How much info is too much? (Part 1)

For any business, more so for small businesses, there is a need to demonstrate credibility when bidding for projects, but how much information is too much information? When should information be provided, if at all. To what extent can the supply chain process become victim to sophisticated social engineering attacks and what are the key signs to watch out for while attempting to win projects with new clients. This is the first in a series of blogs aimed at exploring these issues. They are born out of some strange and unexpected questions which if answered would undoubtedly demonstrate a lack of credibility.

When a business or individual has requirements that need fulfilling, and they approach a supplier, individual or service provider for help, asking for what they want is the key step. Often what people want and what they need are different, but that is not relevant here. The enquiry will be followed with a response about what can be offered to fulfil requirements. This sounds obvious, but this is far from what happens in Information Technology, and requests for information during the procurement process are often suspicious.

If you were to walk into a shop and ask for something, typically you would expect a member of staff to show you what they could offer you. In more complex scenarios where you had a problem but were not sure what you needed, it may involve some discussion, but would also result in being shown what was available to help. If you were to approach a solicitor for advice on dealing with an issue, the same would apply; the discussion would flow based on what you need and the problems that you have.

It would not be expected that someone approaching a solicitor would ask about issues with previous customers. It would seem perverse to need a solicitor for a divorce and to be asking questions about previous divorces dealt with by the firm. If by chance such questions were asked, a solicitor would be unlikely to answer. The matter would be private and confidential, and to discuss it would be very unprofessional. With the shop scenario, someone in a shop asking who had previously bought a product or service would be equally nonsensical.

Closer to IT security, consider for a second that you sell and install burglar alarms and offer a monitoring service and a customer wants to buy your services. You would expect discussion to include size of house, number of rooms and other factors to determine the best level of security required. What would not be expected is for the customer to ask who previously bought security systems, where they live, when they were installed and what response times they were historically able to achieve.

These examples when presented this way sound rather peculiar, but in actual fact these are reasonable analogies of what happens in the IT sector. Although much of the IT services provided would not be a problem, IT security is an obvious sector where discretion and client confidentiality are a matter of significant importance.

  • Clients ask for a non-disclosure agreement (NDA) to be signed because they don’t want information about them or their projects to be disclosed to anyone outside of the project or company
  • Beyond the issue of a discussion breaching a signed NDA, discussing previous clients with new clients or potential new clients is unprofessional, not to mention being in breach of a fiduciary duty
  • The very notion that in Information Technology, the details of past clients’ projects must be disclosed in detail to demonstrate credibility is so prevalent that IT professionals are an obvious target
  • Businesses and individuals will feel compelled to answer questions (which should not even be asked) in an unreasonable level of detail, for fear that not doing so might exclude them completely from an opportunity
  • Information can be gathered from different sources to build profiles of client systems and team structures in preparation for attack

Here is a thought for consideration: ‘You could ask for detailed information about a past project, and we could tell you, but then you would never be able to trust us with anything confidential, knowing that in the future someone else might ask us about your project, and we could tell them’.

The point is simple, discussing past clients and projects is unprofessional, unethical, and successfully demonstrates a complete lack of integrity and credibility. This is more true than ever about cyber security related matters.