When money is scarce, you have a difficult choice to make: whether that money is better spent on cyber security or on the growth of the organization. Large organizations have a well-funded cyber security group, but smaller organizations do not often have that liberty. They work on low margins, or have cash flow or P&L issues to deal with. I am not saying that was the case with "Shift Digital", the Volkswagen vendor that caused the leak of 3.3 million customers' data. However, it is a harsh reality that smaller organizations do not often have the funding, talent or focus to create a strong security practice.
Technology vendors and the organizations that use their products are on their toes all the time, looking for zero-day vulnerabilities so they can mitigate them. This requires grit, board commitment, a talented cyber security team and funding, at the very least. Hacker groups have possibly realized that not every organization is able to create strong security controls, and are exploiting that. Volkswagen did not reveal much detail about how the data was left open by Shift Digital, as they must be busy doing damage control and preparing a public statement to save face. Earlier it was the emissions scandal; now this.
This raises important questions about vendor selection and organizational processes. How should a vendor be selected? Apart from meeting business requirements, what other requirements must a vendor meet? Does the client organization have control groups that look at physical security, cyber security, privacy and the vendor's subcontractors? Are the vendor and its subcontractors compliant with GDPR, PCI-DSS, HIPAA and US SSAE16? Is the vendor consistently patching the software and hardware it uses to provide the service? Are the SOC2 reports regularly reviewed and gaps noted? Basically, does the client organization have an auditable process that reviews the vendor's security controls and gaps on a regular basis?
If a vendor is not able to meet the control requirements, do not increase the organization's dependency on that vendor or the exposure of organizational data to it. A weak cyber security posture at the vendor presents a great risk.
As advocates of better vendor relationships, we suggest that every organization include vendors and suppliers in its cyber security strategy. If a vendor has access to organizational data, it must go through the stringent supplier selection or product selection process. When the going gets tough, the tough get going.