How to prove to your customers that you can be trusted

The recent security vulnerabilities discovered in the MOVEit file transfer system have affected dozens of companies and millions of individuals, whose data has been compromised and stolen as a result. Organisations as diverse as the BBC, the US Department of Energy, Boots the Chemist, Oregon and Indiana local government and payroll provider Zellis have been hit, all around the world, from Canada to India to the UK, the USA and Germany. The web scanning engine Censys has identified at least 3000 vulnerable MOVEit servers on the internet.

To their credit, Progress Software, who provide MOVEit, appear to be handling the incident in a professional, clear and transparent way, unlike other recent security breaches (yes Capita, we’re looking at you).

Not all publicity is good publicity

But if you are a supplier of software or services to other businesses, charities or the public sector, how can you prove to your customers and potential customers that your systems and services are secure and can be trusted?

How can you give them confidence to trust you with their two most precious possessions - their data and their reputation?

There are two simple answers:

1. Certifications

2. External independent security help

Certifications

By getting certified to a recognised security standard, you give your clients a certification scheme they can trust as independent verification of your information security. Increasingly we are seeing cyber security certification being a requirement for responding to RFPs across all sectors, and insurers are starting to ask for it as well!

Start with Cyber Essentials, the UK scheme designed by the National Cyber Security Centre. It is already proven to reduce the likelihood of needing to claim on cyber insurance by 80% and is a prerequisite for many UK local and national government contracts. Cyber Essentials focuses on 5 essential areas of basic cyber security which prevent the majority of cyber attacks. With certification costs starting at just £300 per year, it is a very effective and economic scheme for any business to achieve. It also provides £25,000 of cyber insurance should the worst happen.

Cyber Assurance is the next step up, designed and run by the same people who run the Cyber Essentials scheme. Cyber Assurance builds on Cyber Essentials to expand the scope to include data protection and GDPR, business continuity, asset and people management, and how to respond to and manage security incidents. This is useful to demonstrate a wider level of cyber security and resilience to problems, and uniquely it is one of the few ways to get a certificate that demonstrates GDPR and data protection compliance for your business. Self-assessment starts at £300 per year, whereas an audited level two assessment starts at £1400 per year, depending on the size and complexity of the organisation.

ISO 27001 is the internationally recognised gold standard for information security and is widely accepted and requested by larger clients and public sector organisations. Provided the certificate is issued by a UKAS accredited audit firm and the scope includes the whole business, it provides the ultimate assurance for clients and stakeholders that your business is operating and being managed securely.

External Help

Another way to demonstrate you take cyber security seriously is to rely on outside professionals, either for ongoing advice or to fully outsource to someone who can provide managed security-as-a-service or compliance-as-a-service. Someone like Cool Waters, would you believe.

You are experts at running your business, making your products and operating your services, but that does not mean you are experts in cyber security, and why should you be? You may well rely on external help to audit your books, gain certification to ISO standards for quality and environmental impact, manage HR problems, motivate your sales team, generate sales leads or run your marketing. By working with a cyber security consultancy you will be able to tap into wider and deeper experience than you are likely to be able to recruit (or afford to retain) as permanent members of staff.

Our Managed Cyber Team service is a great example of this, providing an end-to-end managed cyber and information security service which looks after everything from the desktop to the cloud, leaving you free to focus on running your business and your clients impressed that you are punching above your weight in the security stakes and can be trusted with their most precious commodity: their data.

To chat more about any of these topics, arrange an initial informal chat with our team here: https://www.cool-waters.co.uk/lets-talk
