Vendor Outreach Isn’t Always the Answer When a High-Profile Security Event Hits Your Cyber Ecosystem

Written by: Bob Maley

Imagine a scenario in which you arrive home following a brief stint out of town, only to discover that someone has broken into your home. After the cops take your statement, you begin receiving dozens of calls from neighbors asking not how you’re coping but if the burglar now has keys to their homes and what you’re going to do about it.

At best, you might be a little annoyed by these calls. At worst, your relationship with your neighbors might be irreparably damaged.

This same scenario plays out time and time again when high-profile events rock cyber ecosystems: Companies reach out to their vendors in a panic, demanding answers and security updates. Meanwhile, the vendor is fielding hundreds to thousands of customer calls while simultaneously working to mitigate any in-house security issues.

When a high-profile security event happens, it can be tempting to be that anxious neighbor. However, this approach risks damaging important vendor relationships and can leave your company vulnerable while waiting for an answer. Instead, companies should develop more agile response plans in the event of a high-profile security incident.

Vendor Outreach Should Be Targeted and Strategic

Not only is it distracting for vendors to receive dozens, hundreds, or even thousands of messages in the event of a breach — but sending one of those messages and waiting for a response can leave your own company vulnerable to attack.

A company experiencing a breach will be on high alert, doing everything it can to secure its systems. Given the choice to mitigate an attack or respond to thousands of customer inquiries about the attack, security teams are going to choose the former. If you’re waiting around for a response that’s likely not coming, you risk wasting time that could be spent better securing your own systems.

Consider also many security teams’ go-to method for vendor outreach: the questionnaire. Questionnaires can be tedious and time-intensive for vendors to fill out — and for your team to synthesize. In the event that a vendor does have time to respond to your inquiries, a questionnaire is unlikely the most effective way to gather the information you need.

To preserve your relationships with vendors, avoid adding to the deluge in their inboxes and voicemails during a time of crisis. Instead, determine first if outreach is warranted or if there are other ways you can mitigate the impacts of a high-profile event in your cyber ecosystem.

What to Consider Instead of Vendor Outreach

There are several steps your team can take before reaching out to a vendor about a high-profile security event. Here are a few best practices to follow to minimize your vendor outreach:

Have a Backup Plan Ready for Critical Vendors

Your team should create a backup plan should your most critical vendors become compromised. Your most critical vendors are likely those with significant access to your internal systems and/or sensitive data — in other words, those vendors that pose the greatest risk to your business if they are compromised. Identify a backup plan for each of these vendors in the case of an attack, such as switching to a different (vetted) provider.’

Don’t Dismiss a Vendor’s Status Page

Especially when it comes to large or popular software vendors, the easiest way to communicate with customers is en masse. See if impacted vendors have a status page where they’re sharing updates and monitor it regularly. This might be the most efficient way to gather timely information.

Review Your Vendor Outreach Checklist

Before contacting vendors, your team should ask itself a series of questions to ensure you’re reaching out to the right people, know what information you need to gather, and more. A sample of these questions include:

• Why do we think this specific vendor is susceptible to attack?
• In what ways will this vendor being breached impact our own security?
• What other steps can we take to protect ourselves before contacting a vendor?

When to Reach Out to a Vendor Following a High-Profile Security Event

In rare instances, you may exhaust all your options and realize that getting in touch with an impacted vendor is necessary following a high-profile security event. In these cases, it’s best to go into the conversation prepared: Know exactly what information you need from that vendor and make sure you lead with empathy.