Opinion: You're only as secure as your business partners

It pays to check out your partners' security practices, says Roger A Grimes

The successful hack attacks on RSA and Sony have served as wake-up calls to the world's CEOs. Both attacks, aptly dubbed "reputational events," have resulted in hundreds of millions -- potentially billions -- of dollars in lost revenue. Restoring a company's good reputation after these types of incidents is not easy; sometimes it's impossible. Almost every company could be owned just as RSA and Sony were, even firms that embrace the security best practices I've advocated for the past 20 years, including better end-user education, faster and more inclusive patching, stronger authentication, improved monitoring, and quicker response to incidents.

Of course, my regular readers have been taking all these important measures for a long time -- but how about your partners? If they haven't, they might well be putting your organization at risk. Most companies have anywhere from a few to dozens of interconnected partners and vendors that have access, sometimes at the admin level, to their network and computers. By that measure, any vendor's network should be considered an extension of your own. Thus, if I'm a dedicated hacker and I know you have lots of vendors and partners, I'm attacking the weakest link in the chain. The dedicated RSA attackers compromised the company in order to ultimately hack its customers. Many of us have had our networks attacked by malware brought in on a visiting vendor's infected laptop or USB key. Much of the data lost over the past decade can be traced back to the partners who were entrusted to safeguard that data.

My first word of advice: Ask your partners and vendors whether they maintain the same level of security as you do, if not better. More important, make them prove it. Don't simply ask them to read your security policies and agree to abide by them, especially not as a paperwork formality that everyone must undergo in order to work together.
A good starting point is to interview the vendor or partner and ask about the company's security policies, computers, and networks. An interview is no substitute for an audit, but as long as the partner is being honest, you can ascertain the company's security maturity. However, nothing beats a physical audit in which you are allowed to scrutinise the potential vendor's or partner's computers and networks to verify its security practices. When I've conducted an audit, I've always discovered security risks that the company was either unaware of or did not share. If possible, secure the right to conduct security-policy reviews and to do some limited auditing to ensure the third party is following the expected policy before you allow it access to your network. At the most security-minded organisations, security policies state that network access will be refused if the third party does not meet a minimum level of security. How does your company's security policy treat third parties? The answer offers quick insight into how the company treats its own security.
