I’m proud to say that I was deeply involved in the Verizon Data Breach Investigations Report (DBIR) during my Verizon tenure. The DBIR is the definitive study in the industry regarding the security landscape and includes incidents, responses, and ongoing threats.
This 2022 edition, which came out earlier this year, got me thinking about how interconnected we all are now that every company has a vast, varied ecosystem mucking about in numerous parts and pieces of their data and systems. A famous Harry Potter quote, spoken, as Potter geeks might remember, by head wizard Dumbledore, came to mind: “We are only as strong as we are united, as weak as we are divided.” This quote could be our industry anthem as we contemplate how to move forward in a world of increasing third-party-created risk without sacrificing the partnerships that help our businesses grow.
Let’s look at a few facts from this year’s DBIR that can help us evaluate risk in partnership strategy.
Ransomware was up again with an almost 13% increase, a rise as large as the last five years’ increases combined. This means that, at any given moment, not only is your data at risk, but every firm you partner with is also a target and thus a risk to your growth efforts.
Sure, that snazzy services agreement you have everyone sign says that they have a security requirement, but the reality is when a ransomware incident happens, neither party is thinking about that paperwork. Instead, they are thinking about how they recover, get their data or systems back, get back online, etc.
Too few partnerships run scenarios like a ransomware simulation across their partnerships to see what would happen or build robust plans to respond to a breach. Such a simulation is an important, too often ignored element in a partnering plan. When was the last time you simulated a multicompany breach with your ecosystem? If it hasn’t been recently, then consider performing this exercise.
The Human Element
The human element continues to reign supreme in the 2022 DBIR, which revealed that 82% of breaches involved the human element. While that’s not necessarily surprising, as this trend has been an issue for years, it is nonetheless concerning for your partnering stability and long-term survivability. Think of the weakest partnership link you might have. What if its people are clicking on phishing emails and providing access to your data that’s being used in the partnership? Their risk is now your risk.
This human element goes far beyond phishing, which is generally a result of poor training and over-trusting behavior on the part of employees. For many years, enterprises believed that there was a high level of internal bad actors in their firms, but the data would say the opposite. Three of four data compromises were from external sources. When we looked at the data in the DBIR, business partners were involved in 39 percent of the data breaches handled by their investigators. This risk is another reason why your partnering agreements, audits, simulations, increased data controls, and use of tools like AI (artificial intelligence) to limit risk are all part of a comprehensive risk plan needed for all partnerships in your business.
Partner Malware and Software Updates
Finally, this year’s DBIR is also notable from a partnering lens as it is the first year that it has included partner malware and software updates among the top risk vectors. As we become increasingly dependent on third-party software and see big incidents like those that happened in the past year affecting the supply chain, we begin to see a new threat landscape for our partnerships. While partnerships are the key to success in today’s distributed enterprises, hackers and bad actors take advantage of trends like partnering to target our most precious assets.
Being aware of the threat and reading great reports like the DBIR is a start to helping limit our risks, but it’s not enough. Firms need to update and evolve their partnership risk policies, scorecards, programs, data, and threat management to be more proactive and focus on working in tandem to limit access and risk across both/all enterprises in the ecosystem. Our increasingly connected world will be powered by enterprise partnerships that deliver what customers want, when they want it, and where they want it. It’s an approach that has security risks, and we must become more aggressive in handling those risks.
Firms must move beyond insurance, data storage, and training requirements in partnering agreements and incorporate holistic risk management programs. These programs will better manage the risk from start to breach and beyond. This is how we make progress with partnerships in the future and avoid allowing security risks to impact our healthy, profitable future together.