By Bindu Sundaresan, Strategic Security Solutions Lead at AT&T
Data security breaches suffered by big, high-profile companies earn the most attention, and rightfully so, but the reality is that even the smallest companies and vendors fall victim to cyber-attacks.
Many hackers see smaller companies as weak links and the entry point to gain access to their larger clients, or an easy access point to get valuable credit card information, social security numbers, or other private information. In fact, a study from BitSight Technologies found that one-third of all retail breaches were caused by third party security failures, indicating that some smaller companies or vendors may have been a conduit to access larger retail companies. 
Organizations that contract with smaller firms are putting security front and center. The current threat landscape has forced enterprises to see to it that their vendors have suitable security policies, procedures, staffing and safeguards in place.
For smaller companies aiming to earn big contracts, this can pose a serious problem. As a result, your approach to these issues can mean the difference between closing and losing a deal.
As a supplier, making your customers comfortable around your own security posture should be a priority. While it is unreasonable to suggest your operations are immune to attack, gaining their confidence is possible through appropriate preparation.
For small businesses and third-party suppliers looking to enhance their security capabilities and foresight, and convert potential customers into collaborators, we suggest following a four-step approach.
Anticipate your customers’ questions.
When looking to contract with a third party, companies will ask a number of questions to determine if the risk associated with outsourcing a service is greater than performing the task in-house. They will also want to know if, and how, business security goals are aligned. Anticipating possible questions, and being prepared to answer them, can help facilitate the selection process and put your customer’s mind at ease.
There are standard questions all companies should be able to answer without hesitation. What are your business goals? How long have you been in business? Do you conduct background checks? What is your view on security? Do you have an incident response plan in place? How soon will a breach be reported in the event of an attack?
Preparing and rehearsing your answers to these types of questions will allow you to better position your business as a stable, service provider that pays attention to security. Your responses should also go beyond simple answers.
Have proper documentation on hand.
Unfortunately, successfully answering your customer’s questions isn’t always enough to win over their business. Companies will expect to see the results, and proof of nearly every answer, in documented form.
If your HR policy includes background checks, be ready to pull up the most recent inquiries. If you provide security awareness training for your employees, keep a copy of the training module on hand.
Businesses should be proactive in providing documentation and always ready to supply a copy of their security policy and incident response plan. Delays in sharing paperwork or denying access to certain documents may raise red flags to potential collaborators.
Offer to develop custom contracts.
Contracts are the foundation for any business relationship. When customers review contracts from a security standpoint, they want to be sure that the contract reflects their own security standards. If industry standards and regulatory compliance (e.g. ISO, PCI, HIPAA etc.) are requirements for your potential collaborator, these data security requirements may be subject to negotiation and could extend to your business.
Companies may request authorization for their organization to conduct regular audits or assessments, and define appropriate timelines for breach notification. It’s also common for companies to consider how contracts and data will be handled – even after the relationship dissolves.
Participate in real-time monitoring and assessment programs.
If accessing valuable customer data and sensitive information are a part of your business operations, potential collaborators may request onsite assessments, regular audits or real-time monitoring as part of their risk management program.
Being open to site visits once a year or participating in streamlined audits will signal that security is a priority for your enterprise. We encourage all businesses to communicate expectations regarding cybersecurity ahead of time, and to establish assessment programs based on trust and verification.
Following this four-step approach can help set the stage for successful business relationships in a world where cybersecurity attacks are increasing in both the number and sophistication. Effective preparation will go a long way in helping you position your business as a service provider focused on security, gain your customers’ confidence and help them avoid the reputational damage of a cybersecurity breach.
Bindu Sundaresan, Strategic Security Solutions Lead at AT&T, describes her role at AT&T as a “security professional”. The issues on Sundaresan’s radar are security and mobility, security and cloud computing, and how these topics relate to industry verticals like healthcare, retail, financial services and government entities.