What Risk Do Your Third-Party Vendors Pose From Chinese Cyberspies?


Earlier this morning I read an interesting article entitled “Chinese Cyberspies Are Hacking Into America’s Small Businesses.” I encourage you to read the entire article, but here’s the gist…

“A wide range of small businesses and institutions — from pizza restaurants and medical clinics to synagogues and universities — have been both victims and unwitting accomplices in sophisticated cyber espionage campaigns being carried out by hackers in China.”

It is one thing to hear how nation-states (e.g. China, Russia, the US, the UK, Israel, Syria, Iran, etc.) are employing computers and computer networks to wage cyberwars against one another. However, turning innocent, otherwise unsuspecting non-combatants into intermediaries for those attacks takes everything to another level.

These days, it is virtually impossible for your organization to exist without making heavy use of the Internet; and the larger your enterprise, the more dependent you are. It is this dependency on, and participation within, the greater network that exposes you to risks once considered unimaginable, which must now be treated as everyday concerns.

Thanks to the ability of the “bad guys” to cover their tracks by masquerading as innocent bystanders (a.k.a. using human shields), it has never been more important for all of us to band together for the good of our collective security. Gone are the days when we could ignore the security policies of even our smallest third-party vendors, suppliers, or trading partners. With the ability to literally be attacked from anywhere, the only way we can protect ourselves is to demand that all of our partners, from the largest to the smallest, take responsibility themselves. As we have seen, no business, enterprise, or organization is too big to become the unwitting attack vector, and it is likely the smallest will become the most attractive targets to exploit.

Are you doing everything you can, through your vendor risk management program, to help your partners help you by helping themselves? Information security risk needs to be a “top-of-mind” issue for you and all of your third-party partners. An easy way to get started is through the use of industry-standard self-assessments, such as those based on ISO 27001/2. Protecting the security of your enterprise cannot be achieved through isolationism. If you are not doing so already, now is the time to ask all of your partners (large and small) to step up and demonstrate how they are actively working to protect the systems, networks, and interconnected tools we all use.

About the author:

Tal Golan (@TalGolan) is the Chief Strategy Officer at VERB.