So, you are a small business owner, and are about to land your first big client. Everything is going well, but before they sign the contract, they hand you a cyber security questionnaire. Now the panic sets in. Does this sound familiar?
If you feel like you don’t even know how to begin answering these questions, or if you don’t think you can answer them in a way that satisfies your customer’s cyber security compliance obligations, you are not alone. For many larger businesses, these questionnaires are necessary to meet compliance with existing or new regulations, to satisfy their own due diligence, to meet the requirements of their own cyber security programs, and to meet the requirements of their cyber insurance policies. According to Sonatype, there has been a 430% increase in supply chain attacks in the last year. Couple that with the supply chain attacks that have made the news, like the SolarWinds breach, and you can expect that these types of questionnaires won’t be going away anytime soon.
So, how should your organization handle the cyber security questionnaire? Before you answer, there are a few things to consider:
- Your client’s needs
- The data you will share
- Is the questionnaire relevant?
- Are there alternatives to the questionnaire?
It is important to make sure that, first and foremost, your answers to the questionnaire are addressing your client’s needs. You also need to make sure that you can actually share the data that is being asked of you. You don’t want to put your own security, or the security of your other clients, at risk. Always question if the information they are asking for is necessary; in many cases, they may have a blanket questionnaire for all vendors that might not be relevant to your business.
Once you have determined that you can answer the questionnaire, you can begin thinking about who in your organization is best equipped to answer the questions. In some cases, staff from more than one department may be involved. When it comes to addressing any concerns with your own cyber security protocols, your answers should take into account the following:
- Any current or previous cyber security assessments
- How you plan to remediate any current gaps in your cyber security planning
- How your cyber security plan puts you in compliance with various regulations
A cyber security assessment provides insight into what your organization is doing well in terms of cyber security and where your business needs to improve. Being able to demonstrate that you are taking measures to improve your organization’s cyber security, like following the NIST Cybersecurity Framework, shows that your business takes its cyber security seriously.
If your organization hasn’t done a cyber security assessment in a long while, or if you are unsure where to begin with answering the cyber security questionnaire, Quick Intelligence can help you. Our cyber security specialists can help you not only with answering cyber security questionnaires but also with addressing any gaps in your own cyber security posture. In addition to improving your own cyber security, addressing these gaps can help you close more future business. Contact us now to learn more.