On Cattle Guns and Business Partners

By Wade Baker

After a long working session on the “Data Breach Investigations Report”, my co-authors and I decided a lunch break was in order. Mealtime conversation meandered through a diverse range of topics and eventually settled on the recent movie “No Country for Old Men.” Dave, a bit more of a film connoisseur than Andrew or I, gave it five stars. Although I appreciated the cinematography and acting, I didn’t think it lived up to all the hype it received. I believe Andrew’s sentiments were similar. We did, however, unanimously agree on one thing: if a stranger walks up to you with a tank of compressed air and tries to press a strange metal apparatus to your forehead, it’s best not to just stare blankly and let that happen.

Although business partners rarely look so freakishly suspicious, findings from the report remind us that a dose of healthy caution when dealing with them might not be a bad idea either. Of the hundreds of breaches investigated, 39% stemmed from partners of the victim organization. Some involved partners acting maliciously, but a large proportion of these involved shared connections and systems hijacked by an external entity. Partner-facing security measures were often non-existent.

Though we’ve long recognized the significance of information risk in the extended enterprise, these findings were eye-opening and fostered a lot of internal discussion. We’d like to open up that discussion to the public. Do these findings sync with your experience? Are partners really the biggest risk (see pg 11 in the report)? How should we balance the business benefits of partnering with the need to secure sensitive data? Is this a dichotomy that cannot be resolved? How much should we trust partners? Should they be treated like outsiders, insiders, or something in-between? Where is the equilibrium between 3,000-question, month-long assessments of a partner’s security practices and complete ignorance? Care to join the discussion?
