Imagine receiving a report that your company has been hacked. How do you proceed? The best answer is that you follow an existing procedure or playbook, a RACI matrix, etc.
Step #1: assess the report.
Do you have the resources to do that in-house? What if you outsource your software development? Or outsource implementation of a solution using off-the-shelf software or cloud services? What if relevant data, including sensitive customer information, needs to be reviewed in order to complete the assessment?
Can you just send it to the experts who are ready to help you?
Systematic assessment of security issues frequently depends on getting enough data and expertise together, and that invariably requires collaboration – with software, network or solution vendors, white hat security consultants, attorneys, IP specialists, even government regulators. The risk is that by giving them access to the data they need to investigate, you expose yourself to their vulnerabilities.
If you send a software vendor your customer data, even to review a severe breach like Marriott’s, and they are in turn hacked, you have liability – and severe reputational damage.
Think about how email and attachments linger in email systems, and email archiving systems. And backups. All those backups.
When you share data during the normal course of business, you’ve likely got procedures in place to protect the exchange; you may vet or even onboard a strategic partner who is part of your information supply chain. Applying the same approach is unlikely to work when you need to engage with the fast-moving cyber security eco-system. And it may still not be enough!
If you choose not to collaborate and keep it all in house, your ability to cope, respond, and avoid a worse incident in future is going to be tested. And the cost of incidents just keeps going up.
Tools like e-Share Trusted Sharing make it possible to provide third parties with read-only access, limit the sharing time, and have full auditability and trace-ability. Without software downloads. And without vetting and onboarding … everyone.