Can an RFP put your company at risk?

… it might…

When you put out an RFP, Bad Actors can see it.

It’s almost an invitation to them to find all the holes in your systems before the experts come in and plug them.

This isn’t hyperbole.

I’ve seen a Cybersecurity RFP go public, be cancelled, and exactly 6 days after the Public Notice of Cancellation went out, the organization was hit by a cyber attack that crippled it for over a month.

This was May of 2024. It took 6 weeks before they could even cut checks again because their systems were down. Can your business survive without paying employees and vendors for 6 weeks?

What if all of your websites were down across the entire umbrella of organizations?

I am not a big believer in coincidence. Could Bad Actors build a web crawler that looks for open cybersecurity RFPs?

Of course!

Was that what happened here?

Well, unfortunately I can’t interview the Bad Actors who carried this out, but I must assume something similar happened. The universe doesn’t have that well-developed a sense of humor.

So what can you do?

Well, most people who issue RFPs are required to for legal reasons… so the first answer, simply NOT doing them, is off the table.

But if you CAN avoid the Public RFP process…

1-Attend conferences. Your corporation might pay for your travel, or, as a business/IT leader, some conferences will pay for you to attend. Speak with vendors and find out what is best for you. Shop the vendors and hold a "private RFP" by working with 2 or 3 that look to be best in class.
2-Ask for referrals. Talk to your friends in the industry; chances are they have the same problems and can recommend solutions/vendors.
3-Post on LinkedIn. Yes, you will get bombarded with vendors… but isn’t that what you’re trying to do?

If you ARE required to do the Public RFP process…

  • Keep descriptions as general as possible until you are under NDAs with potential vendors.
  • Communicate with vendors in a secure way (potentially with encryption) about the specifics of what you are trying to accomplish.
  • Review internal security, training, and protocols with your team. For example, make sure no one clicks an outbound link to "review a potential vendor" from a shady-looking email domain.

Good luck out there!