Breaches happen: It’s time to stop playing the blame game and start learning together

What do you do after a vendor or partner suffers a breach? After your heart skips a beat (or two), this is a common question you might ask.  

As a recent study indicates, more than half of all organizations have been the victim of a third-party breach over the past two years. Unfortunately, the overwhelming reaction to such an incident is to ostracize the victim. In fact, up to 83% of consumers admit that they pause or end their spending with an organization after an incident. While understandable, that reaction misses the opportunity the industry has to learn and grow together after details of an incident become available. 

Breaches continue to happen — even after organizations have a commercially reasonable security program in place. No one is impenetrable. One key aspect to consider when evaluating potential partners and vendors is understanding their capability of responding effectively to and willingness to be transparent when a security incident occurs.

Punishing a partner or vendor for suffering a breach only continues to incentivize organizations to cover up their security incidents. Instead, today’s businesses need to foster an environment of understanding, transparency and information sharing. Embracing these values will help bolster security practices across the economic landscape. 

The shift away from blame

The shift toward understanding is already happening on an employee level. Increasingly, employees are no longer automatically vilified for accidentally clicking on a phishing link or responding to a spoofed email. Security professionals understand that attack tactics like phishing are a numbers game: If attackers target enough people, the odds are good that someone will eventually take the bait. Phishing attacks are only getting craftier and more believable. It’s only natural to acknowledge the reality human trust — and human error — play in our risk landscape. 

If an employee living in fear of punishment or reprisal accidentally clicks a phishing link, that employee may decide to do everything possible to cover it up and pretend it never happened. On the other hand, a business that encourages (and even celebrates) self-reporting of those errors and greets them with understanding will find that employees are much more willing to acknowledge when they have made a mistake and learn from it.  

This doesn’t eliminate the need to train employees to recognize attacks — it acknowledges the reality that the sooner an organization knows about a potential breach, the sooner they can do something about it. In fact, IBM’s 2023 Cost of a Data Breach Report found that early detection is one of the most important factors that can limit the impact of a breach. Combined with the implementation of technology that can help stop these phishing emails from reaching employee inboxes in the first place, these efforts can make a real difference. 

Understanding at scale

While businesses have found success implementing those policies on an individual scale, they have not generally applied that same posture to partners, vendors and other third parties. A breach can happen to any organization, including those that have taken all commercially reasonable precautions — and understand whether those precautions have been taken should be a standard part of any business’s vetting process. Jettisoning a good and reliable partner because of an attack may ultimately bring on more risks, including operational challenges.  

Of course, it’s important to recognize the difference between a business that suffers a breach unexpectedly and a business that engages in an ongoing pattern of risky or negligent behavior (or seeks to actively cover up or retract details surrounding a breach). But the advent of compliance frameworks, security questionnaires and benchmarks and more well-rounded security programs has made it much easier to assess a potential partner’s breach readiness.

That said, if a breach does occur, it’s also important to know what happened and how it was dealt with. How businesses choose to communicate about cyber incidents plays a key part in assessing and maintaining trust within the relationship. 

Just as employees are now encouraged to self-report potential issues, encouraging businesses to be upfront about their challenges wouldn’t just make it easier for businesses to assess their partners’ security capabilities — it would help lessen the impact of future breaches. The more information security teams have to work with regarding attack tactics, techniques and procedures (TTPs), the better the odds they will be able to detect, recognize and remediate them when facing a similar attack themselves.

Rather than punishing vendors for being victimized by attackers, we should be encouraging them to be more open, honest, transparent and vulnerable — in the human sense. 

Envisioning a secure and transparent future

Adopting a more understanding attitude toward breaches doesn’t mean organizations should stop doing their due diligence. On the contrary, businesses should always verify the compliance status of their partners and vendors, and security questionnaires and security reports and attestations will continue to play an important role in confirming that organizations are being careful with their data.

But the truth is, even an organization that has done everything right can still suffer a breach. It’s time to stop victim blaming. It’s time to treat each other the same way we treat employees who act in good faith: With the understanding that no one is perfect and an acknowledgement that embracing honesty and transparency will benefit everyone in the long run.

Matt Hillary is CISO of Drata.