Friday, May 24, 2024

Breaches Happen: It’s Time to Stop Playing the Blame Game and Start Learning Together


Breaches happen to everyone, even organizations with strong security. Encouraging open and honest communication about security incidents improves everyone's security posture.

What do you do after a vendor or partner suffers a breach? Once your heart stops skipping beats, that is the question most of us end up asking.

As a recent study indicates, over half of organizations have been victims of a third-party breach over the past two years. Unfortunately, the overwhelming reaction to such an incident is to ostracize the victim. Up to 83% of consumers admit that they pause or end their spending with an organization after an incident. While understandable, that reaction misses the opportunity the industry has to learn and grow together after details of an incident become available. 

Breaches continue to happen, even at organizations with a commercially reasonable security program. No one is impenetrable. One key aspect to consider when evaluating potential partners and vendors is whether they can respond effectively to a security incident, and whether they are willing to be transparent when one occurs.

Punishing a partner or vendor for suffering a breach only incentivizes organizations to cover up their security incidents. Instead, today’s businesses must foster an environment of understanding, transparency, and information sharing. Embracing these values will help bolster security practices across the economic landscape. 

The shift away from blame

The shift toward understanding is already happening at the employee level. Increasingly, employees are no longer automatically vilified for accidentally clicking a phishing link or responding to a spoofed email. Security professionals understand that tactics like phishing are a numbers game: if attackers target enough people, the odds are good that someone will eventually take the bait. Phishing attacks are only getting craftier and more believable. It is only natural to acknowledge the role that human trust, and human error, play in our risk landscape.

If an employee who lives in fear of punishment or reprisal accidentally clicks a phishing link, that employee may do everything possible to cover it up and pretend it never happened. A business that instead encourages (and even celebrates) self-reporting of those errors, and greets them with understanding, will find that employees are far more willing to acknowledge a mistake and learn from it.

This does not eliminate the need to train employees to recognize attacks. It acknowledges that the sooner an organization knows about a potential compromise, the sooner it can contain it. IBM's 2023 Cost of a Data Breach Report found that early detection is one of the most important factors limiting the impact of a breach. Combined with technology that stops phishing emails from reaching employee inboxes in the first place, a culture of prompt self-reporting can make a real difference.

Understanding at scale

While businesses have found success applying those policies to individuals, they have not generally extended the same posture to partners, vendors, and other third parties. A breach can happen to any organization, including one that has taken all commercially reasonable precautions, and confirming that those precautions have been taken should be a standard part of any business's vetting process. Jettisoning a good and reliable partner because of an attack may ultimately introduce more risk, including operational disruption.

Of course, it is important to distinguish a business that unexpectedly suffers a breach from one that engages in an ongoing pattern of risky or negligent behavior, or that actively seeks to cover up or retract details of a breach. The advent of compliance frameworks, security questionnaires and benchmarks, and more well-rounded security programs has made assessing a potential partner's breach readiness much easier.

If a breach does occur, it is equally important to know what happened and how it was handled. How a business communicates about cyber incidents plays a key part in assessing and maintaining trust within the relationship.

Just as employees are now encouraged to self-report potential issues, encouraging businesses to be upfront about their incidents would not only make it easier to assess a partner's security capabilities; it would also lessen the impact of future breaches. The more information security teams have about attackers' tactics, techniques and procedures (TTPs), the better their odds of detecting, recognizing and remediating a similar attack when it reaches them.

Rather than punishing vendors for being victimized by attackers, we should encourage them to be more open, honest, transparent and vulnerable, in the human sense of the word.

Envisioning a secure and transparent future

Adopting a more understanding attitude toward breaches does not mean organizations should stop doing their due diligence. On the contrary, businesses should always verify the compliance status of their partners and vendors, and security questionnaires, audit reports and attestations will continue to play an important role in confirming that organizations are handling data carefully.

But the truth is, even an organization that has done everything right can still suffer a breach. It is time to stop victim blaming. It is time to treat each other the way we treat employees who act in good faith: with the understanding that no one is perfect, and the acknowledgment that embracing honesty and transparency benefits everyone in the long run.
