Dark Reading is part of the Informa Tech Division of Informa PLC


Tech Insight: What To Do When Your Business Partner Is Breached

Vendors and contractors play an important role in your business. But what happens when a partner’s systems are compromised? Here are a few tips.

A breach in your own organization is bad enough, but a breach at a third-party vendor or contractor that is tightly connected to your organization can be even more frustrating. The key to minimizing the chaos is to work closely with your vendors, contractors, and service providers so that you’ll be able to respond quickly when a compromise happens.

When a compromise occurs at a partner site, the first step is to understand what occurred, assess potential damage, and set a game plan. Verbally discuss the incident with the partner, ask as many questions as you can, and instruct them to send you their official statement in writing. This information will help you craft your own organization’s statement and begin documentation.

During this initial conversation, be sure to document all of the facts as given to you. Email your notes to the vendor and request review and confirmation of accuracy. As the incident progresses, your organization will want as much information as possible to address any questions that arise from other partners, customers, or internal staff. It’s important to get these answers quickly -- and in writing -- for future reference if the matter escalates and legal action is required.

As you’re starting to piece together what occurred, it’s time to understand your organization’s exposure. You’ll need to fully understand what service the partner provides to your organization, the data it possesses, and how the two of you are connected. A breach of a third-party email provider has a different impact than a breach of a two-factor authentication vendor. Understanding the total exposure will help you define the risk associated with the breach, the actions you must take, and how fast you must move.

Once the risk is identified, continue to communicate with your vendor. Continuous communication is critical -- you want your organization to stay top of mind when hundreds of clients begin calling, and to receive high-priority notification when something new is known. Don’t give up if you leave messages and emails that go unreturned. Your persistence will pay off, just as it does for the salesperson who leaves you 22 messages.

Once you’re in contact, discuss your rights. Hopefully, buried in the contract with your partner, there is language that outlines your rights in the case of a breach or other security incident. These clauses typically include timing for notification of the breach, the right to audit after a security incident, financial penalties, and the right to cancel the contract. Understand these well and use them to your advantage. In most cases, it won’t be necessary to be heavy-handed -- it’s in everyone’s best interest to cooperate and resolve the matter once it has been disclosed. But knowing your rights and options will give you some alternatives if they are needed.


As more information becomes known, continue to evaluate the risk to your organization. You need as much information as possible before you notify affected parties. This can be tricky -- some in your organization will want to hide it since it wasn’t a breach of your systems, but others will want to send out notifications as soon as possible. Full disclosure is usually the right thing to do -- no matter where the breach occurred -- and the breached partner generally should issue a disclosure, as well.

The trickiest part is timing. Disclose too early and you risk communicating bad or incomplete information. Wait too long and the public will question the delay. Typically, it’s a good idea to disclose as early as you can, as long as there’s enough information to identify the affected parties and the data affected. This can provide the basis for later communications.

Once the dust has settled and the partner has fixed the immediate problems, it’s time to make sure this doesn’t happen again. Work with the vendor to understand how it’ll prevent this issue from occurring again, how it’ll assess its systems for other potential problems, and how you’ll be informed of the assessment results. Use this incident to insert your organization into your partner’s security processes, and require annual assessment reports or gain the right to audit their operations. At this point, you have some leverage -- use it to your advantage.

Partners are important to your business, but they can also be a liability. Implementing partner risk reviews and vendor management processes can reduce risk and help your organization identify vendors that are less likely to fall victim to a breach. No partner is impenetrable. Knowing the risk associated with each partner, having good communication, and working together to resolve a breach helps everyone -- including customers and other third parties.
