This is a true story with details changed to protect the client.
Recently Foresite was engaged to perform a very in-depth review of an organization’s cybersecurity and compliance. We looked at everything from the flow of sensitive data throughout the network, technical controls, and policies and procedures, to testing the staff for security awareness to gauge how susceptible they might be to social engineering attempts through email or telephone phishing.
The good news is that although vulnerabilities were discovered, the client was committed to addressing them. Our report, which included very detailed information on the findings and recommendations, was distributed by the client to other members of their staff to begin the steps for remediation. Several non-technical members of the staff were also given copies of the report by one of the client’s project managers.
What happened next is the cautionary tale. A non-technical staff member decided that in order to win a potential client, he would share the report with them and show them how committed to cybersecurity his organization is. Great idea, right? WRONG!!! The potential client’s Chief Information Security Officer recognized the extremely sensitive nature of the report and was horrified that it was shared outside their potential vendor’s walls. It raised the question of how secure their own information would be if they did business together. A phone call was made to our client’s CIO and damage control was begun to try to salvage the deal.
Treat cybersecurity audits and testing reports as “top secret” information that is shared strictly on a need-to-know basis. It is best to transmit reports electronically in encrypted form ONLY to those who need to perform remediation work. Many organizations will split up the reports and share only the details each team needs to work on. Foresite provides an executive summary for non-technical staff to understand the findings and recommendations at a high level (without all of the technical detail). Always request an attestation if you would like to show clients, insurers, or other stakeholders proof of your commitment to cybersecurity. An attestation by a third party will simply confirm what testing was performed, the date, and the rating, without any detail that could fall into the wrong hands.
Had this client shared the attestation we provided with their team, rather than the full report, the story would have had a much happier ending. Let’s at least use this opportunity to learn from their mistake.