networks that present risk; devices can be targeted by cyber criminals too. It is therefore imperative that anyone on your team accessing your client’s data is using an encrypted device. One way to ensure this is to restrict use of personal devices for client work.
  5. Not providing a contract with SLAs (Service Level Agreements). Demonstrating to your customers that you are committed to operating to some agreed standards, and doing so proactively, will go a long way in building their trust from the beginning. Also ensure that you have some flexibility around SLAs, as this will enable a more collaborative relationship to grow from the beginning.

Committing your business to doing things properly, and ensuring that these practices are embedded into everything you do, will go a long way in protecting your clients and growing customer confidence.

Certifications and accreditations can demonstrate high levels of competency and capability for service providers; however, if they are sought purely as a vanity exercise, in lieu of a cyber security strategy, or to open up new customer opportunities, they are tantamount to a tick-box exercise with no real value. To have a seal of approval and not operate to the principles it fosters is only going to cause problems when things go wrong, or when your customers ask questions or even audit you against those standards.

Ultimately, as a supplier, what you are seeking to avoid is any form of security, data or information breach occurring as a result of your systems, processes or integrations with your clients. Not only would this compromise the information or systems, but it would also impact your client and their customers. The impact on your customers’ supply chain could be catastrophic. Beyond this, there is a far-reaching reputational impact both on your business as the supplier and on your customers with their end users.

Beyond the practical steps detailed above, there are some additional factors to consider when ensuring your cyber security position is as robust as you can make it ahead of engaging with customers. Your contracts should be built to ensure your requirements are met and that you get the terms you need to feel confident you can deliver for clients, but there has to be room for the clients’ specific needs. This sort of flexibility not only gives clients some ownership but could also open up areas for development, as clients are very good at pushing their service providers. Alongside this, and we would recommend this for all organisations, develop and implement an Incident Response Plan that encompasses not only the internal response when a cyber-attack hits, but also how you will communicate with your customers, manage and support the impact on their business, and work with them to learn from the attack.

Not everything comes down to practical steps, processes and documentation; there are some fundamental behavioural elements to securing your business and client relationships. They may seem obvious, but it’s important to take a moment to consider whether you really have these embedded into your culture.

Be transparent – building solid business relationships begins with openness and trust.  If your business doesn’t have something in place, or is working on developing what the customer needs, be open about this and bring them on the journey with you.

Treat them like you treat your own business – fairly self-explanatory; however, this is not always set in our business culture, as it has to be a part of onboarding employees and also their ongoing development to ensure that they don’t lose sight of the importance of the customer.

Don’t do the bare minimum – as you can see, throughout this piece we have looked at a wide range of actions you can take as a supplier; doing the bare minimum exposes not only your customers but your business too. We always see with our clients that investment in better securing the business leads to a wider range of outcomes, such as increased leadership and staff confidence, which in turn impacts their delivery for customers.

If you are left feeling like you need additional support or insight into how you can best secure your business, we are on hand to provide security assessments or support your leadership team with our business leaders training. Investing time in developing your supplier cyber security strategy could lead to the discovery of differentiating factors vs your competitors, or identification of a core customer benefit you didn’t see before.