Businesses often need to demonstrate credibility when bidding for projects, but how much information is too much information? When should the information be provided, if at all? To what extent can the supply chain process become victim to sophisticated social engineering attacks and what are the key signs to watch for while attempting to win projects with new clients. This article is the first in a series of blogs aimed at exploring these issues. They are born out of some strange and unexpected questions which if answered, would undoubtedly demonstrate a lack of credibility.
When a business or individual has requirements that need fulfilling, and they approach a supplier, individual or service provider for help, asking for what they want is the crucial step. If you were to walk into a shop and ask for something, typically you would expect a member of staff to show you what they could offer you. In more complex scenarios where you had a problem but were not sure what you needed, it may involve some discussion but would also result in being shown what was available to help. If you were to approach a solicitor for advice on dealing with an issue, the same would apply; the discussion would flow based on what you need and the problems that you have. This example may sound obvious, but this is far from what happens in information technology, and requests for information during the procurement process are often suspicious.
We would not expect someone to approach a solicitor and ask about issues with previous customers. It would seem perverse to need a solicitor for a divorce and to ask questions about previous divorces. If we did ask such a question, a solicitor would be unlikely to answer. The matter would be private and confidential, and to discuss it would be very unprofessional. With the shop scenario, someone in a shop asking who had previously bought a product or service would be equally nonsensical.
Closer to IT security, consider for a second that you sell and install burglar alarms and offer a monitoring service, and a customer wants to buy your services. You would expect the discussion to include the size of the house, the number of rooms and other factors to determine the best level of security required. What you would not expect is for the customer to ask who previously bought your security systems, where you installed the alarms and your response times.
These examples when presented this way sound rather peculiar, but in fact, these are reasonable analogies of what happens in the IT sector. Although much of the IT services provided would not be a problem, IT security is a sector where discretion and client confidentiality are a matter of significant importance.
- Clients ask for a non-disclosure agreement (NDA) to be signed because they don’t want information about them or their projects to be disclosed
- Beyond the issue of a discussion breaching a signed NDA, discussing previous clients with new clients or potential new clients is unprofessional, not to mention being in breach of a fiduciary duty
- The very notion that in Information Technology, that suppliers and consultants disclose details of past clients’ projects to demonstrate credibility is so prevalent that IT professionals are an obvious target
- Businesses and individuals will feel compelled to answer questions at an unreasonable level of detail, for fear that not doing so might exclude them entirely from an opportunity
- Hackers often gather information from different sources to build profiles of an organisation’s systems and team structures in preparation for an attack
Here is a thought for consideration: You could ask for detailed information about a past project, and we could tell you. You would never be able to trust us with anything confidential, knowing that in the future, someone might ask us about your project, and we might discuss it.
The point is simple, discussing past clients and projects is unprofessional, unethical, and successfully demonstrates a complete lack of integrity and credibility; event more important about security-related matters.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.