Cyber Security becomes a dealbreaker in winning Government and Private Sector Contracts. What do businesses need to do to win contracts?
An increasing trend both in New Zealand and internationally is the growing presence of cyber security questionnaires in RFP, RFT and tender documentation. Five years ago, you would rarely come across a Cyber questionnaire. These days, it is almost a standard inclusion and it has recently become a dealbreaker with Cyber Insurance becoming a mandatory–criteria in many contracts. So how do you go about responding to a Cyber Security Questionnaire?
Develop a quality BCP Plan
One of the first steps in the process is to develop a quality business continuity plan. The Covid 19 pandemic has reminded us of the importance of these. Your IT Recovery protocols will be built into your business continuity and disaster recovery plan. Take the process seriously and undertake a comprehensive review of your servers, back-up servers and cloud solutions if any.
Use the questions as a guide for what the clients wants
Most of the time the client has a set of standards and expectations which they expect you to meet. They may not state these outright, however, the questions they ask provide a good guide. It’s important to take the hint – and put in place what they want to here. For example, they may ask if you have a server in your offices and if there is 24/7 security in your offices. They may also ask for the security processes in place for entering your server room and who has access. Even if you don’t have any of this in place, it’s important to put it in place and answer yes to these questions. Where there is a 3 month or so lapse between the contract award date and the implementation, you can undertake to put the measures in place prior to the commencement of services.
Communicate with your suppliers and leverage on their expertise
For companies with limited access to IT knowledge and resources, your IT consultant and product suppliers can be a valuable resource. Most of their internal tech personnel have experience responding to cyber questionnaire and can provide assistance. In addition, where cyber questionnaires ask you to advise of the ‘security levels’ of your servers or systems, it’s important to note, that they generally don’t refer to your internal systems, but those of your cloud service providers. Take for example, a small law firm bidding for a government contract who uses AWS for their data storage in the cloud. You will leverage on the security certifications of AWS in your response – not your internal security.
Upgrade your systems and processes where appropriate
Depending on the size of the contract and opportunity, companies may need to upgrade their systems and levels of security. This may often be a costly process, and one that you may not want to invest in unless you are successful in the tender response. There are two ways around this issue. The first is to commit to undertaking the upgrades in the response, and explain that these are in process and will be completed prior to the completion of the implementation period. The second is to confirm you have these in place and make provisions for these to be in place. You will then implement them upon contract award.
Make the link between data security and privacy
In any response, and in light of the European Union’s strict privacy laws, its important to talk about how personal information will be processed and where it will be stored. This needs to be explicitly detailed in any response. In addition, demonstrating an internal process for information classification (for example, unclassified, office use only, and sensitive) will further reinforce exemplary approach to private information.
Monitoring System Use
Your responses to Cyber Security related questions need to clearly articulate who will be using the system and where client data will be stored and process. Most organisations prefer you to store data in the country in which they operate or at least the region. For example, storing data through the cloud in a data centre in Thessaloniki for a company based in Athens is generally fine, however, storing data in Asia is generally not preferred.
Credibility through audits
Robust penetration and comprehensive audits are critical to maintaining the integrity of any IT systems. It’s important that the comprehensiveness of these are detailed in your response to any cyber related questions in your tender. Inviting and allowing the client to audit and test your systems that will contain their data is a great way to express and demonstrate your confidence in you system and processes.
Human resources security
Sometimes we have a substantial focus on the IT side of data security we neglect to focus on the human resources aspect of it. When detailing your cyber security processes in a tender response, it’s important to talk about the through vetting processes you have in place for personnel. Criminal record checks, government checks, and thorough background checks are critical.
In addition to your internal incident management process, it is important to detail your communication processes in place in the case of an incident to your client. You will need to cover items such as how the client will be notified, when the client will be notified, and who else would be notified.
So how can IT consultancies capitalize on the growing Cyber threat?
IT consultancies are in a unique position to capitalize on the growing threat of cyber attacks, particularly on small and medium sized businesses. The beauty of tenders is that they have a deadline, and most companies will want to comply with the requirements as part of their tender.
This is a compelling sales opportunity where you can generate the lead, and provide complimentary assistance with responding to cyber and other security related questions in the tender response with the view to ultimately providing the services or immediately putting them in place.