By Kelly White, Founder and CEO, RiskRecon
A public testimonial from a satisfied customer is marketing gold for most any business. Who isn’t proud to display the logos of respected brands on your customer list, or to publish case studies about the great work you did for them? When I was a CISO of a top-30 financial institution, vendors frequently offered us financial incentives for permission to leverage our brand. There’s also a human element – people like helping other people. In the digital age where a negative customer experience can spread like wildfire through social channels, positive testaments are more important than ever.
On the surface, allowing a vendor who possesses any of your data to use your logo (according to your brand standards) seems risk-free. Unfortunately it isn't. To understand why, consider two primary and increasingly common risk scenarios: data breach incident handling and attack targeting.
Losing control over breach incident handling
Breaches have been filling headlines for the past several years. While breaches are very serious, such stories also make juicy news. A case in point: the focused search result count for the recent 7.ai chat application vendor breach reached 19,800! But the relatively unknown 7.ai is not who makes this story so attention-getting; it’s the household-name, Fortune 500 companies who lost their data from a breach at a tech firm.
Enterprising journalists can turn an otherwise uninteresting breach event into a headline article simply by searching the breached entity’s site for customer references and case studies. In the case of 7.ai, CNET identified potentially impacted customers through a rather obscure 7.ai business profile that named seven customers. It didn’t take much to connect the dots.
If journalists are able to discover your relationship with a breached vendor, you face the risk of the media informing your customers they’ve been breached instead of you telling them – and your brand takes the hit. In many cases, not all customers of a breached vendor are affected, so why risk upsetting any more than necessary? Not all of 7.ai’s customers were impacted by their breach, so several of those ‘potentially’ impacted and cited by CNET may have been in the clear. But once the word is out, it’s too late. Unnecessary cycles get spent on damage control for what could have been contained.
Targeting you by targeting your vendor
Sharing data with third parties in your value chain is now common practice. It also creates another way for attackers to get at that data. For example, assume that you’re a large regional healthcare provider. You own volumes of sensitive personal health information (PHI); your IT department uses a startup health data analytics company to analyze it so your doctors can better diagnose patients. The relationship is a huge success. Your CIO authorizes the publishing of your logo on the vendor’s site, and even provides a quote proclaiming the value of their services. Everybody’s happy.
Now also assume that miscreants want at your PHI data. They case your enterprise and determine there is no easy path into your environment. But through some Google searching, they quickly find your logo on the website of your health analytics vendor. Pivoting their resources, they target the vendor instead of you. Same data, different location. By being a public customer reference, you've unwittingly informed bad actors of additional asset locations, expanding your attack surface area.
It’s an unfortunate conundrum. Providing testimonials and references is a time-honored tradition, an important tool to help businesses grow, and in many ways a gesture that helps keeps the ‘human’ in business. But we are living in a changing age that introduces new layers of risk. Public testimonials now count among them.
Think twice before being a public customer reference. Consider, and even calculate, your risk exposure in the event the vendor is breached. Is it worth the incentives they offer? In most cases, probably not. Just ask the customers of 7.ai.