Without naming names, what are the most egregious issues you’ve discovered when verifying a vendor’s security?

2.8k views, 3 Comments
HEAD IT in Consumer Goods, 7 months ago
Apache web server admin open with the default user name and password.
In the local LAN, DHCP is configured with a public IP pool not owned by the vendor.
The firewall admin dashboard is accessible from the public IP.

Head of Information Security in Manufacturing, 7 months ago
When verifying a vendor's security, several egregious issues often come to light, which can significantly impact the vendor's security posture and their clients. These include:

1. Lack of Encryption: Data is not adequately encrypted, risking unauthorized access.
2. Weak Access Controls: Access is too lenient or poorly managed, leading to potential unauthorized access.
3. Outdated Systems: Vendors fail to update or patch systems, leaving known vulnerabilities open.
4. No Incident Response: The absence of a solid incident response plan means unpreparedness for handling breaches.
5. Poor Segmentation: Inadequate network segmentation facilitates easier lateral movement for attackers.
6. Non-compliance: Vendors not adhering to industry standards and regulations question their security commitment.
7. Weak Authentication: Lack of strong authentication methods, like multi-factor authentication, makes systems easily accessible.
8. Lack of Training: Employees without proper security training can unintentionally cause breaches.
9. Insufficient Privacy Measures: Poor handling of personal data can lead to privacy violations.
10. Ineffective Vendor Management: Not assessing risks from their vendors (fourth-party risk) introduces hidden vulnerabilities.

... to name some issues I have seen in my 30 years in information security.
Senior VP & CISO, 7 months ago
NO security program, CISO, policy.
