Vendors’ lax security could let in hackers

  • Vendor risk warning: Stephen Bull, managing director of ICS

Companies could be hacked because of the weak cyberdefences of people they do business with.

That is the warning from Stephen Bull, managing director of Bermudian firm Independent Consulting Solutions, who added that even a careless act by a vendor could result in an expensive breach.

However, he said too few companies were paying serious attention to vendor risk.

“Substandard security practices or simple carelessness on the part of a vendor can expose a company’s sensitive data to malicious actors, creating unacceptable financial, operational, reputational, and legal risk,” Mr Bull said.

“Also, it’s important to remember that risk can extend over a substantial period of time. Malware might not only do immediate damage, but also might lurk unseen within a company’s systems, later to infect the company or to be transmitted to another company.”

Mr Bull said vendor security ratings are a critically important tool, providing essential knowledge of different companies’ security performance and of how that performance compares with similar organisations and with your own.

“Successful companies thrive within an ecosystem of complementary vendors of products and services,” Mr Bull said.

“Lax cybersecurity practices on the part of one vendor, however, could put all companies within an ecosystem at risk.”

To be effective, a modern vendor risk management (VRM) strategy must meet three sets of needs: speed, scale and collaboration.

“Unfortunately, only a minority of companies are paying sufficient attention to the state of security at the companies with which they do business,” Mr Bull said. “In many cases, companies have been holding back because of the perceived need to increase budget and staff to perform VRM tasks.

“Indeed, many approaches to VRM require significant commitments of time and resources — not only to set up the programme, but also to perform audits, assessments, and ongoing monitoring.”

Many organisations would be hard-pressed to find people with the right skills to track cybersecurity risks through a VRM system, he added.

Gartner estimates that by 2020, 75 per cent of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputational risk.

Continuous monitoring of vendors’ cybersecurity was a necessary part of a VRM programme that was often lacking, Mr Bull added. And all vendors had to be included, not just the top tier.

ICS partners with US security ratings expert BitSight and recently held a number of information sessions at its Burnaby Street offices.

Mr Bull added: “Because new attacks are emerging all the time, knowledge of the latest attacks and attack vectors must go hand in hand with rapid response procedures.

“For example, when a major attack such as WannaCry hits, a company must know immediately whether its corporate vendors and partners are vulnerable or affected.”

For more information, contact Glyn Hoskins-Turner, international director, client relationship management at