At Pensar, we've written a lot about getting secure for your clients. We even built a checklist to help marketing agencies win in bid processes with a solid cyber security strategy. This time, however, we thought we'd play devil's advocate and look at the other side of the coin. Should agencies make clients do cyber security training?

More often than not, when a cyber attack or data breach hits a business, there's a domino effect where an entire network is affected:
When you look at the stats, it's worth thinking about partner-to-partner cyber security and security along your supply chain - which includes vendors, service providers and clients.
While there are articles all over the web urging companies to watch their suppliers and service providers, there's little advice for marketing agencies about the risks their clients pose. But in reality, it's all the same thing.
Marketing agencies - especially digital agencies - often share huge amounts of valuable, sensitive information with clients on a daily basis. You're handing over lots of customer data and intellectual property, not to mention contracts and billing information. If you use open book project management, you might even give clients direct access to your sensitive data.
But in August this year, the BBC reported that more than two-thirds of UK business directors aren't trained to respond to cyber attacks. In the 2017 CyberEdge global report, 90 percent of firms said low staff awareness is the biggest obstacle to secure practice. It's no surprise, then, that human error is the top cause of IT security incidents.
In this sense, clients pose the same risks as any other business partner, or, depending on the amount of access they have, as an insider. If there's a disconnect between security practices, and clients are unaware of threats, then your business is at risk.
If cyber security starts with people, then strategy starts with training. All businesses should build a culture of cyber security. This will keep them protected in the long run, and enable compliance with new regulations like the GDPR. Here are the key things to look for when thinking about client security training:
While you don't want to interrogate or be rude to clients, it's important that you ask questions about their cyber security practices. If they are insecure, it's unlikely to be deliberate, and they will probably thank you for pointing it out.
Each business has the potential to make another vulnerable, so we all owe it to each other to have proper strategy and defense in place. But if you feel a client needs to up their security practices, demanding better training might not be the answer.
If it's a prospective client, you might end up on the wrong foot. And if it's an existing long-term partner, the conversation is always tricky, and you could risk ruining business relationships. Clients may push back and see the training as outside of or unrelated to contractual agreements. Or they might genuinely be upset and think you don't trust them.
Besides, even if you did get them to do a course, as a standalone solution these often lack depth and the human element. People tend to view security as a 'tick box' exercise in this context, and will quickly go back to old ways even with a certificate. If you want cyber security to stick, you need to extend your internal practices to your clients and work as a team.
In a report by the Ponemon Institute, researchers found that many companies are still uncertain about whether third parties have experienced a data breach, or what their security practices are like. But it shouldn't be this way. Businesses should be openly sharing knowledge about cyber security with each other to protect themselves, and each other.
If you're concerned about your clients' practices, the best approach is to start an honest, collaborative dialogue about it. You're both on the same team, after all!