You’re only as secure as your business partners

The successful hack attacks on RSA and Sony have served as wake-up calls to the world’s CEOs. Both attacks, aptly dubbed “reputational events,” have resulted in hundreds of millions — potentially billions — of dollars in lost revenue. Restoring a company’s good reputation after these types of incidents is not easy; sometimes it’s impossible.

Almost every company could be owned just as RSA and Sony were, even firms that embrace the security best practices I’ve advocated for the past 20 years, including better end-user education, faster and more inclusive patching, stronger authentication, improved monitoring, and quicker response to incidents. Of course, my regular readers have been taken all these important measures for a long time — but how about your partners? If they haven’t, they might well be putting your organization at risk.

[ Download Roger Grimes’s new “Data Loss Prevention Deep Dive” PDF expert guide today! | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]

Most companies have a few to dozens of interconnected partners and vendors that have access, sometimes at the admin level, to their network and computers. By that definition, any vendor’s network should be considered an extension of your own. Thus, if I’m a dedicated hacker and I know you have lots of vendors and partners, I’m attacking the weakest link in the chain.

The dedicated RSA attackers compromised the company to ultimately hack its customers. Many of us have had our networks attacked by malware due to visiting vendor’s infected laptop or USB key. Much of the data lost over the past decade can be traced back to the partners who were entrusted to safeguard the data.

My first word of advice: Ask your partners and vendors whether they maintain the same level of security as you do, if not better. More important, make them prove it. Don’t simply ask them to read your security policies and agree to abide by them, especially not just as a paperwork formality that everyone must undergo in order to work together.

A good starting point is to interview the vendor or partner and ask about the company’s security policies, computers, and networks. An interview is no substitute for auditing, but as long as the partner is being honest, you can ascertain the company’s security maturity.

However, nothing beats a physical audit where you are allowed to scrutinize the potential vendor’s or partner’s computers and networks to verify its security practices. When I’ve conducted an audit, I’ve always discovered security risks that the company was either unaware of or did not share. If possible, secure the right to conduct security-policy reviews and the ability to do some limited auditing to assure the third party is following expected policy before you allow them access on your network. At the most security-minded organizations, security policies state that network access will be rejected if the third party does not meet a minimum level of security.

How does your company’s security policy treat third parties? The answer has quick insight to how the company treats its own security.

This story, “You’re only as secure as your business partners,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.