Business Growth Strategies For CEOs: Top CMOs On Marketing Strategy Implementations

Go-to-Market Security Issues Every SMB CEO or Sales/Marketing Exec Needs to Prevent

Written by The Chief Outsider | Tue, Oct 8, 2019

Five Key Areas You Must Proactively Manage

Mark Coronna, Area Managing Partner & CMO, Chief Outsiders
with Mark Sheehan, Principal & CIO/CISO, Stowell Solutions Group

This article is a practical guide to being proactive in preventing security issues in your go-to-market (Sales and Marketing) programs and operations. There are many services to use once you have an issue, but in this article, we are offering a checklist of things to do to help reduce your risk of significant incidents that could damage your brand, reputation, revenue, and business valuation. We think it’s better to be proactive than to have to react to security events.

We are focusing on Sales and Marketing because security issues with your customers, products, and services will be highly visible and are likely to cause the most damage to your brand and to your business. Data breaches of your customer files or security issues with your products or services can put you out of business fast; and, if they don’t put you out of business, it will take a long time for your business to recover. You may already be experiencing customers who are asking for information about your cyber defenses as they pertain to either a product, service, or your company as a whole. 

This article is directed to small- and mid-sized businesses (SMBs) for several reasons:

  • SMBs are particularly vulnerable because your tech infrastructure is likely less developed and less secure than that of your larger counterparts.
  • SMBs are reportedly hacked more often by foreign agents who will tap into your servers to support their activities inside the U.S. Per the 2019 Verizon Data Breach Report, 43% of breaches involved SMBs.
  • SMBs have a difficult time hiring and retaining IT execs with the deep technical expertise needed. There’s such strong demand for security-smart CIOs or Chief Information Security Officers (CISOs) that SMBs have little ability to compete for the talent required to protect your operations.
  • The impact to SMBs can be greater than that to larger businesses given the scope and scale of your customer relationships. A cyber incident could lead to immediate loss of customers and revenue. Loss of customers and revenue will also negatively impact the value of your business.

When we talk about go-to-market security, we are referencing all the people, processes, and technology platforms that your business may use for Sales and Marketing activities. Security is not just a tech issue. Your people, and the processes which they follow (or do not follow), can have as much of a negative impact on your business as a failure to protect your technology platforms.

Here’s a list of some of the top risks to consider and for you to proactively manage. For each area, we’ll provide a mini-case study as well as recommendations for what you can do now to decrease your exposure. These examples come from real clients with whom we have worked.

Five Key Areas for You to Proactively Address

1. Customer data is resident on sales people’s PCs, not backed up, and without corporate governance.

You’re going to say: that never happens. But it does—more often than you might believe. Situations where you'll find customer data held remotely are common in SMBs without an implemented and enforced Customer Relationship Management (CRM) system, and in SMBs without well-developed sales processes, policies, and controls.

Here’s a nightmare scenario: your best salesperson leaves your business, copies customer files off their PC on the way out and goes to work for your major competitor. Not only have you lost a high-performer, your competitor gained one—along with all the customer data they absconded with. If the word “absconded” is too highfalutin, let’s just say they stole it!

What can you do to prevent this from happening?
  • Adopt a CRM platform, and insist that everyone uses it for prospect and customer data management. The way to enforce this is simple: write it into every employee’s Condition of Employment and pay salespeople on closed deals only when you see the activity in your CRM. No CRM activity, no commission.
  • Force daily backups of everyone’s PC to a corporate server.
  • Monitor large data downloads.
  • Develop policies where user access is controlled, monitored and proactively managed, especially in the event of a departure. Focus on your most important systems and data sets.

2. Customer data is stolen from your internal systems.

Data breaches occur every day, and maybe we are becoming numb to the scope of these breaches. After all, what’s 1,000 records stolen versus 100 million? But for you, it’s not a numbers game. Any breach will make your customers and business partners (and maybe your bank) think twice about continuing to do business with you.

Here’s a nightmare scenario: After all the years you have invested in acquiring and retaining customers, they lose trust in your ability to protect their data and they leave. Since trust is built over time, you won’t be able to restore it quickly.

What can you do to prevent this from happening?

  • Educate your employees on security best practices. People are the main source of hacks and are also a main form of protection. Make sure you educate and arm your staff to be your best line of defense.
  • Understand your most critical data assets and systems and focus your protection efforts on those. Prioritize systems which are the most important to your business.
  • Evaluate all your platforms for security features when you are selecting vendors.
  • Ensure all your systems have all the latest security patches applied and do this at least every week if you need to.
  • Consider use of software-as-a-service (SaaS) tech architectures to let the experts who host applications in the cloud for a living take on this responsibility for you. But make sure you evaluate their security posture and capabilities.

3. Your business becomes the poster child for privacy violations.

If you don’t have strong controls and policies for how and when to use customer data, you could be in the spotlight for privacy violations even when you think you are doing your customers a “favor” by exposing them to third-party products or services.

One of us worked for a top 10 bank in the U.S., which allowed third parties to market their products and services to bank customers. This seemed like a great idea because the bank made a commission from third-party sales and after all, the bank was helping customers get access to new innovative products and services. The bank might have thought it was a great business model, but it wasn’t great for bank customers who (1) never gave their permission, or (2) may have given their permission, but forgot they had done it. Public humiliation is bad for your brand.

What could have been done to prevent this from happening?

  • Ensure all your customers know exactly how and when you are going to use their information.
  • Get their pre-approval in writing and ask for it at least once a year. This is especially important if you fall under any U.S. or international laws like the California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR).
  • Bring the innovative products and services into your business and take control of their sales as a distributor would.
  • Understand the privacy requirements that apply to your business and be prepared with controls to protect that data and processes to respond to incidents if they happen (e.g. a breach response plan).

4. Your people and systems become the gateway for someone to hack into your customers’ systems.

We might call this the infamous Target Corp. breach of a few years ago, where one of their suppliers—linked electronically into Target’s systems—allowed a third party to use their systems to hack into Target’s. The supplier was affected but the big prize was getting into Target’s systems. Target’s CIO and CEO lost their jobs, but that’s not the damage. Consumers lost confidence in Target’s security and consumers remember this breach today.

Who can you trust if not a large successful retailer? You don’t want to be the gateway for someone to get into one of your larger customers’ systems and you don’t want your suppliers to expose you, either.

What can you do to prevent this from happening?

  • Understand your customers’ requirements as they relate to data security.  Be a leader and demonstrate your commitment to cyber resiliency. It may be just the differentiator you need!
  • Assess your systems for cyber security vulnerabilities and weaknesses. Ensure anything touching your customer that might be at risk now is protected in the near future. This could mean a host of things: locking down access to systems, patching systems, proactively testing those systems to make sure they can’t be hacked. Use cyber security professionals to help you understand, assess, and prioritize. 
  • Stay informed about the latest cyber risks, especially in your industry. This type of “threat intel” can empower you and your leadership team to stay vigilant and prepared to better protect your go-to-market assets and strategies.

5. Your internal staff collude to commit fraud.

You may not think your employees are either capable or nasty enough to defraud you, but it happens. One of us took on the responsibility for a new sales force, which included one salesperson who was “tops” for many, many years. This guy never missed the President’s Club award trip. Flying home after a sales meeting (where he was anything but professional, planful, or visibly competent), this “top salesperson” mentioned that he works out twice a day (morning and lunchtime). I thought: “who has time for that?”

An independent audit of the guy’s sales revealed that he had an accomplice in the billing department, who managed to send each of his customer invoices multiple times and never processed a credit for any of this guy’s customers. Top salesperson? No way.

What can you do to prevent this from happening?

  • Ensure you have clear job accountabilities and instill a culture of integrity and trust.
  • Consider more frequent internal audits of key controls and users’ data access.
  • Be aware of behavior which doesn’t seem to “add up,” like a top salesperson who works out twice a day—can he/she really be that productive? Look for these red flags and have policies to act when they are identified.
  • Work with Legal, HR and IT to develop an Insider Threat Program to identify the data that is most important and the employee categories and behaviors that might be an early indicator of threats. 

Bottom Line

Go-to-Market assets and processes are among the most critical to any business. No matter the size of the business, threats to these assets are real. We greatly admire SMB executives. You have the challenge of competing with larger players that have more resources. You and your larger competitors all have technology challenges. But if you implement a few key things, you can greatly reduce the risk and the negative impact to your business. We hope this article has given you practical ideas for leveling the playing field.