The successful hack attacks on RSA and Sony have served as wake-up calls to the world's CEOs. Both attacks, aptly dubbed "reputational events," have resulted in hundreds of millions -- potentially billions -- of dollars in lost revenue. Restoring a company's good reputation after these types of incidents is not easy; sometimes it's impossible.
Almost every company could be owned just as RSA and Sony were, even firms that embrace the security best practices I've advocated for the past 20 years, including better end-user education, faster and more inclusive patching, stronger authentication, improved monitoring, and quicker response to incidents. Of course, my regular readers have taken all these important measures for a long time -- but how about your partners? If they haven't, they might well be putting your organization at risk.
Most companies have a few to dozens of interconnected partners and vendors that have access, sometimes at the admin level, to their network and computers. By that definition, any vendor's network should be considered an extension of your own. Thus, if I'm a dedicated hacker and I know you have lots of vendors and partners, I'm attacking the weakest link in the chain.
The dedicated RSA attackers compromised the company in order to ultimately hack its customers. Many of us have had our networks attacked by malware brought in on a visiting vendor's infected laptop or USB key. Much of the data lost over the past decade can be traced back to the partners who were entrusted to safeguard that data.