Vendors’ lax security could let in hackers

Make text smaller Make text larger

  • Vendor risk warning: Stephen Bull, managing director of ICS

    Vendor risk warning: Stephen Bull, managing director of ICS


Companies could be hacked because of the weak cyberdefences of people they do business with.

That is the warning from Stephen Bull, managing director of Bermudian firm Independent Consulting Solutions, who added that even a careless act by a vendor could result in an expensive breach.

However, he said too few companies were paying serious attention to vendor risk.

“Substandard security practices or simple carelessness on the part of a vendor can expose a company’s sensitive data to malicious actors, creating unacceptable financial, operational, reputational, and legal risk,” Mr Bull said.

“Also, it’s important to remember that risk can extend over a substantial period of time. Malware might not only do immediate damage, but also might lurk unseen within a company’s systems, later to infect the company or to be transmitted to another company.”

Mr Bull says vendor security ratings are a critically important tool that provides essential knowledge of different companies’ security performance and how that performance compares to similar organisations and to your own.

“Successful companies thrive within an ecosystem of complementary vendors of products and services,” Mr Bull said.

“Lax cybersecurity practices on the part of one vendor, however, could put all companies within an ecosystem at risk.”

A modern vendor risk management strategy must meet three sets of needs to be effective. These include speed, scale and collaboration.

“Unfortunately, only a minority of companies are paying sufficient attention to the state of security at the companies with which they do business,” Mr Bull said. “In many cases, companies have been holding back because of the perceived need to increase budget and staff to perform VRM tasks.

“Indeed, many approaches to VRM require significant commitments of time and resources — not only to set up the programme, but also to perform audits, assessments, and ongoing monitoring.”

Many organisations would be hard-pressed to find people with the right skills to track cybersecurity risks through a VRM system, he added.

Gartner estimates that by 2020, 75 per cent of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputational risk.

Continuous monitoring of vendors’ cybersecurity was a necessary part of a VRM programme that was often lacking, Mr Bull added. And all vendors had to be included, not just the top tier.

ICS partners with US security ratings expert BitSight and recently held a number of information sessions at its Burnaby Street offices.

Mr Bull added: “Because new attacks are emerging all the time, knowledge of the latest attacks and attack vectors must go hand in hand with rapid response procedures.

“For example, when a major attack such as WannaCry hits, a company must know immediately whether its corporate vendors and partners are vulnerable or affected.”

For more information, contact Glyn Hoskins-Turner, international director, client relationship management at ght@icsbermuda.com

You must be registered or signed-in to post comment or to vote.

Published Nov 14, 2017 at 8:00 am (Updated Nov 13, 2017 at 11:55 pm)

Vendors’ lax security could let in hackers

What you
Need to
Know
1. For a smooth experience with our commenting system we recommend that you use Internet Explorer 10 or higher, Firefox or Chrome Browsers. Additionally please clear both your browser's cache and cookies - How do I clear my cache and cookies?
2. Please respect the use of this community forum and its users.
3. Any poster that insults, threatens or verbally abuses another member, uses defamatory language, or deliberately disrupts discussions will be banned.
4. Users who violate the Terms of Service or any commenting rules will be banned.
5. Please stay on topic. "Trolling" to incite emotional responses and disrupt conversations will be deleted.
6. To understand further what is and isn't allowed and the actions we may take, please read our Terms of Service
7. To report breaches of the Terms of Service use the flag icon

  • Take Our Poll

    Today's Obituaries