Demonstrating security measures is a useful marketing tool
Stand out as the supplier of choice by demonstrating the cyber security measures you have in place.
Make it easy to find the level of security measures in place and enable your organisation to stand out from the competition. Cyber security compliance then becomes another marketing tool rather than another task. Displaying the level of security measures you have in place on your website can enhance your position as a trusted supplier.
Implementing the government backed Cyber Essentials or Cyber Essentials Plus, ISO 27001:2013, PCI DSS Compliance and having regular penetration tests (or a combination of these) makes it easier for potential customers to see you as a trusted supplier.
A powerful marketing tool
This becomes a very powerful marketing tool for your business when guidance from the ICO for data controllers is to ‘choose a data processor that provides sufficient guarantees about its security measures’
This is even more important when breaches such as the Typeform breach in July 2018, can affect multiple data controllers. In this particular case Travelodge, Fortnum and Mason, the Liberal Party, and Monzo were among some of the organisations affected.
Providing sufficient guarantees
The ICO’s guidance What do we do when a data processor is involved? states the following:
- you must choose a data processor that provides sufficient guarantees about its security measures;
- your written contract must stipulate that the processor takes all measures required under Article 32 – basically, the contract has to require the processor to undertake the same security measures that you would have to take if you were doing the processing yourself; and
- you should ensure that your contract includes a requirement that the processor makes available all information necessary to demonstrate compliance. This may include allowing for you to audit and inspect the processor, either yourself or an authorised third party.
Further to this, the ICO guidance includes a checklist to use when assessing security, these include using approved frameworks and certification schemes as follows:
- We have put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
- Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.
- We ensure that any data processor we use also implements appropriate technical and organisational measures.
To demonstrate due diligence on the security measures in place, data controllers have been asking many of their processors to complete third party questionnaires. This helps them understand what security measures have been imlemented. Interestingly, many of these questions align to ISO 27001:2013 and a large number of organisations have decided to follow this route.
Make it easy to choose you as a data processor
As a Software as a Service Company (SAAS), acting as a processor for numerous controllers, vague statements such as ‘we have put in place appropriate security measures’ do not help to determine how robust these measures are. The MOD, to secure its supply chain, has mandated that Cyber Essential or Cyber Essentials Plus are required as a minimum standard, which also applies to other sensitive Government contracts. If you want to work with the MOD you need to have these security measures in place as a minimum, and be able to demonstrate it.
A data processor that “provides sufficient guarantees about its security measures” and details this on their website may have a higher chance of being selected from those that don’t, and this helps to raise their profile as a trustworthy supplier.
Cyber security compliance is increasingly becoming a strong marketing tool in our digital age as the new General Data Protection Regulations shape how we seek out new data processors.