This article was originally written in French and then translated with tools. The translation should be on point, but please forgive us if some parts are not perfect.
Anything to do with risk management is often seen as an expense for a company. Indeed, unlike an investment in business development or marketing tools, most entrepreneurs fail to see the impact that an investment in cybersecurity can have on their business development.
However, with the right approach, carrying out a penetration test, for example, can become a major asset in acquiring new customers. In this article, we’ll show you how to get a return on your investment by carrying out a penetration test on your product.
If you’re developing an app, chances are you’ll need investment to finance the development of your business and to scale. You’ve no doubt spent many hours drawing up your business plan, making the case for your company’s great potential, and your market research proves that your product has a large pool of buyers. Your company is a great business opportunity for investors, good job!
One aspect often overlooked by startups is the level of security of their product. Some entrepreneurs have been caught out during due diligence and even lost investors, because they couldn’t prove that their application was secure.
If we’re talking about a SaaS product, it’s available on the Internet. It needs to be available at all times, it needs to protect its customers’ information, and the information it holds must not be tampered with (like changing a price from $1,000 to $1, for example). Imagine if your e-commerce platform were hacked on Black Friday? The lost sales would be a major blow to your finances. Or say you’ve developed an application for recruitment professionals to help them manage job applications: imagine if all those people’s personal details were stolen?
The impact of poor product security can be devastating for your business. Investors know this, and they want guarantees. Carrying out a penetration test will enable you to identify the security flaws in your product, and thus correct them. Even if everything isn’t perfect, taking this aspect seriously and showing a good level of maturity will reassure investors and help you to convince them. They know that your financial capacity at this stage won’t necessarily allow you to deliver a fully hardened application. It’s quite possible that investors will be willing to help you finance security work later on. It’s a win-win situation.
More concretely, if investing between $7,500 and $20,000 (average price for penetration testing of a complex application) enables you to receive several hundred thousand in investment, the ROI is excellent.
The reasons why it’s important to secure your product remain the same as explained in the last section; we won’t make you read the same thing twice 🙂
The stakes are a little different, however. You’re not trying to convince someone that your business is a good investment, but you have to prove to potential customers that doing business with you isn’t a high risk.
Major corporations and government organizations have put in place extensive security measures to protect their data and that of their customers. Yet we often see their names in the press in connection with cybersecurity incidents. The adage “there’s no such thing as bad publicity” doesn’t really apply in these situations… This kind of bad press never does companies any good.
In some cases, the big company has nothing to do with the cyber incident, but it’s their name that ends up on the front page.
For some of them, the exercise is an ordeal for small businesses, as they require mandatory security certifications such as SOC 2 Type II or ISO 27001. Obtaining these certifications is a complex and costly exercise. If your business model relies on acquiring this type of customer, we advise you to look at the requirements for these certifications and start ticking the boxes quickly. Given the time and financial investment required, it can easily take more than a year.
There are also more specific certifications; for example, the MSSS (Ministère de la Santé et des Services Sociaux) has introduced the TGV standard, a cybersecurity certification required in many cases to do business with them.
In other cases, the requirements are less structured, but you will still have to meet a large number of security criteria to qualify as a supplier.
By performing penetration tests and monitoring your vulnerabilities on a regular basis, you’ll increase your chances of reaching this clientele. The investment required in cybersecurity may seem substantial, but the value of contracts with these organizations is generally well worth the investment.
You may already be in a mature market, and your competitors may be displaying their cybersecurity certifications on their websites.
However, many markets are still in their early stages regarding cybersecurity, and a large proportion of companies do not yet attach sufficient importance to the security of their products and data. This is where you have a card to play.
Although it’s still a daily battle, people are becoming increasingly aware of security issues. Whether your business is B-to-C or B-to-B, you’ll be interacting with people who want guarantees about the security of their data (and rightly so).
(By the way, challenging your suppliers’ level of security should be part of your procurement practices, but we digress… 😬)
At Yack, we provide you with an executive summary that you can confidently share with your customers. It gives them enough information to be reassured, but we keep the details confidential, of course (sharing the details of your vulnerabilities = bad idea).
There are more cases, of course, but these 3 categories cover most of the arguments for understanding the issues. Generally speaking, the return on investment is really good.
Of course, we haven’t really talked about it, because these aren’t dollars you “earn”, but above all, carrying out this type of test enables you to avoid substantial financial losses: missed revenue, the cost of handling a security incident, legal fees, and in certain cases fines if personal information were to be stolen, etc.
At Yack, we understand that your number 1 priority is to keep your business running. If you recognize yourself in any of these scenarios, come and talk to us. We won’t just hack you (with your permission, of course 🤓 ), we’ll help you choose the right approach and get the best return on investment (ROI).
Peace ✌️
Cyndie & Nicholas