Incident detection and response can allow for fast finding and triage of events to determine if there is malicious intent behind certain actions that take place on the network. When corporations work with third party vendors or acquire attributes of other businesses, there must exist some level of agreement to cooperate between the businesses. Some companies are able to respond better to incidents due to many factors and this should be taken into account when agreeing to work together. There should be some written agreement between the companies as to what access will be given to the different companies or reporting.
So for an acquisition, there may be some agreement that the company acquiring will be able to have visibility into the other company’s network and devices on the network. However, many third party agreements do not have integration between the networks, so instead there may be requirements that the company must report to each other known incidents they find or there Intrusion Detection System (IDS) must have certain levels met or response times to alerts. Business partners must have a defined agreement to be able to trust these partners as to not be attack vectors and also have a value of image, if one is compromised then the other may be pulled in whether it was actually their side or not.
I do not believe that small businesses must have a mature cyber incident detection and response capabilities within their own organization. However, I am of the opinion that if small companies want to work with these large companies that they should have some form of incident response that allows for finding potential compromises in their network, whether internal or third party. Then they should agree to having the compromise fixed and reporting that to the larger company. Additionally, the larger company should have some way to support the smaller company if requested and denoted in their contract of agreement. I believe that cyber is an area that changes rapidly and many small businesses cannot afford to have a full team dedicated to this area. However, these smaller companies still need to have something in place to account for these potential breaches.
References
United States Senate Committee on Commerce, Science, Transportation. A “Kill Chain” Analysis of the 2013 Target Data Breach. 2014