From small business to trusted partner: How to pass cybersecurity checks and win contracts
May 08, 2025
By Rafael Chiang
So, you made it. You’re ready to pitch your product or service to a large company. The value is clear, the conversations are going well, and you're almost at the signing stage... then the deal stalls.
Their compliance or security team jumps in and asks you to complete a vendor assessment as part of their due diligence.
I’ve seen it happen too many times. The business sponsor is excited to bring a new vendor onboard, then everything stops because the vendor can’t get through security due diligence.
Sometimes, the deal’s dead right there. But that doesn't have to be you. In this article, I’ll walk through what this process looks like from the inside, and how you can be better prepared to clear the hurdle.
Why this happens:
As someone who’s responsible for cybersecurity and risk at an enterprise level, my job is to ensure that every vendor we bring into our environment is secure. I’ve assessed small businesses and startups with incredible ideas, but we had to walk away because they couldn’t show basic security controls, even if we genuinely wanted to work with them. That’s because even one weak link in the supply chain can introduce vulnerabilities to the entire organisation.
That scrutiny applies to everyone: from startups to multinational partners. We’re not here to block deals - we’re here to manage risk. But many small businesses hit roadblocks due to how they approach (or don’t approach) security.
Common vendor response mistakes:
- Not responding to the security questionnaire at all. This raises immediate red flags. It suggests that security is either not a priority or not understood, and that’s a risk.
- Using generic liability disclaimers. Statements like “No system is 100% secure. When you use our systems, you do so at your own risk.” don’t help. They may be legally safe, but they are operationally useless. What we want to know is which controls you have in place: not just that you understand risk, but how you're actively managing it.
- Assuming your cloud provider covers everything. Saying “We use Gmail/AWS/Microsoft/Azure, so we’re secure” tells us you haven’t understood the shared responsibility model. Security is a co-owned duty, and we expect you to secure your part of the stack.
What you can do instead:
If you're a small business, don’t wait until you’re mid-deal to think about cybersecurity. A few foundational actions can show us you're serious and responsible. Here’s what makes a good impression:
- Use Multi-Factor Authentication (MFA) across all internal and external systems. Implement a password manager for bonus points.
- Limit personal and sensitive data collection, and clearly explain your data minimisation practices. If you don't need the data, don't keep it.
- Secure endpoints (e.g. laptops, phones) with basic device security management, including a reputable and up-to-date antivirus, timely patching of the operating system and applications, and application control.
- Be ready to describe your incident response process, even if it’s lightweight.
- Demonstrate your data protection practices, including encryption for data in transit and at rest.
- Show a commitment to closing identified security gaps, with clear timelines and ownership. Think of it as an investment that helps you win more business.
- Follow a formal security program like the Australian Cyber Security Centre Essential Eight, which offers a practical baseline to defend against common threats. Even implementing a few of the controls, like patching, restricting admin access, and enforcing MFA, will lift your security maturity.
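A practical way to prepare for the questionnaire is to keep your own system inventory and control register and check them against the baseline above before an assessor does. The script below is an added example, not code from the article or its author: it walks a constructed inventory of four hypothetical systems and a hypothetical control register, lists which systems lack MFA, which are behind on patching, and where admin rights have spread, and turns the open controls into the owner-and-date remediation plan assessors ask for. The 30-day patch window and the two-admin threshold are illustrative assumptions, not Essential Eight figures.

```python
"""Vendor self-assessment helper (added example; all names and thresholds are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assessment date used throughout the sample; constructed.
AS_OF = date(2025, 5, 8)


@dataclass
class System:
    """One entry in the vendor's own inventory (constructed sample data below)."""
    name: str
    exposure: str              # "internal" or "external"
    mfa_enforced: bool
    last_patched: Optional[date]
    admin_count: int           # accounts holding admin rights on this system


@dataclass
class Control:
    """A baseline control and, if it is not yet in place, who will close it and by when."""
    name: str
    implemented: bool
    owner: str = ""
    target_date: Optional[date] = None


def mfa_gaps(systems):
    """Systems, internal or external, where MFA is not enforced."""
    return sorted(s.name for s in systems if not s.mfa_enforced)


def patch_gaps(systems, as_of, max_age_days=30):
    """Systems never patched, or patched longer ago than max_age_days (assumed window)."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(s.name for s in systems
                  if s.last_patched is None or s.last_patched < cutoff)


def admin_sprawl(systems, max_admins=2):
    """Systems where more than max_admins accounts hold admin rights (assumed threshold)."""
    return sorted(s.name for s in systems if s.admin_count > max_admins)


def remediation_plan(controls, as_of):
    """Open control gaps; a gap without an owner and a target date is 'unplanned'."""
    plan = []
    for c in controls:
        if c.implemented:
            continue
        planned = bool(c.owner) and c.target_date is not None
        overdue = planned and c.target_date < as_of
        status = "overdue" if overdue else ("planned" if planned else "unplanned")
        plan.append({"control": c.name, "owner": c.owner or None,
                     "target_date": c.target_date.isoformat() if c.target_date else None,
                     "status": status})
    return plan


def assessment_summary(systems, controls, as_of):
    """Combine the technical checks and the control register into one review-ready view."""
    plan = remediation_plan(controls, as_of)
    findings = {
        "mfa_missing": mfa_gaps(systems),
        "patching_stale": patch_gaps(systems, as_of),
        "admin_sprawl": admin_sprawl(systems),
        "remediation": plan,
    }
    # Ready to present only when MFA and patching show no gaps and every open
    # control already has an owner and a future date.
    findings["ready_for_review"] = (not findings["mfa_missing"]
                                    and not findings["patching_stale"]
                                    and all(p["status"] == "planned" for p in plan))
    return findings


# Constructed sample inventory and control register (hypothetical vendor).
SAMPLE_SYSTEMS = [
    System("crm-saas", "external", True, date(2025, 4, 28), 1),
    System("build-server", "internal", False, date(2025, 2, 10), 5),
    System("customer-api", "external", True, None, 2),
    System("wiki", "internal", False, date(2025, 5, 1), 1),
]
SAMPLE_CONTROLS = [
    Control("MFA on all systems", False, "IT lead", date(2025, 6, 30)),
    Control("Password manager rolled out", True),
    Control("Encryption at rest for customer data", False),
    Control("Documented incident response process", False, "CTO", date(2025, 4, 15)),
]

if __name__ == "__main__":
    summary = assessment_summary(SAMPLE_SYSTEMS, SAMPLE_CONTROLS, AS_OF)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against your real inventory, the output is the evidence list to attach to the questionnaire: each system without MFA, each stale host, and each open control with a named owner and date. An "unplanned" or "overdue" entry is exactly what an assessor will ask about, so resolve those before submitting.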
Small businesses bring agility, innovation, and grit. But trust and security must come with it. If you can show you take security seriously (even with limited resources) you’ll not only get through vendor assessments, you’ll earn long-term trust. Start with one improvement this week.
Let us know what improvement you're going to commit to making this week in the comments below.
About the author:
Rafael Chiang
Global Head of Information Security | Blockchain | DeFi
Rafael Chiang is an information security strategist with more than 20 years of global experience in the industry. Dedicated to protecting business brand and values and to enabling and supporting business strategies and digital transformation, Rafael works to reduce risk in line with appetite and to increase cyber security capabilities.