Do You Know How Secure Your Software Vendors Are?

September 26, 2017

Third parties remain a critical source of security risk. The recent discovery by Cisco’s Talos cybersecurity research team of malware embedded within the consumer application CCleaner reminds us that cyber hygiene does not stop at our own perimeter.

Talos stated in its September 18th Update: “Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. Therefore, as we leverage the capabilities of third party software, this trust relationship is then abused to attack organizations and individuals.”

Those who seek to gain access to information for control, economic gain or espionage are capitalizing on the benefit of attacking the ‘weakest link of the chain.’  The value chain, that third-party ecosystem to which each of us is intimately connected in a digital economy, must be part of your security hygiene.

How, then, are end users, both consumers and enterprises alike, to protect themselves?
Putting a lock on the front door to your systems via antivirus protection is a basic hygiene mandate, but attacks can still succeed via your third-party providers, as CCleaner illustrates: the malware arrived embedded in a trusted vendor’s own application.

Consider these essential third-party hygiene steps:

  1. Know who is supplying you with what.
  2. Assess the assurance practices used by those third parties, and how transparent they are about their security practices.
  3. Seek public information on how those suppliers measure up against cybersecurity benchmarks.

Vigilance will not always succeed, but refusing to turn a blind eye to exactly who you are letting “touch your stuff”, and to how they address security, is now an imperative! Cisco drives a comprehensive value chain security architecture across our ecosystem. In collaboration with our third parties, we (i) reduce risk via protection techniques, (ii) monitor security practices and (iii) ensure that third parties swiftly share their security incidents with us, in order to minimize impact and foster faster collective mitigation.



  1. Thanks, Edna, for once again saying ‘out loud’ what many of us are thinking! Vendors of all types, as well as third-party service providers, seem to run the gamut from extremely diligent, compliant and supportive of their customers’ security (and privacy) requirements, to laissez-faire, or worse, arrogant and dismissive when presented with a binding list of protective obligations.

    I’ve turned vendors away who’ve refused to commit to our security controls requirements, wondering how, especially given the very public data breaches we keep hearing about and the legislative requirements we’re responsible for complying with, they even stay in business!

    Who among us is signing up to partner with these vendors without demanding their due diligence, putting their companies at serious risk and enabling their bad behaviors? It’s time we ALL demand more from those we entrust with our valuable assets. That collective pressure for better collaboration and stronger, compliant controls will help drive our vendors and providers to the level of strong security that they must provide to all of us, and that we require to manage our risk.


  2. Excellent points! These same practices extend to subsidiaries, partners, and the risk assessment process for mergers & acquisitions. Thank you.

  3. Thank you for the insight on the sharing of this blog! The essential third-party hygiene steps are well noted and will be adhered to. Thank you.